Exit Scam: BlackCat Ransomware Group Vanishes After $22 Million Payout
7.3.24  Ransom  The Hacker News

The threat actors behind the BlackCat ransomware have shut down their darknet website and likely pulled an exit scam after uploading a bogus law enforcement seizure banner.

"ALPHV/BlackCat did not get seized. They are exit scamming their affiliates," security researcher Fabian Wosar said. "It is blatantly obvious when you check the source code of the new takedown notice."

"There is absolutely zero reason why law enforcement would just put a saved version of the takedown notice up during a seizure instead of the original takedown notice."

The U.K.'s National Crime Agency (NCA) told Reuters that it had no connection to any disruptions to the BlackCat infrastructure.

Recorded Future security researcher Dmitry Smilyanets posted screenshots on the social media platform X in which the BlackCat actors claimed that the "feds screwed us over" and that they intended to sell the ransomware's source code for $5 million.

The disappearing act comes after it allegedly received a $22 million ransom payment from UnitedHealth's Change Healthcare unit (Optum) and refused to share the proceeds with an affiliate that had carried out the attack.

The company has not commented on the alleged ransom payment, instead stating it's only focused on investigation and recovery aspects of the incident.

According to DataBreaches, the disgruntled affiliate – who had their account suspended by the administrative staff – made the allegations on the RAMP cybercrime forum. "They emptied the wallet and took all the money," they said.

This has raised speculations that BlackCat has staged an exit scam to evade scrutiny and resurface in the future under a new brand. "A re-branding is pending," a now-former admin of the ransomware group was quoted as saying.

Menlo Security, citing HUMINT sources with direct contact to the affiliate, described them as likely associated with Chinese nation-state groups. The affiliate, who goes by the name Notchy, is said to have engaged on ransomware-related topics in the RAMP forum as early as 2021.


BlackCat had its infrastructure seized by law enforcement in December 2023, but the e-crime gang managed to wrest control of their servers and restart its operations without any major consequences. The group previously operated under the monikers DarkSide and BlackMatter.

"Internally, BlackCat may be worried about moles within their group, and closing up shop preemptively could stop a takedown before it occurs," Malachi Walker, a security advisor with DomainTools, said.

"On the other hand, this exit scam might simply be an opportunity for BlackCat to take the cash and run. Since crypto is once again at an all-time high, the gang can get away with selling their product 'high.' In the cybercrime world, reputation is everything, and BlackCat seems to be burning bridges with its affiliates with these actions."

The group's apparent demise and the abandonment of its infrastructure come as malware research group VX-Underground reported that the LockBit ransomware operation no longer supports Lockbit Red (aka Lockbit 2.0) and StealBit, a custom tool used by the threat actor for data exfiltration.

LockBit has also tried to save face by moving some of its activities to a new dark web portal after a coordinated law enforcement operation took down its infrastructure last month following a months-long investigation.

It also comes as Trend Micro revealed that the ransomware family known as RA World (formerly RA Group) has successfully infiltrated healthcare, finance, and insurance companies in the U.S., Germany, India, Taiwan, and other countries since emerging in April 2023.

Attacks mounted by the group "involve multi-stage components designed to ensure maximum impact and success in the group's operations," the cybersecurity firm noted.