US healthcare giant Change Healthcare has allegedly paid $33.7 million ($US22 million) to BlackCat, a now-vanished hacker group behind a cyber attack which left the company struggling to restore its services.

The cyber attack – first detected by Change Healthcare on 21 February – is being described as one of the most disruptive in years, causing nationwide interruptions to prescription drug deliveries for US hospitals and pharmacies for almost two weeks.

While the company is still working to fully restore its systems, it has since confirmed the perpetrator of the attack is Alphv, a prominent ransom gang also known as Blackcat.

Furthermore, recent blockchain discoveries show BlackCat likely received a near $33.7 million payment in Bitcoin – suggesting Change Healthcare may have paid a ransom during the ongoing crisis.

The payment surfaced as part of a dispute on hacker forum Ramp, where on 3 March a user claiming to be an affiliate of BlackCat said they had been cheated out of their share of a purported ransom.

As reported by Wired, the user’s post linked to a publicly visible Bitcoin payment worth near $33.7m at the time of the transaction.

Notably, this transaction was made to a cryptocurrency address which security researchers have already linked to BlackCat.

BlackCat, like most prominent ransomware gangs, operates on a ransomware-as-a-service model where affiliates carry out attacks using its ransomware – often in exchange for a fee or majority percentage of any ransoms paid.

“But after receiving the payment, Alphv team decide to suspend our account and keep lying and delaying when we contacted Alphv admin,” the user wrote.

BlackCat’s purported affiliate claims they still have access to stolen data from Change Healthcare – meaning even if there was a ransom paid, a safe exchange of data hasn’t taken place.

Furthermore, they claim a range of Change Healthcare partners – including government health insurance provider Medicare – have had data stolen during the attack.

Change Healthcare has not confirmed whether or not the ransom has been paid, with a spokesperson telling Wired it was “focused on the investigation right now”.

“Our experts are working to address the matter and we are working closely with law enforcement and leading third-party consultants, such as Mandiant and Palo Alto Networks, on this attack against Change Healthcare’s systems,” reads a statement from Change Healthcare’s parent company UnitedHealth Group.

“We are actively working to understand the impact to members, patients and customers.”

Change Healthcare did not respond to Information Age’s request for comment.

BlackCat pulls vanishing act

On Tuesday, shortly after the $33.7m Bitcoin transaction came to light, a BlackCat administrator said the group was shutting down and selling off its ransomware source code.

“We have decided to completely close the project, we can officially say that the feds have nagged us,” they posted on Ramp.

“The source code will be sold, now we are already negotiating about it.

“Account can be deleted, I will not go to court again, we have no other accounts on other forums, it’s all fake.”

The sudden closure comes only months after the group was hacked by international law enforcement agencies – including the Australian Federal Police – and temporarily removed from the dark web.

After promptly returning in December 2023, the group retaliated by removing any restrictions on its affiliates targeting healthcare providers and hospitals.

Though the gang seems to have now admitted it is intentionally closing down, Blackcat’s dark web blog currently displays a hastily edited and likely fake seizure notice from the Federal Bureau of Investigation (FBI).

The FBI has widely declined to comment on BlackCat’s sudden closure, and a spokesperson for the UK’s National Crime Agency has told media “any recent disruption to Alphv infrastructure is not a result of NCA activity”.

Cyber security expert Fabian Wosar pointed out the takedown was almost certainly false, and suggested BlackCat is simply “exit scamming” its affiliates to avoid having to pay out any commissions owed.

“Since people continue to fall for the Alphv/BlackCat cover up: Alphv/BlackCat did not get seized,” said Wosar.

“This is a poor attempt by Alphv/BlackCat to hide their exit scam. Don't fall for it.”