BlackCat Goes Dark After Ripping Off Change Healthcare Ransom

Published: 23/11/2024 | Category: security




Source code fire sale, stiffing affiliates — are BlackCat admins intentionally burning their RaaS business to the ground? Experts say something's up.



After days of outages that have caused chaos across the US healthcare system, United Healthcare's Change Healthcare subsidiary decided the best bet was to pay off the BlackCat/ALPHV ransomware affiliate that breached its systems on Feb. 23. Unsurprisingly, paying the extortion didn't provide the tidy end to the cyber incident that the healthcare technology services provider hoped it would.

Experts speculate it's possible that the Change Healthcare ransomware attack, and by association the US healthcare system more broadly, is wrapped up in a potential exit strategy for the BlackCat admins — who are burning affiliate bridges and going after one last big payday before abandoning their brand and existing infrastructure altogether.
After Change Healthcare reportedly deposited $22 million in a Bitcoin wallet as a ransomware payment, BlackCat admins were accused on the Dark Web of swooping in and grabbing all the cash for themselves, cutting their affiliates out of their part of the loot.

A message posted on a Dark Web site from a disgruntled affiliate for the ransomware-as-a-service (RaaS) gang, claiming to be responsible for the Change Healthcare ransomware breach, said they were still in possession of 4TB of critical data that includes stolen information from Change partners CVS-Caremark, Health Net, and MetLife. The message threatened to leak it if BlackCat didn't deliver the cut that the affiliate was promised. The post concluded with a warning to other would-be affiliates: "Be careful everyone and stop dealing with ALPHV."
BlackCat's RaaS business has been on shaky footing ever since its servers were seized by law enforcement last December, compromising the group's entire infrastructure. BlackCat was able to recover and stand up new servers, but nonetheless, law enforcement had access to its code.
If true, BlackCat admins stealing the $22 million Change Healthcare ransom payment would represent a cutthroat betrayal that could indeed signal the end of BlackCat, according to Ferhat Dikbiyik, head of research at Black Kite.

"An exit scam is quite common in black markets, but not so common between Russian ransomware groups," Dikbiyik says. "Yet, in the digital shadows, such a move could be likened to a rebranding effort, a chance to slip away from the limelight and re-emerge with a clean slate."
Now, BlackCat has shuttered its leak site and put its RaaS source code up for sale for $5 million for anyone who's interested, it announced by way of its Tor chat over the past day or so. It's a stunning reversal after a string of high-profile attacks, and doubly so given BlackCat's position as the top ransomware gang now that LockBit has been sidelined by a law-enforcement action.
By way of explanation, the ransomware gang is blaming the feds for interfering again with its business. But experts, including Nic Finn, a senior threat intelligence consultant at GuidePoint Security, don't see any evidence that the BlackCat servers were shut down by law enforcement this time around.

"There's a lot of speculation that BlackCat is initiating an exit scam, in which they steal the ransom payments from their affiliates before shutting down their infrastructure and breaking communications," Finn says. "Their decision to make it look like it's another FBI takedown would help them delay any negative response from their affiliates in the interim."

After all, building a base of reliable affiliates is the secret sauce that makes the RaaS business happen. And publicly burning an affiliate would certainly deter prospective partners from getting involved with BlackCat, indicating the admins don't seem to have many future plans for the business in its current form.
Malachi Walker, security advisor with DomainTools, pointed out in an emailed statement that it's possible that BlackCat admins decided to cash out of the business and rip off affiliates at this time because the value of Bitcoin is hitting all-time highs.

Or, Ukraine is another possible reason BlackCat leadership is ready to cash out, Walker added.

"Another possibility is that this exit scam is a result of Russia tapping BlackCat on the shoulder and telling them to quit their side hustle and pivot attention to leverage their ransomware capabilities in the war against Ukraine," Walker said. "Whatever the case may be, these actions by BlackCat are of great interest."

Regardless of who exactly is behind the BlackCat moves, Ariel Parnes, COO and co-founder of Mitiga, said the evidence shows there is undeniably an effort being made to destabilize the BlackCat ransomware operation.

"While it might appear that BlackCat has voluntarily ceased its activities, a closer examination suggests a more complex scenario," Parnes says. "The simultaneous deactivation of their servers, coinciding with the allegations of defrauding their associates, hints at a potentially expansive effort to undermine BlackCat's standing."

And while honor among thieves is usually in short supply, in the cybercrime world, brand is everything.

"The operational sustainability of such cybercriminal entities heavily relies on their credibility within their clandestine ecosystem," Parnes adds. "A compromise to their reputation could critically weaken their operational foundation, posing an existential threat."

Change Healthcare, meanwhile, said in a statement to Dark Reading, "We are focused on the investigation."
