In what is turning into a tumultuous period for the cyber criminal underground, the ALPHV/BlackCat ransomware crew has turned off its server infrastructure in an apparently self-imposed takedown, amid allegations that the group’s ringleaders had stolen millions of dollars from an affiliate that recently attacked an American healthcare services provider.
The takedown at first appeared to be a coordinated action by law enforcement agencies, but according to Reuters, the National Crime Agency (NCA), which led Operation Cronos, the recent takedown of the LockBit operation, said that no law enforcement action had taken place.
The waters were muddied still further by the emergence of a Sunday 3 March statement posted in broken English to one of the major underground forums by a supposed affiliate of ALPHV/BlackCat.
The poster claimed they had been working with ALPHV/BlackCat for a long time, and on 1 March received a $22m ransom payment from Minneapolis, Minnesota-based UnitedHealth Group, the parent of the ransomware-stricken Change Healthcare.
However, they said, after receiving the payment, the ALPHV/BlackCat team “decide to suspend our account and keep lying and delaying when we contacted ALPHV admin on Tox.”
They added: “He kept saying they are waiting ro [sic] chief admin and the coder until today they emptied the wallet and took all the money…. Be careful everyone and stop deal with ALPHV.”
“It’s important to emphasise that this is all speculation,” said Yossi Rachman, Semperis director of security research. “I do agree that it looks a little odd, because ALPHV might lose business over it. Then again, it’s not a bricks-and-mortar business so if they did decide to steal the money and run, they can just as easily set up a new business under a different name.
“Overall, no one outside of the inner circles of ALPHV, their affiliate and Change Healthcare is privy to this information about who paid or did not pay. And you know what they say in the cyber security industry about there being no honour among thieves. So, nothing surprises me.”
WithSecure senior threat intelligence analyst Stephen Robinson echoed Rachman’s sentiment on taking anything at face value. “Any statement from cyber criminals is inherently untrustworthy, ALPHV appears to have gone offline, but we don’t know why,” he said.
“The claim regarding the affiliate payment is kind of interesting, but similarly untrustworthy. For a RaaS operation to work, the affiliates and the core group must trust each other, so ‘stealing’, or withholding payment from an affiliate would be very unusual. However, cyber criminals often make efforts to stay below the radar of law enforcement, and to avoid committing attacks which will have real world impacts leading to focused attention from international law enforcement.”
“The Change Healthcare compromise has had significant, long-lasting, real-world impact in the US. If ALPHV have refused to pay the affiliate who performed the attack and banned them from the operation, it could be because they think it was too high-profile an attack, or it broke the rules of the operation, whatever they are,” he said.
“It is possible that ALPHV are about to rebrand under a different name to avoid law enforcement attention, but that is just speculation.”
This would speak to ALPHV/BlackCat’s roots – similarly speculative for the most part – in the DarkSide operation which attacked Colonial Pipeline in 2021.
This attack, which caused real-world impact and disruption to fuel supplies across a swathe of the US, brought the issue of ransomware to global mainstream attention and led to big changes in Western policy.
It also resulted in a coordinated law enforcement operation against the gang, which recovered a significant proportion of the ransom Colonial Pipeline paid.
For victims, no relief
The gang’s alleged seizure of the payment supposedly made by Change Healthcare – whose parent has not confirmed whether or not it has paid any ransom – will come as little relief to an organisation that has faced – or still faces – an agonising decision.
“While it may be within the risk appetite for an entertainment company like MGM to refuse a ransom demand even though downtime is costing the organisation revenue, the decision not to pay a ransom likely will not put any lives at risk,” said Jon Miller, co-founder and CEO of anti-ransomware platform Halcyon.
“But what about a healthcare provider like Change Health who urgently requires access to systems because any delays could pose a risk to human life? In these cases, the decision on whether to pay a ransom demand is significantly more complicated.”
Speaking to the renewed debate on whether or not the payment of ransomware demands should be made illegal, Miller acknowledged both sides of the issue, saying that paying up swiftly could on occasion be the quickest way to restore operations, though at some risk, but that to do so clearly encouraged more attacks down the line.
For healthcare organisations, whether in the US’ private system or the NHS in the UK, the choice is even starker.
“Ransomware attacks against the healthcare system are increasingly impacting organisations’ ability to care for patients, and some studies have already found a direct link between ransomware attacks and increased patient mortality,” said Miller.
“One study found that 68% said ransomware attacks resulted in a disruption to patient care, and 43% said data exfiltration during the attack also negatively impacted patient care with 46% noting increased mortality rates, and 38% noting more complications in medical procedures following an attack,” he added.
However, he added, the debate over ransom payment bans does not really address the root cause of the issue, the vulnerability of the victim’s IT systems in the first place.
“If we can prevent these attacks from being successful, the ransom payment debate becomes moot,” he said.