The temptation to “take the money and run” was apparently too much for the leadership of the AlphV ransomware crime ring. You may have heard of this group as being behind the breach of Change Healthcare, and causing payment problems for nearly the entire US Healthcare system. And that hack seems to be key to what’s happened this week.
It’s known that a $22 million payment made it through the bitcoin maze to the AlphV wallet on the 1st. It’s believed that this is a payment from Change Healthcare to recover ransomed files. An important detail here is that AlphV is a ransomware-as-a-service provider, and the actual hacking is done by “affiliates”, who use that service, and AlphV handles the infrastructure, maintaining the actual malware, and serving as a payment processor. That last one is key here.
A couple days after that big payment landed in the AlphV account, a seizure notice went up on the AlphV TOR site, claiming that it had been taken down by the FBI and associated agencies. There was something a bit odd about it, though. See, the FBI did seize the AlphV Tor site back in December. The seizure notice this time was an exact copy, as if someone had just done a “save page as”, and posted the copy.
There is precedent for a ransomware group to close up shop and disappear after hitting a big score. The disruption AlphV enabled in the US health care system painted a big target on them, and it didn’t take a tactical genius to realize it might be good to lay low for a while. Pocketing the entire $22 million ransom probably didn’t hurt either. The particularly nasty part is that the affiliate that actually pulled off the attack still claims to have four terabytes of sensitive data, and no incentive to not release it online. It’s not even entirely clear that Change Healthcare actually received a decryption key for their data. You do not want to deal with these people.
Continue reading “This Week In Security: Blame The Feds, Emergency Patches, And The DMA”