Another leading ransomware gang appears to have folded to international law enforcement pressure, as BlackCat has closed up shop roughly three months after having infrastructure seized by an FBI-led coalition. The group has chosen to burn bridges on its way out, however, pulling an exit scam on its remaining affiliates.
That includes whoever was behind the $22 million robbery of Change Healthcare, which caused patients to lose access to medications covered by their insurance. Complaints on dark web forums about not receiving payment from BlackCat were quickly followed by affiliate account closures, and the group has since posted a farewell message and said that it has sold off its source code.
BlackCat tries to cover exit scam with claim of second law enforcement raid
Over the last three years, it has become very common for international law enforcement to target the biggest ransomware gangs and disrupt their operations. This almost always ends with the dissolution of the gang, but the mostly Russia-based members are left to scatter and start over under new brand names. Things may be a little different this time for any former members who can be linked to BlackCat, after the audacious exit scam left affiliates high and dry.
BlackCat was certainly a prime target for special law enforcement attention. The group went on a spree in 2023 and was one of the most profitable and active ransomware gangs in the world, also participating in the sort of attacks that get reported on the nightly news rather than cybersecurity magazines. That includes the recent attack on Change Healthcare, which had serious real-world repercussions for patients, and the attack on MGM last year that threw its hotels on the Vegas Strip and in other tourism destinations into disorder for an extended period.
Some members of BlackCat have had a long run, thought to also have been former members of the BlackMatter and DarkSide ransomware gangs. They may have decided to cash out once and for all with this exit scam, taking advantage of very high crypto prices.
Ransomware gang remained active until March 1
After the December law enforcement operation, the group quickly replaced its lost infrastructure and continued with business as usual throughout January and February. The exit scam appears to have begun at the start of March. The Change Healthcare payment was reportedly made that day, and within two days the affiliate complained that the ransomware gang was not paying out its cut and was not responding to messages.
Just after the complaints began rolling in on dark web forums, the group posted that it would be going out of business due to another law enforcement raid. However, inspection of the alleged new takedown notice at its data leak site reveals that it has been recycled from the page that was previously used in December. Though the group is very obviously trying to cover its exit scam with a fake law enforcement action, it did also say that it had sold off the source code for its ransomware for $5 million.