By Nataly Vovk | Threat Intelligence Analyst

 Published on March 14th, 2024

The ALPHV/BlackCat infrastructure experienced its second shutdown since December 2023.

Key Takeaways

• On March 3, 2024, an ALPHV/BlackCat affiliate accused an operator on the RAMP cybercrime forum of embezzling a $22 million ransom from an attack on Change Healthcare Inc.
• The next day, an ALPHV administrator admitted to the service disruption on the Tox platform and promised resolution efforts.
• The administrator later revealed that the failure to distribute ransom proceeds was due to law enforcement action.
• On March 5, 2024, ALPHV announced the suspension of its operations and its intent to sell the ransomware source code for $5 million.
• On March 3, 2024, an affiliate of the ALPHV, also known as BlackCat Ransomware-as-a-Service (RaaS), raised a scam accusation on the RAMP cybercrime forum against an ALPHV operator.

The affiliate alleged that the operator pocketed a $22 million ransom payment for them following a ransomware attack on Change Healthcare Inc., a U.S.-based healthcare technology firm. Shortly after the payment was made, the affiliate’s RaaS account was reportedly suspended, and both the ALPHV RaaS affiliate management panel and the victim’s blog went offline.

Thank you for signing up, we'll be in contact soon.

Stay One Step Ahead of Cyber Threats

Want to Be the Smartest Guy in the Room? Get the Latest Cybersecurity News and Insights.

Subscribe

We respect your privacy and you can unsubscribe anytime.

The next day, an ALPHV administrator acknowledged the service disruption on the Tox messaging platform and stated that efforts were being made to resolve the issue.

Later, the administrator confirmed that they failed to distribute the ransomware attack proceeds with the affiliate due to law enforcement intervention.

On March 5, 2024, a seizure of ALPHV RaaS operations was announced on the RAMP forum, accompanied by a law enforcement seizure notice similar to one seen in December 2023.

Furthermore, ALPHV declared its operations suspended and intended to sell the ransomware’s source code for $5 million.

It was the second distraction caused by law enforcement from the ALPHV/BlackCat infrastructure. The first incident happened on December 19, 2023, an incident where a server hosting an ALPHV victim-shaming blog displayed a seizure notice from the FBI and Europol, confirmed later by the DOJ.

The seizure revealed the recovery of 946 key pairs and offered decryption solutions to approximately 500 victims. Despite law enforcement’s disruptions, ALPHV remained active, reporting many breaches in January and February 2024, respectively, and posting about alleged victims on its new blog until the second disruption on March 3, 2024.