Ransomware group scams its partner out of a share of $22 million by faking an FBI takedown

Cal Jeffrey

Recap: A few weeks ago, a Russian hacker group completely crippled a significant portion of the US healthcare sector. The group executed a ransomware attack on a nationwide healthcare management system run by Optum that handles patient accounts, including payment processing, prescription orders, and insurance claims. In addition to encrypting the system, AlphV claimed to have exfiltrated an unknown amount of data.

Last week, Optum allegedly paid AlphV (also known as Black Cat) to remove the ransomware and delete the stolen data. Although the company was tight-lipped about the incident, Blockchain's ledger shows seven $3,348,114 transfers made on Friday from the same account to seven different accounts. After fees, the deposit was around $22 million. Optum declined to comment when asked if it paid AlphV.

On Sunday, an anonymous party seemingly confirmed the $22 million payment on a dark web forum. The group said it partnered with AlphV to exfiltrate 4TB of data. It further contends that AlphV drained the illicit account and ghosted the group. Therefore, it held onto the information rather than deleting it.

According to the group, it has "critical data" that Optum was worried about leaking, prompting it to pay the ransom. Although it does not precisely clarify what the 4TB cache contains, the group says it belongs to dozens of healthcare providers and insurance companies, including Medicare, CVS-Caremark, Loomis, and Metlife.

On Tuesday, AlphV's dark website began displaying a seizure notice. The group appeared to have been stung by the FBI and other foreign agencies. The FBI declined to comment on the takedown, which is not unusual, especially if the operation involves multiple hacker groups. However, the seizure message listed the UK's National Crime Agency, which said it had nothing to do with a takedown of the group.

Later, researchers looking into the alleged seizure found that the page appeared to have been copied from a different AlphV website seizure and pasted into its current one. Independent ransomware research firm Emsisoft confirmed that what the anonymous group had said on Sunday was true.

"Since people continue to fall for the ALPHV/BlackCat cover up: ALPHV/BlackCat did not get seized," said Emsisoft Head Researcher Fabian Wosar. "They are exit scamming their affiliates. It is blatantly obvious when you check the source code of the new takedown notice."

According to Wosar, the page's source code showed evidence that someone had copied the notice using the File > Save page command in the Tor browser. The copied source originated from a different AlphV site the FBI previously shut down. The counterfeiter then inserted the code into AlphV's current dark website. Since Wosar's discovery, the perpetrator has erased that evidence, further indicating that AlphV is faking its demise at the hands of the Feds.

There's a cloud of uncertainty hanging over what AlphV might do next. Speculation asserts that the group, now flush with cash, might lay low for a while. However, it will likely just reorganize and emerge on the dark web under a different name – a common practice with hacker groups feeling threatened by authorities. It's unknown what the jilted hacker team will do with its 4TB of data.

Just another good reason for capital punishment for any and all of these groups .....