
ALPHV Walks Away with 22 Million Dollars From the Change Healthcare Attack

Plus ALPHV's origin story.

I used to write about multiple cybersecurity topics in a single newsletter, but the ransomware drama is keeping pace with the latest season of Love is Blind.

So today, we’re digging into the complicated origins of ALPHV/BlackCat and how they just walked away with 22 million dollars following the attack that took down Change Healthcare.

-Jason

ALPHV / BlackCat
A Complicated Origin Story

ALPHV/BlackCat’s origin story is as confusing as a Game of Thrones family genealogy. I’ve strung together a general flow:

GandCrab → REvil → DarkSide → BlackMatter → ALPHV/BlackCat

Not each of these is a total rebrand. Many of them overlap, and the arrows instead show the transfer of tooling and talent (affiliates, developers, etc.).

Let’s pull on each thread a bit more…

GandCrab (2018 - 2019): GandCrab had a good run but announced its retirement after claiming it earned over two billion dollars in ransom payments, which is almost certainly untrue. But, hey, a ransomware operator can dream.

REvil (2019 - 2021): There is some chatter that GandCrab rebranded to REvil, but it's also possible developers behind the RaaS switched teams. Or, at a minimum, it used the same code. REvil had a good run until July 2021, when they used a vulnerability in Kaseya’s VSA software to access hundreds of MSPs, leading to mass encryption of the MSPs’ clients’ systems. A few weeks later, the group’s servers went offline after a call between President Joe Biden and Russian President Vladimir Putin.

DarkSide (2020 - 2021): After REvil shut down, affiliates and tactics popped up in DarkSide attacks. That didn’t last long, though. A DarkSide affiliate attacked Colonial Pipeline and wreaked havoc on the East Coast and America’s ability to get gas. The group shut down shortly after, claiming law enforcement seized their systems and crypto.

BlackMatter (2021 - 2021): It’s believed that after DarkSide collapsed, they rebranded to BlackMatter. After four short months, the group announced their retirement due to mounting pressure from law enforcement.

ALPHV/BlackCat (2021 - 2024): Finally, we come to the star of the show. There are many links between ALPHV and the DarkSide / BlackMatter developers and money launderers. LockBitSupp, the operator behind the now almost defunct LockBit ransomware group, said that ALPHV was a rebrand of BlackMatter and DarkSide.

As I said, complicated. If you’re looking for a visual for all of this, look no further than this Family Guy clip. It’s ALPHV.

ALPHV / BlackCat
The 22 Million Dollar Exit Scam

If you recall, ALPHV has been on its last breath since December 2023, when law enforcement seized its servers. An epic battle ensued, which I covered in a prior newsletter. It’s well worth the read.

Fast forward a few months, and we’re watching ALPHV walk off with 22 million dollars. Here’s how it played out.

On February 21, 2024, an ALPHV affiliate attacked Change Healthcare (CHC), an Optum company, which is a United Healthcare company. Yeah, their origin story is about as complicated as ALPHV’s. I digress.

CHC makes software to help with billing and healthcare data exchanges for pharmacies and medical practices. It’s a wide network that includes:

  • 6,000 hospitals

  • 1 million+ physicians

  • 125K+ dentists

  • 39K+ pharmacies

  • 700+ laboratories

Many of CHC's services went down when that ALPHV affiliate encrypted its systems. Many Americans struggled to get insurance approval and instead had to pay full price for their prescriptions. It was bad. I would even go as far as to say it was the Colonial Pipeline for healthcare.

On March 1st, CHC purportedly paid a 22 million dollar ransom to receive a decryption key and stop the release of 4 TB of data the affiliate claims to have stolen. How do we know this? On March 3rd, the affiliate posted on a Russian hacking forum that ALPHV never paid them their cut of the ransom payment. Mmmhhh drama.

This disgruntled affiliate also dropped the payment address where CHC sent the ransom payment. Because it’s on the blockchain, we can see it all.

On March 1st, the wallet received 350 BTC valued at approximately 22 million dollars. Then on March 3rd, the wallet was emptied in seven equal transactions of 50 BTC, each valued at just over 3 million dollars. As I’m writing this, all of the BTC remains in the wallets they were transferred to. So, the exit scam so far has not been successful.
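To show how that kind of on-chain check works, here is an added example (not from the original newsletter) that replays a constructed ledger shaped like the flow above and reports whether the payment address is drained, whether the outflows are an equal split, and how much is still parked downstream. The addresses and txids are placeholders, fees are ignored, and returning change to the payment address between spends is an assumption.

```python
from collections import defaultdict

SAT = 100_000_000  # satoshis per BTC

def build_sample_ledger():
    """Constructed ledger: one 350 BTC payment, then seven 50 BTC spends with change."""
    ledger = [{"txid": "tx_ransom", "inputs": [],  # payer's inputs omitted
               "outputs": [("ADDR_PAYMENT", 350 * SAT)]}]
    prev, remaining = ("tx_ransom", 0), 350 * SAT
    for i in range(1, 8):
        remaining -= 50 * SAT
        outputs = [(f"ADDR_DEST_{i}", 50 * SAT)]
        if remaining:  # assumed: change goes back to the payment address
            outputs.append(("ADDR_PAYMENT", remaining))
        ledger.append({"txid": f"tx_split_{i}", "inputs": [prev], "outputs": outputs})
        prev = (f"tx_split_{i}", 1)  # next spend consumes the change output
    return ledger

def unspent_balances(ledger):
    """Replay transactions in order and return {address: unspent satoshis}."""
    utxos = {}  # (txid, output index) -> (address, value)
    for tx in ledger:
        for ref in tx["inputs"]:
            utxos.pop(ref)  # KeyError here means a double spend or unknown parent
        for idx, (addr, value) in enumerate(tx["outputs"]):
            utxos[(tx["txid"], idx)] = (addr, value)
    balances = defaultdict(int)
    for addr, value in utxos.values():
        balances[addr] += value
    return dict(balances)

def trace_outflows(ledger, watched):
    """List (txid, destination, satoshis) for value leaving `watched`, change excluded."""
    owner, flows = {}, []
    for tx in ledger:
        spends_watched = any(owner.get(ref) == watched for ref in tx["inputs"])
        for idx, (addr, value) in enumerate(tx["outputs"]):
            owner[(tx["txid"], idx)] = addr
            if spends_watched and addr != watched:
                flows.append((tx["txid"], addr, value))
    return flows

def summarize(ledger, watched):
    flows, balances = trace_outflows(ledger, watched), unspent_balances(ledger)
    destinations = {dest for _, dest, _ in flows}
    return {"watched_balance": balances.get(watched, 0),
            "outflows": len(flows),
            "equal_split": len({value for _, _, value in flows}) == 1,
            "still_parked": sum(balances.get(d, 0) for d in destinations)}

if __name__ == "__main__":
    print(summarize(build_sample_ledger(), "ADDR_PAYMENT"))
```

If any destination address later spends its output, `still_parked` drops below the amount that left the payment address, which is the signal to watch for when tracking whether funds have started to move.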

Meanwhile, in ALPHV land, they were shutting down their servers. On March 5th, they commented on the same hacking forum that they decided to close the ransomware project and claimed “the feds screwed us over.” But did they?

ALPHV went as far as bringing their leak site back up and putting up a fake seizure notice. Looked legit…but law enforcement denied involvement in a new takedown. More evidence that this is an exit scam.

To complicate matters further, the affiliate who was never paid still has a copy of the 4TB of stolen data.

And let’s not forget that ALPHV/BlackCat knows how to rebrand. Will we see a new well-funded group pop up in a few months?

News
What Else is Happening?

🐕️ PetSmart has dog food and cybersecurity prowess. They held a masterclass on responding to a credential-stuffing attack by detecting it, disabling impacted accounts, and notifying impacted customers. It’s a stark difference from 23andMe, who took a different approach by blaming users for poor password practices.

🍻 The Belgian beer giant, Duvel Moortgat Brewery, halted their beer production after detecting a ransomware attack. The Stormous ransomware group claimed responsibility and threatened to leak 88 GB of stolen data if a ransom is not paid. The company could not give a clear answer on when production would resume but put everyone at ease by saying they have enough stock, “so Duvel drinkers don’t have to worry.” Cheers.

🇺🇦 Ukraine continued its cyber guerilla warfare against Russia. This week, the Ukrainian Ministry of Defense released a press release touting its hack of the Russian Federation's Ministry of Defense. They stole data that allowed them to understand the complete structure (with names) of the Russian Ministry of Defense and its units.

💰️ The 2023 FBI Internet Crime Report is out. There were a record number of complaints, with potential losses exceeding $12.5 billion, a 22% increase from 2022. The highest losses stemmed from investment scams, with 4.57 billion in losses in 2023. Ouch.

If you enjoyed this, forward it to a fellow cyber nerd.

If you’re that fellow cyber nerd, subscribe here.

See you next week!
