After collecting $22 million, AlphV ransomware group stages FBI takedown


By Sedoso Feb


Image credit: Getty Images

The ransomware group responsible for hamstringing the prescription drug market for two weeks has suddenly gone dark, just days after receiving a $22 million payment and standing accused of scamming an affiliate out of its share of the loot.

The events involve AlphV, a ransomware group also known as BlackCat. Two weeks ago, it took down Change Healthcare, the biggest US health care payment processor, leaving pharmacies, health care providers, and patients scrambling to fill prescriptions for medicines. On Friday, the bitcoin ledger shows, the group received nearly $22 million in cryptocurrency, stoking suspicions the deposit was payment by Change Healthcare in exchange for AlphV decrypting its data and promising to delete it.

Representatives of Optum, the parent company, declined to say if the company has paid AlphV.

Honor among thieves

On Sunday, two days following the payment, a party claiming to be an AlphV affiliate said in an online crime forum that the nearly $22 million payment was tied to the Change Healthcare breach. The party went on to say that AlphV members had cheated the affiliate out of the agreed-upon cut of the payment. In response, the affiliate said it hadn’t deleted the Change Healthcare data it had obtained.

Image: A message left in a crime forum from a party claiming to be an AlphV affiliate. The post claims AlphV scammed the affiliate out of its cut. (Credit: vxunderground)

On Tuesday—four days after the bitcoin payment was made and two days after the affiliate claimed to have been cheated out of its cut—AlphV’s public dark web site started displaying a message saying it had been seized by the FBI as part of an international law enforcement action.

Image: The AlphV extortion site as it appeared on Tuesday.

The UK’s National Crime Agency, one of the agencies the seizure message said was involved in the takedown, said the agency played no part in any such action. The FBI, meanwhile, declined to comment. The NCA denial, as well as evidence the seizure notice was copied from a different site and pasted into the AlphV one, has led multiple researchers to conclude the ransomware group staged the takedown and took the entire $22 million payment for itself.

“Since people continue to fall for the ALPHV/BlackCat cover up: ALPHV/BlackCat did not get seized,” Fabian Wosar, head of ransomware research at security firm Emsisoft, wrote on social media. “They are exit scamming their affiliates. It is blatantly obvious when you check the source code of the new takedown notice.”

Wosar accompanied his post with an image showing the page source used to render the supposedly seized AlphV homepage. The source indicated that the image in the seizure notice had been copied using the File > Save page as command in the Tor browser. In December, the FBI and law enforcement partners around the world did, in fact, shut down many of the servers AlphV used, and for a time, the AlphV site displayed an image that’s identical to the one appearing on the site AlphV spun up following the takedown. Wosar and other researchers speculated that AlphV members simply saved the image from the older site and pasted it into the newer one.

Image credit: Fabian Wosar

At the time this post was published on Ars, it appeared that the source for the seized site had been changed to remove the evidence it had been copied from elsewhere.

Exit stage left

The series of events suggests that after receiving the $22 million, AlphV decided to retire, or at least go on a temporary hiatus before reforming as a new group, a common move among ransomware groups when in the sights of law enforcement. Rather than pay the affiliate, AlphV decided to keep the entire amount. Then, rather than being transparent about the exit, AlphV posted a fake seizure notice to give the appearance it was being shut down by law enforcement.

If the speculation is correct, the most significant development in the entire series of events is the claim the affiliate made in the crime forum. It means that someone shelled out $22 million in return for its data and the promise that the data would be deleted, including by any third parties. “Notchy,” the name used by the person claiming to be the affiliate cheated out of its cut, claims to be in possession of 4 terabytes’ worth of “critical” Change Healthcare data.

AlphV was first observed in late 2021 when it emerged with a never-before-seen encryptor that worked across both Windows and Linux. It coerced payments from victims using a triple extortion model that (1) encrypted data, (2) threatened to make it public, and (3) performed distributed denial-of-service attacks on the victim’s infrastructure. Like most of its peers, AlphV operates under a ransomware-as-a-service model, in which the core group provides the ransomware and infrastructure and looks to affiliates to do the actual hacking of victims. Then, both parties get a cut of any proceeds.

The FBI has said that several members of AlphV have ties to DarkSide, a ransomware group that suddenly went dark after breaching Colonial Pipeline, one of the biggest US suppliers of gasoline. Many researchers believe DarkSide suspended operations after the attack on Colonial Pipeline attracted too much attention from law enforcement. Then, after remaining dormant for a time, the group rebranded itself as AlphV/BlackCat.

AlphV exiting at this moment makes sense. Last month, the FBI struck a major blow at a different ransomware group known as Lockbit. The extent of the disruption—including the complete compromise of the Lockbit website and dozens of its servers—may have stoked enough anxiety in the ransomware market as a whole that AlphV decided now is a good time to lie low.

While the suspension of one of the most prolific ransomware groups may be good news for many, it’s less so for the affiliate and worse still for Change Healthcare.
