Security

BlackCat Ransomware Group Implodes After Apparent $22M Payment By Change Healthcare (krebsonsecurity.com) 54

An anonymous reader quotes a report from Krebs on Security: There are indications that U.S. healthcare giant Change Healthcare has made a $22 million extortion payment to the infamous BlackCat ransomware group (a.k.a. "ALPHV") as the company struggles to bring services back online amid a cyberattack that has disrupted prescription drug services nationwide for weeks. However, the cybercriminal who claims to have given BlackCat access to Change's network says the crime gang cheated them out of their share of the ransom, and that they still have the sensitive data Change reportedly paid the group to destroy. Meanwhile, the affiliate's disclosure appears to have prompted BlackCat to cease operations entirely. [...]

The affiliate claimed BlackCat/ALPHV took the $22 million payment but never paid him his percentage of the ransom. BlackCat is known as a "ransomware-as-service" collective, meaning they rely on freelancers or affiliates to infect new networks with their ransomware. And those affiliates in turn earn commissions ranging from 60 to 90 percent of any ransom amount paid. "But after receiving the payment ALPHV team decide to suspend our account and keep lying and delaying when we contacted ALPHV admin," the affiliate "Notchy" wrote. "Sadly for Change Healthcare, their data [is] still with us." [...] On the bright side, Notchy's complaint seems to have been the final nail in the coffin for the BlackCat ransomware group, which was infiltrated by the FBI and foreign law enforcement partners in late December 2023. As part of that action, the government seized the BlackCat website and released a decryption tool to help victims recover their systems. BlackCat responded by re-forming, and increasing affiliate commissions to as much as 90 percent. The ransomware group also declared it was formally removing any restrictions or discouragement against targeting hospitals and healthcare providers. However, instead of responding that they would compensate and placate Notchy, a representative for BlackCat said today the group was shutting down and that it had already found a buyer for its ransomware source code. [...] BlackCat's website now features a seizure notice from the FBI, but several researchers noted that this image seems to have been merely cut and pasted from the notice the FBI left in its December raid of BlackCat's network.

Fabian Wosar, head of ransomware research at the security firm Emsisoft, said it appears BlackCat leaders are trying to pull an "exit scam" on affiliates by withholding many ransomware payment commissions at once and shutting down the service. "ALPHV/BlackCat did not get seized," Wosar wrote on Twitter/X today. "They are exit scamming their affiliates. It is blatantly obvious when you check the source code of their new takedown notice." Dmitry Smilyanets, a researcher for the security firm Recorded Future, said BlackCat's exit scam was especially dangerous because the affiliate still has all the stolen data, and could still demand additional payment or leak the information on his own. "The affiliates still have this data, and they're mad they didn't receive this money," Smilyanets told Wired.com. "It's a good lesson for everyone. You cannot trust criminals; their word is worth nothing."

  • by muh_freeze_peach ( 9622152 ) on Wednesday March 06, 2024 @09:19AM (#64293978)
    Good.
  • That criminals won't keep their word... colour me shocked!

    • There is no honor among thieves. - Proverbs 1:16

      • Is that the actual Proverbs 1:16 text (even amongst its many translations)?

        • It's about as real of a quotation as Austin 3:16 means I just whooped your...
          • When I was a kid, if we wanted to invent a bible quote we'd always declare some random chapter and verse from the "Book of Hezekiah".

            • So now you do it online and reference the (real) book of Proverbs for sentimental kicks?
              • No, per another reply - I thought it was in the bible, did a quick search (but didn't vet the link) that returned Proverbs 1:16.

                So, I was sloppy.

                • Thanks for the response. I did the same searching and found the same [apparent] claim online. Various sites claim "no hono[u]r among thieves" as the meaning of Proverbs 1:16, but that seems highly iffy. Good ol' Biblical bull!

                • That's fair -- for what it's worth, I did some digging and found two Proverbs passages that are grossly misquoted in memes and various internet posts as saying "there is no honor amongst thieves", including the one you referenced. As for the saying itself, I did some digging and internet sources point to it originating with Cicero, or at least being popularized by Cicero. But, the Cicero passage [tufts.edu] quoted actually presents the sentiment that there must be some honor among thieves, or else their own outl
        • Is that the actual Proverbs 1:16 text (even amongst its many translations)?

          No. According to the King James version: For their feet run to evil, and make haste to shed blood. With one or two exceptions, all the various versions of the little book [biblehub.com] say the same thing.

        • Is that the actual Proverbs 1:16 text (even amongst its many translations)?

          No idea - I thought it was from the bible, and when I typed the quote into a search engine it returned "Proverbs 1:16" as the top result. ...which I didn't click into and apparently was wrong, if the post further down is accurate.

    • by cob666 ( 656740 )

      That criminals won't keep their word... colour me shocked!

      Up to now, the whole ransomware scheme has functioned on the premise that if a company pays the ransom, they will get the keys to unlock their data and BlackCat will delete whatever data they have. If BlackCat is cheating their 'partners' who still have access to the data and can still cause problems for the target then future ransomware targets will reconsider paying the ransom. Enough companies refuse to pay and the entire scheme will implode.

  • Cyber criminals cheat other cyber criminals out of money and don't keep their word to the ransomee?
    Nickcageyoudon'tsay.gif

  • What is this world coming to when there is no honor among thieves? There's supposed to be professional courtesy in every field, isn't there?
  • by Anonymous Coward
    it's not just for the cryptobros any more!
  • Comment removed (Score:4, Interesting)

    by account_deleted ( 4530225 ) on Wednesday March 06, 2024 @09:57AM (#64294056)
    Comment removed based on user account deletion
    • Re:Genuinely curious (Score:4, Interesting)

      by The-Ixian ( 168184 ) on Wednesday March 06, 2024 @10:08AM (#64294068)

      Sandboxing and detonating all inbound web content as well as application allow listing would probably have prevented this.

      The problem is that operating systems come pre-installed with hundreds of admin tools and scripts meant for the enterprise admin professionals. But those same tools make it just as easy for an attacker to learn about the environment.

      That's where gray listing can really help. If you put the pre-installed admin tools behind an elevation prompt, that would stop 99.999% of these intrusions in their tracks.

      There is no reason for a standard user to be running powershell.exe, wmic.exe, csc.exe, reg.exe, cmdkey.exe, esentutl.exe, certutil.exe, at.exe, netsh.exe or any of the other built-in Windows admin utilities. Put those things behind a credential prompt and see how easily that malware spreads.

      • Comment removed based on user account deletion
        • Not sure where he's got the details from, but I can't find that "Sandboxing and whitelisting" would have "probably" prevented this...

          How to move out from the mail server? How to locate what matters?

          Third party AD credentials maybe? I've seen that a few times - consultant got hacked, didn't realise... they often have better than user, less than admin permissions as well.

          People often link their onsite with cloud... I've seen quite a few hacks originate from the company's Azure tenants, which have visibility back to onsite AD etc, so not having domain creds wasn't an issue in that s

          • Comment removed based on user account deletion
            • OK. But how? The stupid clerk clicks on the email's link. The software gets downloaded. To where?

              The clerk's PC, which is on the domain. They now have that clerk's permissions on the network and a node with inbound/outbound network.

              How can that software get out from that server and choose the one with all the relevant information?

              You're right, further escalation is needed.

              How can all that be accomplished in a blind fashion via a generic piece of software (the best ever built if you want)?

              There's a fair degree of automation in malware these days, but there's probably some amount of actual human recon done once they get a foothold. Not uncommon to see they gained access but took months to find credentials in an email somewhere that allowed them the next step up.

              It doesn't look at all like a "oh shit! We got hacked because someone clicked on a link and the admins made a few stupid mistakes".

              there must be millions of small offices in the western world that comp

              • Comment removed based on user account deletion
                • In any case, note that the clerk doesn't have to be allowed to download files to his computer or, at least, not anywhere

                  Take into account all the different software on a given machine, all the different vulnerabilities they could all have, then combine that with some sub-optimal choices around your security, permissions etc and it's feasible.

      • by XXongo ( 3986865 )

        Sandboxing and detonating all inbound web content as well as application allow listing would probably have prevented this.

        Effective layered back-up would solve the ransomware problem.

        Would not solve the disclosure problem, but then, as pointed out in the article, you can't trust the criminals to delete your data merely because you paid them millions to delete your data.

      • Re: (Score:2, Interesting)

        by Anonymous Coward

        There is no reason for a standard user to be running powershell.exe, wmic.exe, csc.exe, reg.exe, cmdkey.exe, esentutl.exe, certutil.exe, at.exe, netsh.exe or any of the other built-in Windows admin utilities. Put those things behind a credential prompt and see how easily that malware spreads.

        Trivially.

        A windows client computer can't authenticate users without communicating with a domain controller.
        It isn't possible to both allow and deny a client computer from communicating with a domain controller.

        The malware comes in by a user requesting it to in most all cases. It runs as that user.
        There it has access to the network's domain controllers for that client.
        It then fires off a series of zero day exploits against the domain controller in an attempt to gain some access to it.
        Once running on the DC,

    • Re:Genuinely curious (Score:5, Informative)

      by tlhIngan ( 30335 ) <[ten.frow] [ta] [todhsals]> on Wednesday March 06, 2024 @11:42AM (#64294304)

      Every time I hear about ransomware, the first question coming to my mind is how in the hell all that can happen at all? Even by assuming that the entry point can't be fixed (usually, an idiot clicking on an email link or something like that, right?), how a generic piece of software can find its way through a presumably-unknown complex setup like here? How can it locate what matters? How can it even get close to that by assuming the most logical entry point (the mentioned email, presumably stored in an isolated location or, at least, one not having access to anything relevant)? Even by assuming the most perfect piece of software accounting for every possible scenario, some basic measures should be more than enough to avoid or highly restrict its actions, right? Various levels of incompetence (and/or malice) are needed for this to happen, am I wrong? Any security expert feeling like sharing some knowledge?

      All it takes is a basic executable.

      On a PC level, it's easy - the malware runs, and it basically starts encrypting every file it can - it enumerates all the files on the hard drive, then attempts to encrypt every file it can. It often then adds an executable header.

      The executable header then determines if the PC it's running on is infected - if it is, it then pops up an alert saying the file is encrypted. If not, it then infects the PC and then shows the alert. And the infected PC then begins encrypting every file it has access to.

      The way it spreads is because the encryption can prioritize certain files - things in your user directory are almost always writable by the user, as well as looking at what network shares you have access to and accessing and encrypting those files.

      Sometimes the infection can be sneaky by encrypting all the files first, but silently decrypting them for the first few days so no one knows it's there. Then boom, all at once, it goes off.

      And yes, it's possible to restrict its actions - many antimalware software can detect this behavior of opening, encrypting/writing, deleting/renaming files especially if it happens on a large number of files at once (you don't change many files every day). The problem is, this is a behavioural pattern so you still can encrypt a few files before it gets caught.

      You can also lock down what network files a user can write to, but you have to balance lockdowns against productivity - users need to write files to network shares because it's often being shared among several people.
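An added illustration of the behavioural pattern the comment above describes (not code from the thread or from any product): it counts, per process, the distinct files that are written and then renamed or deleted inside a short sliding window, over a constructed file-activity log. The log format, the window length and the threshold are assumptions for the demo; the alert only fires once the threshold is reached, which is exactly the "a few files get encrypted first" caveat the comment makes.

```python
# Added example, not from the Slashdot thread. Toy behavioural detector for the
# open -> write -> rename/delete burst that mass-encrypting ransomware produces.
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    ts: float   # seconds since some epoch (assumed log format)
    pid: int
    op: str     # "open", "write", "rename" or "delete"
    path: str


WINDOW_SECONDS = 10.0   # sliding window length (assumed tuning value)
FILE_THRESHOLD = 20     # distinct rewritten+renamed files per window (assumed)


def parse_events(lines):
    """Parse constructed 'ts pid op path' lines into FileEvent records."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, pid, op, path = line.split(maxsplit=3)
        events.append(FileEvent(float(ts), int(pid), op, path))
    return events


def detect_mass_rewrite(events, window=WINDOW_SECONDS, threshold=FILE_THRESHOLD):
    """Return {pid: (alert_ts, files_already_rewritten)} for every process that
    writes to, then renames or deletes, >= threshold distinct files within `window`."""
    written = defaultdict(set)       # pid -> paths that pid has written
    completed = defaultdict(deque)   # pid -> (ts, path) of write->rename sequences
    alerts = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.pid in alerts:
            continue                 # already flagged; one alert per process
        if ev.op == "write":
            written[ev.pid].add(ev.path)
        elif ev.op in ("rename", "delete") and ev.path in written[ev.pid]:
            dq = completed[ev.pid]
            dq.append((ev.ts, ev.path))
            while dq and ev.ts - dq[0][0] > window:
                dq.popleft()         # drop sequences older than the window
            distinct = {p for _, p in dq}
            if len(distinct) >= threshold:
                alerts[ev.pid] = (ev.ts, len(distinct))
    return alerts


def build_sample_log():
    """Constructed log: pid 400 is an editor saving three documents a minute apart;
    pid 777 mimics the mass open/write/rename burst on a network share."""
    lines = ["# ts pid op path"]
    for i in range(3):
        t = 100.0 + i * 60.0
        lines += [f"{t} 400 open /home/u/doc{i}.txt",
                  f"{t + 0.1} 400 write /home/u/doc{i}.txt"]
    for i in range(25):
        t = 300.0 + i * 0.1
        p = f"/srv/share/report{i}.xlsx"
        lines += [f"{t} 777 open {p}", f"{t + 0.02} 777 write {p}",
                  f"{t + 0.04} 777 rename {p}"]
    return lines


if __name__ == "__main__":
    print(detect_mass_rewrite(parse_events(build_sample_log())))
```

The editor process never trips the detector because it never renames what it wrote, while the burst process is flagged only on its 20th file, so 20 files were already rewritten before the alert.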

      • Comment removed based on user account deletion
        • A lot of Ransomware checks for installed Russian keyboard support, if that is present then it does not bother going any further. I would install that, except that my Windows machine does not have an email client set up - I only use it for specific tasks - so I don't see the need.

      • This assumes that any given workstation has the ability to run random executable content from the web.

        In this day and age, there is absolutely no reason whatsoever for computers that are subject to corporate governance to allow execution of untrusted content.

    • I worked for one of the related companies just over a decade ago. I don't know what it is like now, but back then it was awful to work there. They insisted on Windows for everyone even though development was for mainframes or RH Linux servers. The bureaucracy was insane. Policy was king, even if it didn't make sense (this part is still true now.) The hoops we had to jump through to get our work done was silly. Low and middle managers had zero power and traded seats once per year. Top management didn't

  • so they're gonna go to ground. If it's a state sponsored group they'll change their name, if not they'll take the money and try to run.

    I'm surprised we haven't really cracked down on these guys. All it would take is some anti-money laundering laws around crypto currency. I guess the crypto bros have enough money to keep those laws from being enforced now. Too many politicians taking their money. And too many "small gov't" weirdos who get really upset about law enforcement unless it's a thug in blue crac
    • by reanjr ( 588767 ) on Wednesday March 06, 2024 @11:06AM (#64294198) Homepage

      Pretty much all money laundering laws that apply to USD apply to cryptocurrency. Which laws do you think would actually have an impact?

      Or are you just one of those people who is alright with money laundering as long as it happens in USD?

    • All it would take is some anti-money laundering laws around crypto currency

      i was once this naive

    • I think you missed the rise of Chainalysis, and numerous arrests from tracking the flow of crypto by such means -- including Razzlekhan. The problem is Russia allows these groups to operate as long as they don't target Russia or close allies. Considering almost every possible sanction is in place already against Russia, new AML laws would have zero effect.
  • by FluxCap ( 10297205 ) on Wednesday March 06, 2024 @10:14AM (#64294076)
    It should be illegal for a company to pay a ransom as it just incentivizes and funds an attack on the next company. The company should have spent the 22 million on security and good backup strategy. If they didn't, and they get ransomed, then the people responsible at the company to prevent/mitigate the effects should be fired. If the people at the company risk jail if they pay a ransom then they will stop doing it. Once companies stop paying the ransoms the criminals will stop trying.
    • Even worse, in this case it is likely a sanctions violation since that $$$ went straight to Russian hackers. It is definitely not legal to give money to hackers right now. Companies are working around this by paying "recovery consultants" which in turn use off shore affiliates to funnel money to hackers. So in addition to violating sanctions they are committing money laundering. I do wish the FBI would go after these companies, but there seems to be a "don't prosecute a big business victim" ethos.

      https: [state.gov]
    • by stooo ( 2202012 )

      >> The company should have spent the 22 million on security
      They probably use Windows and Outlook.
      No hope any spending whatsoever will change anything.

      • by ghoul ( 157158 )
        As long as the NSA forces Microsoft to leave backdoors for their use, hackers will find and exploit those backdoors.
    • by thomn8r ( 635504 )

      The company should have spent the 22 million on security and good backup strategy.

      The Capitalist mindset is [[ $penalty < $profit ]] && ok

    • It's a "cost of doing business" and tax-deductible as a business expense. Businesses will take the lower-cost option (costs less to pay than to rebuild services from scratch). Not a question of ethics, google "pinto memo" or link here: https://www.spokesman.com/blog... [spokesman.com]
    • then the people responsible at the company to prevent/mitigate the effects should be fired.

      Really? As an architect, I know we should do it, but my boss's boss's boss tells us that something might be added in the budget for next year.

      And you want ME to get fired?

  • The hospital deserves to have all the data leaked. Stop fucking paying ransom, you worthless shits.

    • You ever worked with a hospital? I've only done it 3 times but damn dude these are the shittiest IT orgs I've ever worked with.

      One of them I was on a call with the exec in charge of all data and responsible for all HIPAA compliance across a 6 hospital group. She was beating me up over us not having any sort of HIPAA controls (we mostly did financial data) and then cuts herself off, laughs, and says, "Oh, never mind, it's fine, we're not compliant, either!" Jfc.....

  • by FrankOVD ( 4965439 ) on Wednesday March 06, 2024 @11:53AM (#64294380)
    The most recurrent thing you see in bank heist movies is that the mastermind will ultimately try to eliminate his whole team to keep their shares for himself. Yet, there are still people stupid enough to play a subordinate role in such high crimes. You think you are the scammer, until you are the victim. It is sad that innocent people and public institutions are being attacked in such a way, but whoever willingly chose to work for criminals should know they are taking an insane risk of either being scammed or becoming a fall guy. You can't expect shameless people to respect the code of honor they impose on their subordinates.
  • Has no one heard of the quote "There is no honor among thieves"? Sheesh...

  • Key takeaways:
    Unless you have the capacity and capability to render sufficient violence, organized crime will always betray you.
    Giving criminals and terrorists what they want only emboldens the criminals and terrorists (hence why the ceasefire-now cowards are just pro-Hamas scum).
  • OMG, no honor among thieves!

  • by kyoko21 ( 198413 ) on Wednesday March 06, 2024 @03:32PM (#64295198)

    What people do and what motivates them to do what they do is different for everyone. Some may be in this dark twisted path because it's the only thing they have and they are just trying to put food on the table. Certainly these financial gains come at the expense of others and unfortunately this is the way of the world for many others living on the other side of the train tracks. :-/

  • There is no honor amongst thieves.
