Breaking Badness

Breaking Badness Cybersecurity Podcast - 183. BlackCat’s Out of the Bag

Coming up this week on Breaking Badness: AlphV Back and Gold, Guidance, and Grievances.


This week on the Breaking Badness Cybersecurity Podcast, we are dedicating the entire episode to talking about all things AlphV (aka BlackCat). Joining Kali Fencl are colleagues Ian Campbell and Austin Northcutt. We’ll look at the background on the group along with some history of critical infrastructure organizations being popped and paying ransoms.

Let’s start with what happened in the Change Healthcare attack including the impact to the company

  • Around or on February 21st, Change Healthcare, which is the largest payment exchange platform in the US healthcare system, started warning customers that some of its services had become unavailable and then later stated that a cybersecurity incident had caused it
    • Change Healthcare has about 30 to 50% of the market share in terms of US health records, so AlphV didn’t just breach a small company – this is massive 
  • The next day, Change Healthcare’s parent company, UnitedHealth Group, submitted an 8K filing with the SEC, which is basically a formal notice of a cyber security incident with potential impact
    • It confirmed, yes, there was a cyber attack behind the disruption of Optum, who is a client of Change Healthcare services 
  • UnitedHealth Group initially indicated the breach was carried out by a state-sponsored threat actor, or that they believed it to be the work of a state-sponsored actor
    • However, in the days to follow, AlphV, or the BlackCat ransomware group, claimed responsibility for the breach via their data leak site, claiming they’d exfiltrated six terabytes of data from Change Healthcare’s network
    • Fast forward a few days, Change Healthcare reportedly paid AlphV a 22 to 23 million dollar ransom in exchange for the threat actors’ promise to delete the exfiltrated data

Let’s next discuss some circumstances around the AlphV exit

  • Within days of collecting the ransom from Change Healthcare, the operators of AlphV ransomware-as-a-service began making claims that their infrastructure had once again been seized by federal law enforcement agencies
  • They put up a banner on their website, similar to what you see when there is a legitimate law enforcement takedown of ransomware infrastructure
  • Plausible suspicions of a possible exit scam from AlphV started first when international law enforcement agencies promptly denied being involved in any recent disruption of AlphV infrastructure (emphasis on the word recent, because they took credit for a previous disruption), and then those suspicions increased even more after a while
  • An AlphV affiliate claimed that the gang had closed their account within AlphV’s affiliate panel and then robbed them of the $23 million payment from the ransom that was allegedly paid
    • It seems that the AlphV affiliate that stole the data from Change Healthcare got scammed
    • And that’s really where everyone started to see that they were trying to take the money and run

We’ve seen theories on what prompted the exit, and we’ve had our own Malachi Walker share his thoughts with various industry pubs, but Ian and Austin have some theories to share as well

