Recap: A couple of weeks in the past, a Russian hacker group utterly crippled a good portion of the US healthcare sector. The group executed a ransomware assault on a nationwide healthcare administration system run by Optum that handles affected person accounts, together with cost processing, prescription orders, and insurance coverage claims. Along with encrypting the system, AlphV claimed to have exfiltrated an unknown quantity of knowledge.
Final week, Optum allegedly paid AlphV (also referred to as Black Cat) to take away the ransomware and delete the stolen information. Though the corporate was tight-lipped concerning the incident, Blockchain’s ledger reveals seven $3,348,114 transfers made on Friday from the identical account to seven completely different accounts. Much less charges, the deposit was round $22 million. Optum declined to remark when requested if it paid AlphV.
On Sunday, an nameless celebration seemingly confirmed the $22 million cost on a darkish net discussion board. The group stated it partnered with AlphV to exfiltrate 4TB of knowledge. It additional contends that AlphV drained the illicit account and ghosted the group. Subsequently, it held onto the data somewhat than deleting it.
#ALPHV scamming associates? $22M paid and withdrawn pic.twitter.com/0ocKoXNLme
– �*��-‘�-��-��–�-� �*��-‘�-��-‘�-��-��-“�-��-��-� (@ddd1ms) March 4, 2024
In accordance with the group, it has “crucial information” that Optum was nervous about leaking, prompting it to pay the ransom. Though it doesn’t exactly make clear what the 4TB cache comprises, the group says it belongs to greater than dozens healthcare suppliers and insurance coverage corporations, together with Medicare, CVS-Caremark, Loomis, and Metlife.
On Tuesday, AlphV’s darkish web site started displaying a seizure discover. The group appeared to have been stung by the FBI and different overseas companies. The FBI declined to touch upon the takedown, which isn’t uncommon, particularly if the operation entails a number of hacker teams. Nevertheless, the seizure message listed the UK’s Nationwide Crime Company, which stated it had nothing to do with a takedown of the group.
Later, researchers wanting into the alleged seizure discovered that the web page appeared to have been copied from a special AlphV web site seizure and pasted into its present. Impartial ransomware analysis agency Emisoft confirmed that what the nameless group had stated on Sunday was true.
A picture URL like that is what Firefox and the Tor Browser create whenever you use the “Save web page as” operate to avoid wasting a replica of a web site to disk. That is what the brand URL in the true takedown discover seems like. pic.twitter.com/aTHA49ItyO
– Fabian Wosar (@fwosar) March 5, 2024
“Since folks proceed to fall for the ALPHV/BlackCat cowl up: ALPHV/BlackCat didn’t get seized,” stated Emisoft Head Researcher Fabian Wosar. “They’re exit scamming their associates. It’s blatantly apparent whenever you examine the supply code of the brand new takedown discover.”
In accordance with Wosar, the web page’s supply code confirmed proof that somebody had copied the discover utilizing the File > Save web page command within the Tor browser. The copied supply originated from a special AlphV web site the FBI beforehand shut down. The counterfeiter then inserted the code into AlphV’s present darkish web site. Since Wosar’s discovery, the perpetrator has erased that proof, even additional indicating AlphV is faking its demise by the hands of the Feds.
There is a cloud of uncertainty hanging over what AlphV would possibly do subsequent. Hypothesis asserts that the group, now flush with money, would possibly lay low for some time. Nevertheless, it’ll possible simply reorganize and emerge on the darkish net beneath a special title – a standard apply with hacker teams feeling threatened by authorities. It is unknown what the jilted hacker staff will do with its 4TB of knowledge.