{
	"id": "ae707c57-5364-4d45-ad9a-fe5985427ebe",
	"created_at": "2026-04-06T00:17:19.729383Z",
	"updated_at": "2026-04-10T13:12:31.352349Z",
	"deleted_at": null,
	"sha1_hash": "2d73352cced14191f1eb8cd49844d96bf3451f17",
	"title": "Swindled Blackcat affiliate wants money from Change Healthcare ransom",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1229169,
	"plain_text": "Swindled Blackcat affiliate wants money from Change Healthcare ransom\r\nBy Menlo Labs\r\nPublished: 2024-03-06 · Archived: 2026-04-05 20:16:24 UTC\r\nThe U.S. healthcare giant Change Healthcare has reportedly made a $22 million ransom payment to the notorious BlackCat ransomware group (ALPHV). The payment comes as the company works to restore services following a cyberattack that has caused widespread disruptions to prescription drug services across the nation for several weeks.\r\nSince then, the BlackCat (ALPHV) ransomware gang has shut down its servers, reportedly after allegedly scamming an affiliate involved in the Optum attack out of $22 million. The Tox messaging platform used by the BlackCat ransomware operator now displays a message in Russian, “Все выключено, решаем,” meaning \"Everything is off, we decide.\"\r\nThis move may be connected to claims made by an individual identifying themselves as a long-time ALPHV/BlackCat affiliate involved in the Optum attack. They allege that ALPHV suspended their affiliate account and fled with a $22 million ransom, supposedly paid by Optum for the Change Healthcare attack.\r\nWhat we know\r\nTimeline\r\nhttps://www.menlosecurity.com/blog/swindled-blackcat-affiliate-wants-money-from-change-healthcare-ransom\r\nPage 1 of 9\n\nCompromised American healthcare data\r\nReports from the Menlo Labs Threat Intelligence team suggest the attack on Change Healthcare's operations could affect the healthcare data of nearly every American. This is concerning given the vast amount of data involved: around 4TB of US citizens' data is reportedly held by a swindled ex-affiliate of ALPHV/BlackCat. 
The compromised information encompasses a wide array of personal and medical details, notably including data from critical national healthcare programs such as Medicare and TRICARE.\r\nThe leakage of such sensitive data not only poses a direct threat to the privacy and security of millions of beneficiaries, but also has broader implications for national security. Given the extensive and detailed nature of the information potentially accessed, this incident underscores the importance of strengthening cybersecurity measures around critical healthcare infrastructure and data systems.\r\nWhile it is reasonable to assume Change Healthcare has significant influence across the American healthcare landscape, claims of its total control over all Americans' healthcare data should be approached cautiously in the absence of solid evidence. Additionally, as of February 28th, 2024, Change Healthcare was still listed on the site.\r\nThe situation surrounding Change Healthcare has shifted significantly with the emerging BlackCat ransomware group scandal and suggestions of involvement by Chinese state-sponsored entities. However, these allegations of Chinese state-sponsored associations lack validation, and we are closely monitoring developments. While it is plausible that the purported BlackCat affiliate is associated with a Chinese nation-state operation, a definitive conclusion requires substantial evidence from credible sources.\r\nAnalyst comment: some of our HUMINT sources with direct contact to Notchy say it’s high probability that Notchy is associated with China Nation-State groups.\r\nMany analysts in the community have commented on the unfolding story, suggesting, 'This appears to be a classic exit scam'. 
In such a scam, perpetrators feign an operational shutdown, covertly misappropriate their collaborators' funds, and potentially re-emerge under a different guise. Our analysis aligns with this perspective, leading us to consider an exit scam a highly probable explanation. Below, we present the evidence that underpins our conclusion, alongside potential implications for stakeholders and the broader cybersecurity ecosystem.\r\nNotchy emerges on dark web forums\r\nAnalyst Comment: Please be advised that the following analysis was conducted in a secure environment, employing industry-standard methodologies for data collection. Information had to be redacted and/or removed due to its sensitivity. We may be able to provide more information in a TLP Red environment.\r\nIn light of numerous researchers referencing the above photo, we conducted a thorough analysis of discussions on Ramp—a dark web forum known for its entry barrier, either a $500 USD fee or admin approval—to glean insights into this thread. Below, we outline key takeaways from the forum discussions, emphasizing the parts that shed light on the evolving situation.\r\nOn March 03, 2024, at 03:43 PM UTC, a forum user identified as 'notchy' initiated a thread claiming to be the affiliate responsible for the ransomware attack on Change Healthcare. According to Notchy, despite the company's alleged payment of the ransom, they have not received their promised compensation.\r\nAnalyst Comment: Ramp enforces a rule where individuals accused of fraud are given a chance to present their defense. 
