The threat actors behind the BlackCat ransomware have shut down their darknet website and likely pulled an exit scam after uploading a bogus law enforcement seizure banner.
“ALPHV/BlackCat did not get seized. They are exit scamming their affiliates,” security researcher Fabian Wosar said. “It is blatantly obvious when you check the source code of the new takedown notice.”
“There is absolutely zero reason why law enforcement would just put a saved version of the takedown notice up during a seizure instead of the original takedown notice.”
The U.K.’s National Crime Agency (NCA) told Reuters that it had no connection to any disruptions to the BlackCat infrastructure.
Recorded Future security researcher Dmitry Smilyanets posted screenshots on the social media platform X in which the BlackCat actors claimed that the “feds screwed us over” and that they intended to sell the ransomware’s source code for $5 million.
The disappearing act comes after the group allegedly received a $22 million ransom payment from UnitedHealth’s Change Healthcare unit (Optum) and refused to share the proceeds with the affiliate that had carried out the attack.
The company has not commented on the alleged ransom payment, instead stating that it is focused only on the investigation and recovery aspects of the incident.
According to DataBreaches, the disgruntled affiliate – which had its account suspended by the administrative staff – made the allegations on the RAMP cybercrime forum. “They emptied the wallet and took all the money,” they said.
This has raised speculation that BlackCat has staged an exit scam to evade scrutiny and resurface in the future under a new brand. “A re-branding is pending,” a now-former admin of the ransomware group was quoted as saying.
BlackCat had its infrastructure seized by law enforcement in December 2023, but the e-crime gang managed to wrest back control of its servers and restart operations without any major consequences. The group previously operated under the monikers DarkSide and BlackMatter.
“Internally, BlackCat could be worried about moles within their group, and closing up shop preemptively could stop a takedown before it happens,” Malachi Walker, a security advisor with DomainTools, said.
“On the other hand, this exit scam may simply be an opportunity for BlackCat to take the money and run. Since crypto is once again at an all-time high, the gang can get away with selling their product ‘high.’ In the cybercrime world, reputation is everything, and BlackCat seems to be burning bridges with its affiliates with these actions.”
The group’s apparent demise and the abandonment of its infrastructure come as malware research group VX-Underground reported that the LockBit ransomware operation no longer supports LockBit Red (aka LockBit 2.0) and StealBit, a custom tool used by the threat actor for data exfiltration.
LockBit has also tried to save face by moving some of its activities to a new dark web portal after a coordinated law enforcement operation took down its infrastructure last month following a months-long investigation.
It also comes as Trend Micro revealed that the ransomware family known as RA World (formerly RA Group) has successfully infiltrated healthcare, finance, and insurance companies in the U.S., Germany, India, Taiwan, and other countries since emerging in April 2023.
Attacks mounted by the group “involve multi-stage components designed to ensure maximum impact and success in the group’s operations,” the cybersecurity company noted.
Some parts of this post are sourced from:
thehackernews.com