BlackCat ransomware shuts down in exit scam, blames the "feds"

The BlackCat ransomware gang is pulling an exit scam, trying to shut down and run off with affiliates’ money by pretending the FBI seized their site and infrastructure. The gang announced they are now selling the source code for the malware for the hefty price of $5 million. On a hacker forum, ALPHV said that they decided "to close the project" because of "the feds," without providing additional details or a clarification. However, a national law enforcement agency listed on the seizure banner confirmed to BleepingComputer that they were not involved in any recent disruption of ALPHV infrastructure.
The ransomware gang started the exit-scam operation on Friday, when they took their Tor data leak blog offline. On Monday, they further shut down the negotiation servers, saying that they decided to turn everything off, amid complaints from an affiliate that the operators stole a $20 million Change Healthcare ransom from them. Yesterday, the gang's status on Tox changed to 'GG' ('good game') - hinting at the end of the operation, and later to "selling source code 5kk," indicating that they wanted $5 million for their malware. In a message on a hacker forum shared by Recorded Future's Dmitry Smilyanets, the administrators of the operation said that they "decided to completely close the project" and "we can officially declare that the feds screwed us over." At the time of writing, the ALPHV leak site shows a fake banner announcing that the Federal Bureau of Investigation (FBI) seized the server in a “coordinated law enforcement action taken against ALPHV Blackcat Ransomware.”
Rumors of a possible exit scam from ALPHV started when a longtime ALPHV partner, a so-called "Notchy," claimed that the gang had closed their account and robbed them of a $22 million payment from the ransom allegedly paid by Optum for the Change Healthcare attack.
Bleeping Computer 03/05/2024