ALPHV has shown once again that nobody is safe from its antics, not even its own partners: the threat group has shut down its servers following claims that it scammed one of its affiliates out of a $22 million ransom payment.
As observed by Cyber Daily, the leak-site blog of the group (which also goes by BlackCat) is now offline, and according to other publications it has been down since Friday.
Its negotiation sites are also reportedly now down.
According to BleepingComputer, ALPHV posted a message on the Tox messaging platform it uses to negotiate ransoms with victims that simply said, “Все выключено, решаем,” meaning “Everything is switched off, we are sorting it out.” The group’s status message now just reads “GG”.
The outage comes after the ALPHV affiliate responsible for the attack on Change Healthcare (operated by UnitedHealth subsidiary Optum) claimed to have been scammed by the group, saying its account had been banned from the operation and that the $22 million ransom paid by Optum had been stolen from it.
“We are affiliate plus who has been working with ALPHV for a long time, and on 1st of March 2024 the victim Change Healthcare – OPTUM paid ALPHV 22M as ransom to prevent data leakage and [to access a] decryption key,” the affiliate wrote in a message seen by cyber security researcher Dmitry Smilyanets of Recorded Future.
“But after receiving the payment ALPHV team decided to suspend our account and kee[p] lying and delaying when we contacted ALPHV admin on TOX.
“He kept saying they are waiting for chief admin and the coder until today [when] they emptied the wallet and took all the money.”
Typically, ransom payments in a ransomware-as-a-service scheme are split between the core operation and the affiliate that carried out the intrusion, with the operation taking a cut in exchange for providing the malware, the leak site and the negotiation infrastructure.
As tragic as it may seem that ALPHV has backstabbed its own affiliate and literal partner in crime, don’t get too sympathetic just yet. Not only is Change Healthcare the real victim, but because the ransom payment was stolen, the affiliate has held onto the stolen data and the company has not been provided with a decryptor.
“Sadly for the target Change Healthcare – OPTUM, their data [is] still with us,” it added.
“4TB of the critical data, the same data they were worried if it got leaked.”
To prove that the ransom had been paid, the ALPHV affiliate, who goes by the name “notchy”, shared a cryptocurrency payment address showing nine transactions: an initial deposit of 350 bitcoins (roughly US$23.8 million or A$36.6 million) followed by eight outgoing transfers.
Alongside the deposit, the address has only one other transaction, which was sending the funds to ALPHV.
Since the affiliate is itself a criminal operation, it is unlikely anyone is going to step in and help it get its money back. It is also hard to say how long ALPHV will remain offline, and whether its latest activity will once again attract the attention of law enforcement, which seized the group’s leak site in December 2023.
Since paying the ransom, Change Healthcare and its parent company, UnitedHealth, have stayed quiet, issuing no statement on the recent developments.
This incident demonstrates once again that paying a ransom, while it may seem like a simple and often cheaper way out of a cyber attack, is not the answer: it requires trusting criminals to delete stolen data and hand over a working decryptor, and, as this case shows, the criminals may not even honour their deals with one another. It also paints a target on an organisation, because it signals to other criminals that the organisation is willing to pay.