The hacking group responsible for the cyber attack on UnitedHealth Group seems to have pulled a disappearing act after collecting the $22 million ransom by staging a fake FBI takedown.
The ransomware group, known as the Blackcat gang, otherwise known as ALPHV, left its cybercriminal associates in the lurch and replaced their old website with a fake statement from law enforcement.
Ransomware Group Fakes FBI Takedown
On Feb. 21, the U.S. insurer disclosed that the ransomware group had perpetrated a cyberattack on its technology unit Change Healthcare. This particular attack caused disruptions across the United States healthcare system.
A message was seen posted on ALPHV's website, noting that it had been impounded "as part of a coordinated law enforcement action" by US authorities and other law enforcement agencies. It also included the logos of non-American agencies that were supposedly involved, including those of Europol and Britain's National Crime Agency (NCA).
The Federal Bureau of Investigation (FBI) declined to comment regarding the situation and Europol did not return any messages. However, a spokesperson for the National Crime Agency said that they can confirm that any recent disruption to ALPHV infrastructure is not a result of NCA activity, as per Reuters.
Various security experts said that law enforcement denial and other clues made it look like the hackers had simply decided to shut down their operations. Researcher Will Thomas said that the situation appears to be a classic "exit scam." This is where hackers pretend to be knocked out of commission only to quietly pocket their partners' money and start over under a new name.
Thomas argued that ALPHV was already believed to have been a rebrand of a previous hacker group that was known as DarkSide. He added that it would not be surprising if the ransomware group returns once again in the future.
Read Also : Liberty University to Pay $14 Million After Report Found School Failed To Disclose Campus Crime
Scamming Its Associates
Even before the notice of the seizure, there were various signs that pointed to something unusual following the intrusion at the tech unit of UnitedHealth. ALPHV posted a message last week saying that it had stolen millions of sensitive records from the insurer, only to later delete the claim without offering any explanation.
The head of ransomware research at security firm Emsisoft, Fabian Wosar, said in a social media post that as people continue to fall for the ALPHV cover-up, the group did not get seized. He added that the group was scamming their affiliates, noting that it was blatantly obvious if you checked the source code of the new takedown notice, according to ArsTechnica.
Wosar also posted an image that showed the page source that was used to render the supposedly seized ALPHV homepage. It indicated that the image in the notice was copied using "File > Save page" as a command in the Tor browser.
A ransomware-focused researcher for cybersecurity firm Recorded Future, Allan Liska, said that due to being unable to arrest the core operators that are in Russia or in areas that are uncooperative with law enforcement, they are unable to stop the ransomware group.
Liska argued that instead, law enforcement often has had to settle for spending months or even years to arrange takedowns that target the infrastructure of ransomware groups or aid their victims, said Wired.