
ALPHV-BlackCat ransomware group goes dark
While the LockBit gang struggles to keep affiliates, the ALPHV group kicks theirs to the curb. ALPHV has gone dark after receiving what appears to be a $22 million ransom payment from Optum, the operator of the Change Healthcare platform knocked offline by a ransomware attack in early February. Optum is a subsidiary of UnitedHealth Group (UHG), a health insurance provider with a massive footprint across the United States. You can find the UHG cyber response information here.
Who and what is ALPHV?
ALPHV is also referred to as BlackCat or ALPHV/BlackCat, depending on who’s doing the talking. Security researchers named this threat BlackCat due to the image of a black cat on the group’s ransom payment site. The developer and fellow threat actors refer to the group as ALPHV. You will often see security notifications and alerts using a combination of the two names. You may also see ALPHV referred to as Ransom.Noberus (Noberus), which is how Symantec analysts track this threat. Whatever you call it, it’s all the same for now.
Researchers from @MalwareHunterTeam first observed ALPHV on November 21, 2021. They shared their research on X (formerly Twitter) and with Bleeping Computer, which called it “this year's most sophisticated ransomware.” Details of the advanced capabilities can be found here.
ALPHV operates as a Ransomware-as-a-Service (RaaS), which means fellow threat actors can become affiliates by purchasing access to ALPHV ransomware, infrastructure, and other resources. ALPHV affiliates conduct attacks, while ALPHV focuses on affiliate support, ransomware development, and business expansion.
Affiliates loved ALPHV when it burst on the scene in 2021. ALPHV was a generous RaaS, offering unique ransom and data breach sites per victim, improved negotiation tools, and up to 90% of a collected ransom. It was also a mature ransomware built from the ground up using the Rust language, which improved attack performance. ALPHV attacks would sometimes use “triple extortion” to increase the pressure on the victims. Most ransomware gangs threaten double extortion through encryption and stolen data. Triple extortion attacks take this further and threaten a distributed denial of service (DDoS) attack on the victims who do not pay. This gave ALPHV an edge with affiliates who wanted that option.
In September 2023, the U.S. Federal Bureau of Investigation (FBI) reported that ALPHV had compromised over 1,000 victims and collected nearly $300 million in ransom. That’s a significant jump from roughly 60 victims in March 2022. ALPHV had become one of the most prolific RaaS threat actors, second only to LockBit. Law enforcement responded with an international disruption campaign that led to the seizure of ALPHV/BlackCat websites and some of the decryption keys needed by victims.

ALPHV moved operations to another location and announced new rules of conduct:
"As you all know, the FBI got the keys to our blog … Because of their actions, we are introducing new rules, or rather removing ALL the rules except one, you can not touch the CIS, you can now block hospitals, nuclear power plants, anything and anywhere."
The statement about the CIS is unsurprising. CIS is the Commonwealth of Independent States, consisting of former members of the Soviet Union. ALPHV is a Russian-speaking group that has a history with other Russian threat actors. Attacking CIS member states might trigger a response from local law enforcement, making operations more difficult for CIS-based threat actors. And although ALPHV always said they restrict attacks on certain entities, this is only enforced during affiliate registration. In an interview with Dmitry Smilyanets of Recorded Future, ALPHV clarified the healthcare restrictions:
“We do not attack state medical institutions, ambulances, hospitals. This rule does not apply to pharmaceutical companies, private clinics.”
Whatever was going on with their rules, this group hit the U.S. health sector hard. In early 2023, the U.S. Health Sector Cybersecurity Coordination Center (HC3) named ALPHV/BlackCat one of the most aggressive and sophisticated threats to the health sector. This is one of the reasons it was such a high-priority target for law enforcement agencies.
ALPHV was back online and operational shortly after the FBI disruption.
Notable Attacks
ALPHV has targeted victims in multiple countries and across several economic sectors. Solar Industries India, NJRC, Moncler, Creos Luxembourg S.A., and Swissport International A.G. are among the many victims of 2022-2023.
Victims with higher brand recognition include MGM Resorts, McLaren Health Care, and Lehigh Valley Health Network. The Change Healthcare operator mentioned above is the most recent and widely covered victim of ALPHV. This attack preceded a significant change for the group. ALPHV collected a $22 million ransom from Change Healthcare but never paid the affiliate who conducted the attack. This affiliate shared the news on the crime forums.
ALPHV eventually responded:
“Yes, we knew about the problem, and we were trying to solve it. We told the affiliate to wait. We could send you our private chat logs where we are shocked by everything that’s happening and are trying to solve the issue with the transactions by using a higher fee, but there’s no sense in doing that because we decided to fully close the project. We can officially state that we got screwed by the feds.”
Change Healthcare has neither confirmed nor denied the ransom payment, and there have been no reports of new ransom demands by “Notchy,” who claims to have the victim’s data. Many analysts speculate that ALPHV had been planning an exit strategy, and this big payout was all it needed to close shop. ALPHV is reported to be in negotiations to sell its source code.
ALPHV family tree
We can trace ALPHV’s origins to GandCrab, which shut down voluntarily in 2019. This group rebranded to REvil and operated until FBI disruption in 2021. It’s not accurate to say that REvil rebranded to Darkside, but many of the affiliates and tactics from REvil showed up in Darkside attacks. Due to the similarities across the operation, Darkside operators were thought to be former REvil operators. Darkside ended its operations shortly after its 2021 attack on Colonial Pipeline.
The group became active again as BlackMatter but only operated for a few months under that name. Our old friend LockBitSupp ‘outed’ BlackCat as a rebrand of BlackMatter / Darkside.
Conclusion
Like Royal and LockBit, ALPHV/BlackCat is a mature ransomware operator. Brands splinter, strains evolve, and developer-operators move forward with all their knowledge and experience. Law enforcement and the cybersecurity communities are doing their best to stop them. And unlike RaaS operators who steal from their affiliates, the good guys benefit from unprecedented cooperation between international law enforcement agencies and robust signal sharing between cybersecurity vendors.
Ransomware will always look for new ways into your system, and your best defense is to defend every threat vector with a comprehensive cybersecurity platform. Visit our website to see our complete cybersecurity platform and build your ransomware protection plan.
