BlackCat ransomware shuts down in exit scam, blames the "feds"
The BlackCat ransomware gang is pulling an exit scam, trying to shut down and run off with affiliates' money by pretending the FBI seized their site and infrastructure.
"The ransomware gang started the exit-scam operation on Friday, when they took their Tor data leak blog offline. On Monday, they further shut down the negotiation servers, saying that they decided to turn everything off, amid complaints from an affiliate that the operators stole a $20 million Change Healthcare ransom from them."
Ransomware expert Fabian Wosar told BleepingComputer that the ransomware gang simply set up a Python SimpleHTTPServer to serve the fake banner.
Affiliates claiming they were not paid, the sudden shutdown of the infrastructure, the cutting of ties with multiple affiliates, the "GG" message on Tox, the announcement that they are selling the malware source code, and especially the pretense that the FBI took control of their websites are all a clear indication that the ALPHV/BlackCat ransomware administrators are exit scamming.
In a ransomware-as-a-service (RaaS) operation, core operators develop a ransomware encryptor and negotiation sites, then recruit affiliates who use those tools to conduct ransomware attacks and steal data.
Instead of learning from their mistakes, the ransomware operators returned in November 2021, this time under the name BlackCat or ALPHV. While the gang's official name is ALPHV, it was not known at the time, so researchers called it BlackCat based on the small icon of a black cat used on every victim's negotiation site.