The Erosion of Trust: BlackCat/ALPHV $22 Million Exit Scam


March 6, 2024

World map

The ALPHV/BlackCat ransomware gang has allegedly closed up shop and taken servers offline in what is being characterized as an exit scam that cuts affiliate attackers out of their share of a purported $22 million ransom payment from recent victim Change Healthcare.

While BlackCat's data leak blog has been down since Friday, BleepingComputer had confirmed that negotiation sites were still active over the weekend. Today, BleepingComputer confirmed the ransomware operations negotiation sites are now shut down as well, indicating a further deliberate take down of the ransomware gang's infrastructure,” BleepingComputer reports.

"This decision may be related to claims from someone describing themselves as a longtime ALPHV/BlackCat affiliate responsible for the attack on (Change Healthcare), who said that ALPHV banned them from the operation and stole a $22 million ransom...”

Takeaway: In early December, reports circulated that law enforcement may have been the cause of a website outage impacting the BlackCat/ALPHV ransomware gang’s leaks site.

The U.S. government also announced a bounty of as much as $15 million for information leading to the BlackCat/ALPHV operators and affiliates, so it seemed the heat was on for the criminal syndicate.

The takedown attempt appeared to have failed as the group appeared to have regained control of the websites, then claimed responsibility for attacks on Trans-Northern Pipelines, Prudential Financial, LoanDepot, and finally an attack against Change Healthcare.

Now researchers suggest that a $22 million Bitcoin blockchain transaction is potentially evidence that the BlackCat/ALPHV ransomware gang may have hit a big payday from their attack against Change Healthcare.

It seems that the BlackCat/ALPHV platform operators may be trying to use the law enforcement activity that began in December as a cover for an exit scam designed to deny the affiliate attackers who participated in the Change Healthcare attack out of their share of a potential $22 Million payday.

Ransomware is a business model, and a very lucrative one at that. Ransomware-as-a-Service (RaaS) platforms are more or less run like legitimate Software-as-a-Service (SaaS) companies, with R&D, departments, tech and negotiation support, and more.

The affiliate programs generally run like channel sales programs in legitimate SaaS companies. The affiliates are partners who carry out attacks using the RaaS platform and the RaaS providers take a cut and payout a percentage to the affiliates.

If BlackCat/ALPHV is pulling an exit scam to defraud their affiliates of their portion of the purported $22 million ransom take from the Change Healthcare attack, this would be the equivalent of a major SaaS company screwing their channel partners out of their share of a sale from a big enterprise account.

If a legitimate SaaS company were to pull something like this, it would obviously cause a great deal of turmoil not just for the company and its channel partners, but it would also have a ripple effect across the entire channel sales sector.

That is what we see now. It’s not just the BlackCat/ALPHV affiliates who are upset by the RaaS developer's actions, affiliate attackers working with other RaaS providers are also understandably nervous about the stability of their business relationships.

It’s obvious that putting trust in known criminals is risky, and no doubt affiliates are more than aware of the caliber of people they are entering into business relationships with, but for the most part the model worked well and both RaaS providers and the affiliates made it work.

While the potential fallout from this distrust is hard to predict, it has no doubt created a lot of distrust between affiliates and RaaS providers, and this breakdown of trust could spill over into operations.

Studies have shown that companies who pay ransomware attackers for a decryption key often don’t get all their data back, or data is corrupted, or the attackers still leak/sell stolen data, or that the company is soon attacked again and often by the same attackers.

Given the breakdown of trust at the top of such a prolific and high-profile operation such as BlackCat/ALPHV, we may see that breakdown of trust move down the chain and more victims find they cannot reliably trust the attackers to follow through with promises made in the ransom negotiation process.

While the debate rages on about whether or not to ban ransom payments, highly publicized exit scams like this that break down trust in the partnership aspect of the ransomware business model might also work to undermine victim confidence and result in less ransom payments.

In the meantime, we can only hope that as trust continues to erode, the whole Ransomware-as-a-Service model self-destructs.  

While that would likely not put an end to all ransomware attacks, it certainly would reduce the number of potential attackers to those with the requisite skillsets to develop and maintain attack infrastructure and payloads, which represents just a fraction of the potential attackers we are seeing today. is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.