BlackCat ransomware has ceased operations in what appears to be an exit scam, blames the federal authorities
7 Mar 2024
Following a series of outages that disrupted the US healthcare system, United Healthcare’s subsidiary, Change Healthcare, opted to settle a ransom with a BlackCat/ALPHV ransomware affiliate after a breach on February 23. Despite hopes for resolution, the payment did not mark the end of the incident. Experts believe this attack on Change Healthcare, and the broader US healthcare system, may indicate BlackCat administrators’ plan to secure a final large payment before discontinuing their brand and infrastructure.
After Change Healthcare paid a $22 million ransom to a Bitcoin wallet, allegations emerged on the Dark Web accusing BlackCat administrators of keeping the entire sum and excluding their affiliates from the payout. A disgruntled affiliate claimed to still hold 4TB of sensitive data from partners like CVS-Caremark, Health Net, and MetLife, threatening to release it unless compensated as promised. This has raised warnings against collaboration with ALPHV.
BlackCat’s operational stability has been questionable since law enforcement seized its servers in December, impacting its infrastructure despite efforts to recover. This apparent theft of the ransom payment by BlackCat’s administrators might signify the group’s end, reflecting a rare instance of internal betrayal among Russian ransomware circles, potentially seen as a strategic move to rebrand and restart anonymously.
Recently, BlackCat announced the shutdown of its leak site and offered its RaaS source code for sale, marking a significant shift from its usual operations and suggesting a possible exit scam. This move, framed as another instance of law enforcement interference, aims to mitigate backlash from affiliates and indicates a lack of future plans for the gang in its existing form.
Factors like Bitcoin’s value peak or geopolitical influences, such as Russia’s interest in Ukraine, might have motivated BlackCat’s decisions. This scenario underscores attempts to destabilize BlackCat’s operations, highlighting the importance of reputation and credibility in the cybercrime community. Change Healthcare, focusing on ongoing investigations, faces challenges in navigating the repercussions of this complex cybercrime landscape.