  • Ian’s theories:
    • They’ve got a history of shutting down and rebranding, so his guess would be it’s going to be something along those lines
    • If they’re smart, they’ll actually take the money and run because they’ll have to do a lot of running considering how many people they just made angry
    • Ian also has a theory we haven’t seen a lot of coverage on, and it comes from a direct reading of the Department of Justice (DOJ) affidavit from their December takedown
      • For those who don’t know, AlphV was actually the subject of international law enforcement action in December that took down their website for a while
      • Reading the affidavit for part of that takedown was really interesting because someone basically handed them relevant encryption keys
      • It sounded like they might have actually handed it to the FBI physically on a flash drive, or that’s just where they stored it
      • Those encryption keys allowed the decryption of and insight into over 900 BlackCat Tor sites
      • There are a lot of references to a confidential human source whose entry method was to just apply for BlackCat affiliate status; they were technical enough that once they were brought into the affiliate portal they were able to pull a lot more information – there’s no deep information on that human source though
      • The DOJ was able to track down a fair amount of their communications infrastructure, disrupted it, and posted a seizure splash page on AlphV’s website, and it involved a bunch of US and international law enforcement agencies
      • AlphV reinstated its network a few days later and in revenge removed restrictions on its affiliates from attacking critical infrastructure in hospitals, which is what led to the rash of hospital hits, including Change Healthcare
      • One of the interesting things is that AlphV has a lot of connections to Scattered Spider, especially for initial entry into networks. Scattered Spider’s actors specialize in social engineering and initial breach, and reports in November indicated that the FBI had deep intel on Scattered Spider, including their identities, but were holding back
      • In hindsight, it’s kind of interesting to wonder if they held back purposely to further inform their operation directly against AlphV
      • So at this point, this all sort of wraps up in Ian wondering if AlphV is worried about people who know too much, and the fact that they won’t be able to secure their organization at this point because of both the heat and because they’ve probably ticked off a fair amount of people with enough technical information to get them in hot water
      • If someone’s handing over all the private encryption keys to your kingdom you’ve made someone mad that has a lot of access
  • Austin’s theories:
    • Hitting a critical industry sector is, as we’ve learned, not a good idea, or it’s a really good way to get yourself in the crosshairs of the FBI or international law enforcement agencies
    • What’s interesting is that AlphV actually has links to the Darkside and Blackmatter ransomware-as-a-service operations, and was previously identified as kind of a successor to both of those ransomware operations
      • In May of 2021, we saw the Darkside ransomware variant being used in the attack that encrypted and shut down the Colonial Pipeline
      • That was a major incident once again impacting the daily lives of individuals in the United States (with the Change Healthcare incident, people were unable to fill critical or vital prescriptions that they need or they were being forced to fill them at extremely high rates)
      • With the Colonial Pipeline, it shut down the distribution and transport of oil or gas to a lot of the East Coast in the United States, causing some gas stations to be unable to sell gas, and people were unable to fill their tanks
      • But in the Darkside ransomware attack going back to May of 2021, the Colonial Pipeline paid Darkside a $4.4 million ransom for their encryption key, and that was fairly big at the time
      • Within a few months we saw two things happen: Darkside said “hey, we’re going to take a break or step out,” and we saw them kind of fade off into the distance, but also within about two months, the FBI was able to recover, or repossess, most of that Bitcoin or most of that ransom
      • Austin thinks AlphV learned from their mistakes and the mistakes of Darkside. $23 million is a huge ransom even compared to the Colonial one, and his guess is right now they’re looking at self preservation, trying to figure out how they can hide this ransom as quickly as possible and get it out of the reach of the US and international law enforcement agencies who might try to repossess it

Next, we’ll take a look at the looming sanctions against Darkside 

  • AlphV’s move was prompted by the fear or potential that the US Department of the Treasury might impose sanctions against the group or its operators
  • The operators are trying to kill the AlphV brand and will reappear with a new name and an updated locker in a few months
  • We’ve seen this occur, but with other ransomware groups like Conti
    • They killed the brand right after kind of Conti leaks and they actually rebranded into multiple groups 
  • In the US, it’s become increasingly difficult for the ransomware operators to collect payment because of the financial institutions operating within the countries where the sanctions were imposed
    • Banks are obligated (or should be) to check to make sure that the attack wasn’t carried out by a sanctioned entity, and if it is, they may be denying payment to the business owner that was hit because the bank can be penalized for it 
    • So Austin thinks AlphV may have been concerned that there was just too much pressure and that they might be subject to having sanctions imposed against them 

What do we think might happen next with AlphV? Where do we go from here? 

  • Ian’s thoughts:
    • It’s a human-centric approach with the understanding that generally people don’t change their stripes a lot, so he leans toward the thought that they will rebrand and start doing it again – he doesn’t see this causing a behavior change
  • Austin’s thoughts:
    • He’s very interested to see what happens with the Change Healthcare ransom payment 
    • There were a lot of unwritten rules amongst the ransomware cybercrime ecosystem that seemed to have been violated here
    • He’s also interested to see if there is any law enforcement action that attempts to recover the payment at all
      • When attacks impact the daily lives of the citizens or the well-being of US citizens, we definitely see the US government and law enforcement kick it into higher gear and begin to take more action against these individuals conducting the attacks

That’s about all we have for this week. You can find us on Twitter @domaintools, and all of the articles mentioned in our podcast will always be included on our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.

*A special thanks to John Roderick for our incredible podcast music!