This was exemplified in an administrative post tagging the user '@BlackCat46':\r\n“You have the opportunity to respond before I make a decision, provide your logs and your point of view on the problem. The defendant has not appeared on the forum since August 22 last year, if anyone has the opportunity, notify him through the contacts you know about this claim.”\r\nSubsequent observations in the thread, as of March 05, 2024, at 12:56 AM UTC, revealed activity possibly indicating the group's presence under an alternate name, \"@ransom.\" This post, originally in Russian, is translated below:\r\n“There is no point in making excuses, but we knew about the problem, tried to solve it, the advertiser was told to wait, we could now send our personal correspondence among ourselves, where we are shocked by what is happening and try to outbid transactions with a larger commission, but this makes no sense because we decided to completely close the project, we can officially declare that the feds screwed us over. The source code will be sold, negotiations are already underway on this matter. Thank you all for being with us. You can delete your account, I won’t go to court again, we don’t have other accounts on other forums, it’s all fake.”\r\nNotchy responded on March 05, 2024 at 03:32 AM UTC: \"@ransom stop blaming the feds. No one is idiot here to believe what you have said. return what you have stole and be a man with dignity\"\r\nAdditionally, we found Notchy engaging in topics focused on ransomware as early as 2021, when he was looking to buy ransomware. 
On February 03, 2021 at 03:14 AM UTC he posted: \"Looking for ransomware to buy or % basis\r\nI have multiple networks under my control (full domain + full access across managed switches \u0026 vlans) + multiple production servers hosting enterprise applications\"\r\nFrom the intelligence collected on Ramp we were able to obtain a Telegram username, and saw some messages from April of 2023 in which Notchy was seeking out Cobalt Strike.\r\nFurther investigation reveals that the user Notchy is active not only on the Ramp forum but also on the Exploit forum, as evidenced by a screenshot provided.\r\nAnother interesting account with the username Notchy is an XSS Forum account. This account is of interest because it commented on a post selling malware. The comment was made on October 10th, stating “trusted seller and genuine products A+++”.\r\nThe malware purchased by Notchy reportedly includes SmartScreen Killer and the latest version of Cobalt Strike. We have also identified a potential hash associated with this malware purchase. Without more details on the Change Healthcare attack, we are unable to determine whether this malware was used against them.\r\nNonetheless, this connection raises pertinent questions about the potential involvement of \"notchy\" in cyber activities beyond just the Ramp and Exploit forums.\r\nMoving over to X (Twitter), we saw users talking about the exit scam that ALPHV/BlackCat are supposedly conducting. According to Fabian Wosar, “Since people continue to fall for the ALPHV/BlackCat cover up: ALPHV/BlackCat did not get seized. They are exit scamming their affiliates. It is blatantly obvious when you check the source code of the new takedown notice. 
You will see code like this”. The following picture was posted with the tweet.\r\nAnother X user shared this image purportedly showing BlackCat selling their source code. This information mirrors the initial discussions observed on the Ramp forum. This connection brings our investigation nearly full circle, but also highlights the group's haste to exit the scene by disseminating and monetizing their tools, possibly for the last time.\r\nWith the drama unfolding against the backdrop of Ramp's enigmatic forum discussions and the sagacious insights of observers, our story reaches a pause as we wait to see what will come in the near future. It's a powerful reminder that in the cyber world, where every shadow might hide a story and every byte could reveal a secret, uncertainty reigns supreme.\r\nNext steps\r\nThe healthcare industry is urging the government to intervene and provide financial support to hospitals, particularly rural ones, to prevent them from running out of funds. Payment systems for hospitals and various health-related organizations have been severely impacted by the attack on Change, causing significant delays. Some hospitals are now at risk of running out of cash while awaiting a solution to the issue. Change Healthcare’s top priority will be to get its systems back online while preserving the data required for a thorough investigation; the timeline will depend on many variables.\r\nWhat Notchy will do and where the story goes is something we all will be watching. 
Notchy posted on March 4th, 2024 at 09:13 UTC a request for others to join in a joint operation, and later had the post removed on Ramp.\r\nThere is a risk that the ex-affiliate of ALPHV/BlackCat, who had his portion of the ransom money taken, may attempt to sell the stolen data privately on the dark web to recoup what he lost. There is also the possibility that BlackCat's internal data and intelligence will be leaked as a form of retaliation, coupled with the threat of double extortion. In such a scenario, they could still opt to release the data for free eventually.\r\nMitigating the fallout of the compromised information should be a top priority, as this is rumored to affect the majority of not only civilians but also federal and military personnel.\r\nSource: https://www.menlosecurity.com/blog/swindled-blackcat-affiliate-wants-money-from-change-healthcare-ransom",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.menlosecurity.com/blog/swindled-blackcat-affiliate-wants-money-from-change-healthcare-ransom"
	],
	"report_names": [
		"swindled-blackcat-affiliate-wants-money-from-change-healthcare-ransom"
	],
	"threat_actors": [
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434639,
	"ts_updated_at": 1775826751,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2d73352cced14191f1eb8cd49844d96bf3451f17.pdf",
		"text": "https://archive.orkl.eu/2d73352cced14191f1eb8cd49844d96bf3451f17.txt",
		"img": "https://archive.orkl.eu/2d73352cced14191f1eb8cd49844d96bf3451f17.jpg"
	}
}