{
	"id": "3ae584cf-d9a6-404e-bf22-4b11d439bbd8",
	"created_at": "2026-04-06T00:21:00.38624Z",
	"updated_at": "2026-04-10T03:29:39.883809Z",
	"deleted_at": null,
	"sha1_hash": "033d20a96f0b0a3584a382f400f72b3db32f0370",
	"title": "BlackCat ransomware turns off servers amid claim they stole $22 million ransom",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2946215,
	"plain_text": "BlackCat ransomware turns off servers amid claim they stole $22 million ransom\r\nBy Ionut Ilascu\r\nPublished: 2024-03-04 · Archived: 2026-04-05 19:37:07 UTC\r\nThe ALPHV/BlackCat ransomware gang has shut down its servers amid claims that they scammed the affiliate responsible for the attack on Optum, the operator of the Change Healthcare platform, of $22 million.\r\nWhile BlackCat's data leak blog has been down since Friday, BleepingComputer had confirmed that negotiation sites were still active over the weekend.\r\nToday, BleepingComputer confirmed the ransomware operation's negotiation sites are now shut down as well, indicating a further deliberate take down of the ransomware gang's infrastructure.\r\nhttps://www.bleepingcomputer.com/news/security/blackcat-ransomware-turns-off-servers-amid-claim-they-stole-22-million-ransom/\r\nPage 1 of 6\r\nA short status in Russian on the messaging platform the ransomware threat actor uses for communication reads that they decided to turn everything off.\r\nIt is unclear if this is an exit scam or an attempt to rebrand the operation under a different name.\r\nChange Healthcare is a payment exchange platform that connects doctors, pharmacies, healthcare providers, and patients in the U.S. healthcare system.\r\nOptum allegedly pays ransom\r\nEarlier today, the Tox messaging platform used by the BlackCat ransomware operator contained a message that does not provide any details about what the gang plans next: “Все выключено, решаем,” which translates to \"Everything is off, we decide.\"\r\nALPHV decides to turn off servers\r\nsource: BleepingComputer\r\nThis status message has now been changed to 'GG,' which may mean 'good game.' However, the context of this message is unclear.\r\nThis decision may be related to claims from someone describing themselves as a longtime ALPHV/BlackCat affiliate responsible for the attack on Optum, who said that ALPHV banned them from the operation and stole a $22 million ransom allegedly paid by Optum for the Change Healthcare attack.\r\nDmitry Smilyanets of threat intelligence company Recorded Future shared the message from the alleged ransomware affiliate, which claimed that Optum paid ALPHV/BlackCat a ransom on March 1st to delete the data stolen from the Change Healthcare platform and to receive a decryptor.\r\nAlleged ALPHV affiliate claims they got scammed of the alleged Optum ransom of $22 million\r\nsource: Dmitry Smilyanets\r\nRansomware-as-a-service (RaaS) operations typically work by partnering with external affiliates, who carry out attacks using the operation's encryptors.\r\nRansoms received from victims are shared between the RaaS administrators and the affiliate responsible for the breach and deploying the ransomware or stealing data.\r\nIn this case, it seems that the affiliate that stole data from Change Healthcare got scammed. They claim that after Optum paid a $22 million ransom, ALPHV suspended their partner’s account and took all the money from the wallet.\r\nUnder the username “notchy,” the alleged ALPHV affiliate says that they still have 4TB of Optum's “critical data,” describing it as “production data that will affect all Change Healthcare and Optum clients.”\r\nThey claim to have data from “tens of insurance companies” and other providers of a range of services from healthcare to cash management, and pharmacies.\r\nTo prove their claim, notchy shared a cryptocurrency payment address with a total of nine transactions: an initial incoming transfer of 350 bitcoins (a little over $23 million), and eight outgoing ones.\r\nThe address sending the bitcoin has only two transactions, one receiving 350 bitcoins and another sending them to the alleged ALPHV wallet.\r\nBleepingComputer contacted Optum's parent company UnitedHealth Group regarding the claims that they paid a ransom and was told, \"We are focused on the investigation\" and that no additional comments are available.\r\nWhile it is unclear what direction BlackCat is taking, this activity could point to the start of an exit scam, where the ransomware operation steals its affiliates' cryptocurrency and then shuts down.\r\nBlackCat is a rebrand of the DarkSide ransomware operation, which also shut down after claiming law enforcement transferred cryptocurrency from their wallets. After the recent law enforcement operation that disrupted BlackCat's servers, it would not be surprising to find that they make a similar claim if they shut down.\r\nFrom DarkSide to BlackMatter to ALPHV\r\nALPHV/BlackCat started in 2020 as DarkSide. A year later, the gang attacked the Colonial Pipeline, leading to panic and gas outages in the US.\r\nThe ransomware gang lost access to their infrastructure shortly after the attack, claiming their hosting provider blocked access to the servers.\r\nAt the time, the gang also said that the funds on their payment server mysteriously disappeared into an unknown account.\r\nThe ransomware operation re-emerged a few months later as BlackMatter, only to shut down four months later, in November 2021, due to “pressure from the authorities.”\r\nThe gang resumed operations once more in February 2022 under the ALPHV/BlackCat name and expanded its partnership to English-speaking affiliates.\r\nAt the end of last year, the FBI announced that it had breached the ransomware gang's servers, monitored their activity, and obtained private decryption keys that helped more than 400 victims recover their data for free.\r\nALPHV restored its infrastructure, though, and continued breaching companies and leaking data from victims that did not pay a ransom.\r\nHowever, a rebrand may be imminent.\r\nSource: https://www.bleepingcomputer.com/news/security/blackcat-ransomware-turns-off-servers-amid-claim-they-stole-22-million-ransom/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/blackcat-ransomware-turns-off-servers-amid-claim-they-stole-22-million-ransom/"
	],
	"report_names": [
		"blackcat-ransomware-turns-off-servers-amid-claim-they-stole-22-million-ransom"
	],
	"threat_actors": [
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434860,
	"ts_updated_at": 1775791779,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/033d20a96f0b0a3584a382f400f72b3db32f0370.pdf",
		"text": "https://archive.orkl.eu/033d20a96f0b0a3584a382f400f72b3db32f0370.txt",
		"img": "https://archive.orkl.eu/033d20a96f0b0a3584a382f400f72b3db32f0370.jpg"
	}
}