Ransomware group scams its affiliate out of a share of $22 million by faking an FBI takedown


Recap: A couple of weeks ago, a Russian hacker group crippled a significant portion of the US healthcare sector. The group executed a ransomware attack on a nationwide healthcare administration system run by Optum that handles patient accounts, including payment processing, prescription orders, and insurance claims. In addition to encrypting the system, AlphV claimed to have exfiltrated an unknown quantity of data.

Last week, Optum allegedly paid AlphV (also known as BlackCat) to remove the ransomware and delete the stolen data. Although the company was tight-lipped about the incident, the Bitcoin blockchain's public ledger shows seven transfers of $3,348,114 each made on Friday from the same account to seven different accounts. Less fees, the deposit was around $22 million. Optum declined to comment when asked whether it had paid AlphV.

On Sunday, an anonymous party seemingly confirmed the $22 million payment on a dark web forum. The party said it had partnered with AlphV as an affiliate to exfiltrate 4TB of data. It further contends that AlphV drained the account and ghosted the affiliate. Consequently, the affiliate held onto the data rather than deleting it.

According to the affiliate, it holds "critical data" that Optum was worried about leaking, which is what prompted the ransom payment. Although it does not spell out what the 4TB cache contains, the affiliate says the data belongs to more than a dozen healthcare providers and insurance companies, including Medicare, CVS-Caremark, Loomis, and MetLife.

On Tuesday, AlphV's dark web site began displaying a seizure notice. The group appeared to have been taken down by the FBI and other international agencies. The FBI declined to comment on the takedown, which is not unusual, especially when an operation involves multiple hacker groups. However, the seizure message listed the UK's National Crime Agency, which said it had nothing to do with any takedown of the group.

Later, researchers looking into the alleged seizure found that the page appeared to have been copied from an earlier, genuine seizure of a different AlphV site and pasted into its current one. Independent ransomware research firm Emsisoft confirmed that what the anonymous affiliate had said on Sunday was true.

"Since people continue to fall for the ALPHV/BlackCat cover up: ALPHV/BlackCat did not get seized," said Emsisoft Head Researcher Fabian Wosar. "They are exit scamming their affiliates. It is blatantly obvious when you check the source code of the new takedown notice."

According to Wosar, the page's source code showed evidence that someone had copied the notice using the File > Save Page command in the Tor Browser. The copied source originated from a different AlphV site the FBI had previously shut down; the counterfeiter then inserted that code into AlphV's current dark web site. Since Wosar's discovery, the perpetrator has erased that evidence, which only further indicates that AlphV is faking its demise at the hands of the Feds. The practical point for anyone assessing such a notice is that a genuine seizure page is served by the seizing agency's own infrastructure, while a saved-and-reuploaded copy carries tell-tale artifacts of the browser that saved it.
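The kind of source-code check Wosar describes can be partly automated. The script below is an added example, not Emsisoft's tooling and not the exact evidence found on the AlphV page; it is a heuristic scan for artifacts that browser "Save Page, complete" features typically leave in HTML. It assumes the Firefox-family convention (which Tor Browser inherits) of rewriting resource references into a `<name>_files/` directory, plus a few other generic indicators (`file:` URIs, the legacy `saved from url=` comment, resources pulled from more than one host). The sample pages are constructed for the example.

```python
"""Heuristic scan of an HTML page for browser 'Save Page' artifacts.

Added example: the indicators below are common traits of a page that was
saved locally by a browser and re-uploaded elsewhere, not a reproduction of
the specific evidence reported on the AlphV notice.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _RefCollector(HTMLParser):
    """Collect src/href attribute values and HTML comments from a document."""

    def __init__(self):
        super().__init__()
        self.refs = []      # (tag, url) for every src= / href=
        self.comments = []  # raw comment bodies

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "href") and value:
                self.refs.append((tag, value))

    def handle_comment(self, data):
        self.comments.append(data.strip())


# Assumption: Firefox/Tor Browser "Web Page, complete" stores assets in
# "<pagename>_files/" and rewrites references to point there.
_FILES_DIR = re.compile(r"(?:^|/)[^/?#]+_files/")


def savepage_indicators(html):
    """Return {indicator_name: [matching values]} for each artifact found.

    An empty dict means none of the heuristics fired; it is not proof that
    the page is original, only that it lacks these particular artifacts.
    """
    parser = _RefCollector()
    parser.feed(html)
    found = {}

    files_dir = [v for _, v in parser.refs if _FILES_DIR.search(v)]
    if files_dir:
        found["save_complete_dir"] = files_dir

    file_uris = [v for _, v in parser.refs if v.lower().startswith("file:")]
    if file_uris:
        found["file_uri"] = file_uris

    saved_from = [c for c in parser.comments
                  if c.lower().startswith("saved from url=")]
    if saved_from:
        found["saved_from_comment"] = saved_from

    # Assets fetched from several different hosts suggest a page assembled
    # from a copy rather than served from one origin.
    hosts = {urlsplit(v).netloc for _, v in parser.refs
             if v.lower().startswith(("http://", "https://"))}
    if len(hosts) > 1:
        found["multiple_hosts"] = sorted(hosts)

    return found


# Constructed sample: a seizure notice re-uploaded after a browser save.
SAMPLE_SAVED_COPY = """<!DOCTYPE html><html><head><title>Seized</title>
<link rel="stylesheet" href="index_files/style.css">
<script src="index_files/script.js"></script></head>
<body><img src="index_files/seal.png">
<p>This website has been seized.</p></body></html>"""

# Constructed sample: a notice served natively with site-relative assets.
SAMPLE_NATIVE = """<!DOCTYPE html><html><head><title>Seized</title>
<link rel="stylesheet" href="/static/style.css"></head>
<body><img src="/static/seal.png">
<p>This website has been seized.</p></body></html>"""


if __name__ == "__main__":
    for label, page in (("saved copy", SAMPLE_SAVED_COPY),
                        ("native page", SAMPLE_NATIVE)):
        print(label, "->", savepage_indicators(page) or "no artifacts")
```

Run it against the saved HTML of a suspect notice (for example, what `curl` or the browser's View Source returns). A hit on `save_complete_dir` or `file_uri` is strong evidence the page was saved from another site and re-hosted; a clean result is not exoneration, since, as the AlphV case shows, the artifacts can be scrubbed after the fact.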

There is a cloud of uncertainty hanging over what AlphV might do next. Speculation is that the group, now flush with cash, might lay low for a while. However, it will likely just reorganize and re-emerge on the dark web under a different name, a common practice among hacker groups that feel threatened by authorities. It is unknown what the jilted affiliate will do with its 4TB of data. For victims, the episode underlines that a ransom payment buys no assurance that exfiltrated data is deleted: the operator that was paid never held the data, and the affiliate that does hold it was never paid.
