Recap: A few weeks ago, a Russian hacker group completely crippled a large portion of the US healthcare sector. The group executed a ransomware attack on a nationwide healthcare management system run by Optum that handles patient accounts, including payment processing, prescription orders, and insurance claims. In addition to encrypting the system, AlphV claimed to have exfiltrated an unknown amount of data.
Last week, Optum allegedly paid AlphV (also known as BlackCat) to remove the ransomware and delete the stolen data. Although the company was tight-lipped about the incident, the blockchain ledger shows seven $3,348,114 transfers made on Friday from the same account to seven different accounts. Less fees, the deposit was around $22 million. Optum declined to comment when asked if it paid AlphV.
On Sunday, an anonymous party seemingly confirmed the $22 million payment on a dark web forum. The group said it partnered with AlphV to exfiltrate 4TB of data. It further contends that AlphV drained the illicit account and ghosted the group. Therefore, it held onto the data rather than deleting it.
#ALPHV scamming affiliates? $22M paid and withdrawn pic.twitter.com/0ocKoXNLme
– (@ddd1ms) March 4, 2024
According to the group, it has "critical data" that Optum was worried about leaking, prompting it to pay the ransom. Although it doesn't precisely clarify what the 4TB cache contains, the group says it belongs to dozens of healthcare providers and insurance companies, including Medicare, CVS-Caremark, Loomis, and MetLife.
On Tuesday, AlphV's dark website began displaying a seizure notice. The group appeared to have been stung by the FBI and other international agencies. The FBI declined to comment on the takedown, which isn't unusual, especially if the operation involves multiple hacker groups. However, the seizure message listed the UK's National Crime Agency, which said it had nothing to do with a takedown of the group.
Later, researchers looking into the alleged seizure found that the page appeared to have been copied from a different AlphV website seizure and pasted into its current one. Independent ransomware research firm Emsisoft confirmed that what the anonymous group had said on Sunday was true.
An image URL like this is what Firefox and the Tor Browser create when you use the "Save page as" function to save a copy of a website to disk. This is what the logo URL in the real takedown notice looks like. pic.twitter.com/aTHA49ItyO
– Fabian Wosar (@fwosar) March 5, 2024
"Since people continue to fall for the ALPHV/BlackCat cover up: ALPHV/BlackCat didn't get seized," said Emsisoft Head Researcher Fabian Wosar. "They're exit scamming their affiliates. It's blatantly obvious when you check the source code of the new takedown notice."
According to Wosar, the page's source code showed evidence that someone had copied the notice using the File > Save page command in the Tor browser. The copied source originated from a different AlphV site the FBI previously shut down. The counterfeiter then inserted the code into AlphV's current dark website. Since Wosar's discovery, the perpetrator has erased that evidence, further indicating AlphV is faking its demise at the hands of the Feds.
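As an added illustration (not from the article, Wosar or Emsisoft), the check below looks for the fingerprint Wosar describes: Firefox, and the Firefox-based Tor Browser, save a "Web page, complete" copy with every embedded resource rewritten into a local `<page>_files/` folder, so a supposedly live notice whose logo or scripts point into such a folder was saved and re-pasted. The two HTML notices are constructed samples.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Firefox/Tor Browser "Save page as... Web page, complete" rewrites resource URLs
# to "<page>_files/<resource>". A live server does not reference its own assets
# that way, so the pattern marks a saved copy pasted back onto a site.
SAVED_DIR = re.compile(r"(^|/)[^/]+_files/", re.IGNORECASE)


class ResourceCollector(HTMLParser):
    """Collect the src/href values of resource-bearing tags."""

    RESOURCE_ATTRS = {"img": "src", "script": "src", "link": "href", "source": "src"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        want = self.RESOURCE_ATTRS.get(tag)
        if want is None:
            return
        for name, value in attrs:
            if name == want and value:
                self.urls.append(value)


def saved_page_artifacts(html: str) -> list[str]:
    """Return resource URLs whose path contains a '<name>_files/' segment."""
    parser = ResourceCollector()
    parser.feed(html)
    return [u for u in parser.urls if SAVED_DIR.search(urlparse(u).path or u)]


# Constructed samples: the first references its seal as a live server would; the
# second points into a "..._files/" folder, as a re-pasted "Save page as" copy does.
LIVE_NOTICE = ('<html><body><img src="/static/seal.png">'
               '<link rel="stylesheet" href="/css/site.css"></body></html>')
PASTED_NOTICE = ('<html><body><img src="Seizure%20Notice_files/seal.png">'
                 '<script src="Seizure%20Notice_files/main.js"></script></body></html>')

if __name__ == "__main__":
    for label, doc in (("live", LIVE_NOTICE), ("pasted", PASTED_NOTICE)):
        print(label, saved_page_artifacts(doc))
```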
There is a cloud of uncertainty hanging over what AlphV might do next. Speculation suggests that the group, now flush with cash, might lie low for a while. However, it will likely just reorganize and emerge on the dark web under a different name, a common practice with hacker groups feeling threatened by authorities. It is unknown what the jilted hacker crew will do with its 4TB of data.