BlackCat Ransomware Group Vanishes After $22 Million Payout


The threat actors behind the BlackCat ransomware have shut down their darknet website and likely pulled an exit scam after uploading a bogus law enforcement seizure banner.

“ALPHV/BlackCat did not get seized. They are exit scamming their affiliates,” security researcher Fabian Wosar said. “It is blatantly obvious when you check the source code of the new takedown notice.”

“There is absolutely zero reason why law enforcement would just put a saved version of the takedown notice up during a seizure instead of the original takedown notice.”

The U.K.’s National Crime Agency (NCA) told Reuters that it had no connection to any disruptions to the BlackCat infrastructure.

Recorded Future security researcher Dmitry Smilyanets posted screenshots on the social media platform X in which the BlackCat actors claimed that the “feds screwed us over” and that they intended to sell the ransomware’s source code for $5 million.

The disappearing act comes after the group allegedly received a $22 million ransom payment from UnitedHealth’s Change Healthcare unit (Optum) and refused to share the proceeds with the affiliate that had carried out the attack.

The company has not commented on the alleged ransom payment, instead stating that it is solely focused on the investigation and recovery aspects of the incident.

According to DataBreaches, the disgruntled affiliate – which had its account suspended by the administrative staff – made the allegations on the RAMP cybercrime forum. “They emptied the wallet and took all the money,” they said.

This has raised speculation that BlackCat has staged an exit scam to evade scrutiny and resurface in the future under a new brand. “A re-branding is pending,” a now-former admin of the ransomware group was quoted as saying.


BlackCat had its infrastructure seized by law enforcement in December 2023, but the e-crime gang managed to wrest back control of its servers and restart its operations without any major consequences. The group previously operated under the monikers DarkSide and BlackMatter.

“Internally, BlackCat may be worried about moles within their group, and shutting up shop preemptively could stop a takedown before it happens,” Malachi Walker, a security advisor with DomainTools, said.

“On the other hand, this exit scam might simply be an opportunity for BlackCat to take the money and run. Since crypto is once again at an all-time high, the gang can get away with selling their product ‘high.’ In the cybercrime world, reputation is everything, and BlackCat seems to be burning bridges with its affiliates with these actions.”

The group’s apparent demise and the abandonment of its infrastructure come as malware research group VX-Underground reported that the LockBit ransomware operation no longer supports LockBit Red (aka LockBit 2.0) and StealBit, a custom tool used by the threat actor for data exfiltration.

LockBit has also tried to save face by moving some of its activities to a new dark web portal after a coordinated law enforcement operation took down its infrastructure last month, following a months-long investigation.

It also comes as Trend Micro revealed that the ransomware family known as RA World (formerly RA Group) has successfully infiltrated healthcare, finance, and insurance companies in the U.S., Germany, India, Taiwan, and other countries since emerging in April 2023.

Attacks mounted by the group “involve multi-stage components designed to ensure maximum impact and success in the group’s operations,” the cybersecurity firm noted.
