Exit Scam: BlackCat Ransomware Gang Vanishes After Collecting $22 Million

Posted by admin on 7 March 2024, 15:15:02

The threat actors behind the BlackCat ransomware have shut down their darknet website and likely pulled an exit scam after uploading a bogus law enforcement seizure banner.

"ALPHV/BlackCat did not get seized. They are exit scamming their affiliates," security researcher Fabian Wosar said. "It is blatantly obvious when you check the source code of the new takedown notice."

"There is absolutely zero reason why law enforcement would just put a saved version of the takedown notice up during a seizure instead of the original takedown notice."

The U.K.'s National Crime Agency (NCA) told Reuters that it had no connection to any disruptions to the BlackCat infrastructure.

Recorded Future security researcher Dmitry Smilyanets posted screenshots on the social media platform X in which the BlackCat actors claimed that the "feds screwed us over" and that they intended to sell the ransomware's source code for $5 million.

The disappearing act comes after the group allegedly received a $22 million ransom payment from UnitedHealth's Change Healthcare unit (Optum) and refused to share the proceeds with the affiliate that had carried out the attack.

The company has not commented on the alleged ransom payment, instead stating it's only focused on investigation and recovery aspects of the incident.

According to DataBreaches, the disgruntled affiliate – which had its account suspended by the administrative staff – made the allegations on the RAMP cybercrime forum. "They emptied the wallet and took all the money," they said.

This has raised speculation that BlackCat has staged an exit scam to evade scrutiny and resurface in the future under a new brand. "A re-branding is pending," a now-former admin of the ransomware group was quoted as saying.

BlackCat had its infrastructure seized by law enforcement in December 2023, but the e-crime gang managed to wrest control of their servers and restart its operations without any major consequences. The group previously operated under the monikers DarkSide and BlackMatter.

"Internally, BlackCat may be worried about moles within their group, and closing up shop preemptively could stop a takedown before it occurs," Malachi Walker, a security advisor with DomainTools, said.

"On the other hand, this exit scam might simply be an opportunity for BlackCat to take the cash and run. Since crypto is once again at an all-time high, the gang can get away with selling their product 'high.' In the cybercrime world, reputation is everything, and BlackCat seems to be burning bridges with its affiliates with these actions."

The group's apparent demise and the abandonment of its infrastructure come as malware research group VX-Underground reported that the LockBit ransomware operation no longer supports Lockbit Red (aka Lockbit 2.0) and StealBit, a custom tool used by the threat actor for data exfiltration.

LockBit has also tried to save face by moving some of its activities to a new dark web portal after a coordinated law enforcement operation, following a months-long investigation, took down its infrastructure last month.

It also comes as Trend Micro revealed that the ransomware family known as RA World (formerly RA Group) has successfully infiltrated healthcare, finance, and insurance companies in the U.S., Germany, India, Taiwan, and other countries since emerging in April 2023.

Attacks mounted by the group "involve multi-stage components designed to ensure maximum impact and success in the group's operations," the cybersecurity firm noted.

Originally published on the WeChat official account (知机安全): Exit Scam: BlackCat Ransomware Gang Vanishes After Collecting $22 Million
