Change Healthcare reportedly paid Black Cat (ALPHV) a $22 million ransom in early March 2024 — and the ransomware group promptly exit-scammed its own affiliates, seized the full payment, posted a fake FBI seizure notice, and put its source code up for sale, leaving 4 terabytes of stolen patient and insurance data still in criminal hands.
Stories Covered
Black Cat Exit-Scams Its Own Affiliates After $22M Change Healthcare Ransom Payment
Change Healthcare, a technology subsidiary of UnitedHealth Group that processes prescription drug transactions for hospitals and pharmacies nationwide, was hit by Black Cat (ALPHV) ransomware on February 23, 2024. The attack took down the systems that pharmacies use to verify insurance eligibility and process claims, meaning patients at the pharmacy counter either could not fill prescriptions or were forced to pay full out-of-pocket costs for medications their insurance would normally cover. The disruption cascaded through the healthcare supply chain for weeks. On or around March 1st, a Bitcoin address security researchers had already mapped to Black Cat received a single transaction of approximately $22 million — consistent with a ransom payment. On March 3rd, a Black Cat affiliate posted on the Russian-language ransomware forum RAMP claiming to be the individual who had provided Black Cat with initial access to Change Healthcare’s network. The affiliate’s complaint: Black Cat had received the $22 million, frozen the affiliate’s account, and refused to pay out the commission that was owed.
Black Cat operates as a ransomware-as-a-service collective. Affiliates — independent operators who find and breach targets — earn commissions ranging from 60 to 90 percent of any ransom paid. The core Black Cat administrators provide the ransomware infrastructure, encryption tooling, negotiation support, and leak site; affiliates bring the intrusions. In this case, the affiliate claimed they were owed a multi-million-dollar cut of the $22M payment and received nothing. The affiliate warned on RAMP that they still possessed four terabytes of data stolen from Change Healthcare’s network, including records tied to Medicare, CVS Caremark, HealthNet, and MetLife. They explicitly threatened to leak the data independently if Black Cat didn’t pay and warned other ransomware operators to stop working with ALPHV. The stolen data pool covering major insurance networks and pharmacy partners represents substantial personal health information, insurance records, and financial data at scale.
Following the affiliate complaint, Black Cat’s leak site went dark and the group posted what appeared to be an FBI seizure banner — the same type of notice that appeared when law enforcement seized Black Cat’s infrastructure in December 2023. Security researchers, including Fabian Wosar of Emsisoft, quickly identified the notice as a copy-paste job from the earlier real seizure, not an authentic law enforcement action. The FBI did not confirm any new action against Black Cat. Simultaneously, Black Cat announced it was selling its ransomware source code for $5 million. Wosar stated publicly that Black Cat was exit-scamming its affiliates — a deliberate final move to extract maximum cash before shutting down the brand. By withholding commissions from multiple affiliates at once and disappearing with the accumulated ransoms, the Black Cat administrators essentially robbed the people they had relied on to run their criminal enterprise. The December 2023 FBI operation had already compromised Black Cat’s infrastructure; the group rebuilt and continued operating, but its position as the dominant ransomware actor after LockBit 3.0’s takedown apparently made it a priority target, and the administrators appear to have decided to cash out before law enforcement closed in again.
Several dynamics worth noting. Paying the ransom did not end Change Healthcare’s exposure — it funded the criminal enterprise while leaving the stolen data in the hands of a disgruntled affiliate who was never paid and had every incentive to leak or re-extort. This outcome recurs: ransomware payment does not guarantee data deletion, because the operators and affiliates are not bound by the same agreement and have competing financial interests. The affiliate structure that makes ransomware-as-a-service scalable also makes it unstable — when the administrators steal the ransom from the people who executed the attack, those affiliates still have the data and the access logs and no reason for loyalty. The takeaway for organizations is that payment creates a second exposure problem rather than ending the first one. Separately, analysts noted a possible additional explanation: that Russian government pressure may have directed Black Cat’s administrators to pivot capabilities toward Ukraine-related operations and wind down the commercial ransomware operation, though the source code sale and affiliate exit scam pattern is more consistent with a financial grab than a state-directed shutdown.





