The history of ransomware is a short one. In fact, the first ever documented ransomware event was back in 1989. That particular virus was deployed to systems via a floppy disk, and it requested that the victim mail $189 in cash to a P.O. box in Panama in order to get a code to restore their files. Obviously this was before cryptocurrency and PayPal, so payment was a lot less streamlined, and this particular strain of ransomware from the late 80s wasn't actually that effective. Your local IT guy could have figured out how to restore your files faster than your envelope of cash would have arrived at that Panamanian P.O. box, and he probably would have done it for a lot less than $189 in late 80s money. But ransomware attacks have gotten so much more sophisticated over the years. We've seen the rise of the double extortion method, where the hackers don't just encrypt your data for a fee; they also threaten to sell or publish the data they stole from you online for the world to see. The perpetrators of these hacks have also started reaching out to the media to put more pressure on the victims, who at this point are usually multi-billion dollar companies, to pay that ransom. And now ransomware is even being offered as a hacker-for-hire service on the dark web. One of the most notorious ransomware gangs to offer this ransomware as a service goes by the name of ALPHV, or BlackCat. ALPHV is a much more organized gang than the script kiddie groups that we usually hear about. They actually write their own ransomware, and they're the first known professional cybercrime group to use a strain of ransomware written in Rust. ALPHV has compromised over a thousand networks since they started, and their victims range across all industries.
Now other similar ransomware-as-a-service groups have this code of ethics, if you can call it that, where they refuse to cause disruptions to critical infrastructure that people need to live. Usually this is things like power plants and hospitals, stuff like that. And ALPHV also followed this code of ethics for some time, until the FBI seized their ransomware site back in late 2023. Visiting their site on the dark web would give you the typical "this website has been seized" banner, with the badges and seals of various law enforcement agencies in the body of the page. But domain resolution on Tor doesn't quite work the same way that it does on the clear web. You see, on Tor there isn't any GoDaddy or other similar organization that can comply with a law enforcement request to seize a domain name. If you control the private key for the onion service, then you essentially control the onion service. So when law enforcement seizes a site on Tor, like when they seize an onion service, what that really means is that they got the private key for the onion service and they can make the onion domain point to whatever server and whatever content they want. In this case it's just the static page saying that this website has been seized. But ALPHV also still seemed to have control of this site's private key. And so a tug of war, or better yet a tug of Tor, ensued, with law enforcement and the hackers both spamming new submissions to Tor's distributed hash table to update this onion service. And at some point ALPHV actually managed to update the site to this page that you're seeing now, saying that the website was unseized. They posted a link to a new onion site that presumably had fresh private keys that only ALPHV controlled.
And they also posted this message in Russian, basically saying that the gloves were coming off and that hospitals, nuclear power plants and similar institutions could now be targeted by ALPHV, as long as they are located outside of the former Soviet Union. They want to make sure that their, I guess, comrades' info doesn't get published onto the dark web. Now recently ALPHV followed through with this threat to hack critical infrastructure by attacking UnitedHealth and Change Healthcare, which is owned by UnitedHealth Group. ALPHV also claimed that this hack gave them access to sensitive data belonging to more well-known healthcare partners and services like Medicare, MetLife and CVS Caremark. The hackers' main target here was UnitedHealth Group's IT platform, which apparently connects hospitals and pharmacies with insurance providers. This network recently has been largely non-operational, and so it's resulted in delays with people getting their prescriptions, people getting discharged from the hospital; anything that would require these different institutions, the insurance companies and hospitals, to communicate with one another is being delayed and just taking forever. And this hack was apparently so disruptive that someone actually paid 22 million dollars in Bitcoin to the ALPHV hackers' wallet on March 1st. That actually makes this one of the largest ransomware payments ever received. And a couple of days later ALPHV actually started emptying out their Bitcoin wallet, which has received a total of 1469 Bitcoin over the years. So if I had to guess, ALPHV is probably trying to cash out their Bitcoin right now because, you know, it's got a really high price, or they might just be trying to use it to purchase stuff from sites that accept Bitcoin directly, like based.win. Maybe ALPHV's bosses decided to get a little daemon pullover hoodie for the whole crew so that they can keep warm on those long, cold hacker man nights.
Now here's where stuff gets really suspicious. On March 3rd somebody posted a topic on a darknet Russian cybercrime forum titled "ALPHV BlackCat scam 20 million". OP goes on to say that they are an affiliate who worked with ALPHV for a long time. They mention the 22 million dollar ransom that was paid, claiming that it came from the victim, Change Healthcare, and that it was to prevent leaks and to get the decryption key so they could get access back to their data. But then OP goes on to say that ALPHV suspended their account, meaning the account that they used to interact with ALPHV's ransomware as a service. And OP also provided screenshots from his conversation with one of ALPHV's admins on Tox chat, starting on March 1st, where OP wanted to access some money from an account that ALPHV controlled. I guess it's something like a finder's fee that OP was supposed to get, in the amount of 20 grand from the UnitedHealth hack; not completely sure about that, but anyway, the point is OP was supposed to get some money from these guys, allegedly. And the ALPHV admin says that OP's account was locked due to too many login attempts and that they need a chief administrator in order to unlock it. The admin goes on to say that OP's funds are safe and that he can look at the blockchain and see where the money is. And then on March 3rd the original admin said that the chief admin might be available sometime later that day, but he's delaying for some reason, and then about 12 hours later the Bitcoin wallet started getting drained, like you see here. Now if we take a look at ALPHV's current site, it also says that this website has been seized, just like the original site that they were playing tug of war over against the feds some months ago. Everything about these two sites looks the same until you go and inspect the HTML.
Now you don't need to be a web dev or a coder or whatever to understand what's going on here, okay? Basically this web page, just like, well, most web pages out there, is just text, okay? It's links to a tip line if you want to snitch on your neighborhood hacker man for a reward of up to 10 million dollars. And then if we take a look at the HTML again, logo.png is just an image; in fact it's actually an image of all of these different law enforcement insignias in just one PNG image, instead of each and every one being a separate image. But now if we go to ALPHV's new site and we inspect the HTML, you can see that the image source is just a little bit different, okay? It's in this crazy looking subfolder with the %20, and that's just URL encoding for spaces. But anyway, let me show you what I'm talking about, right? So open this in a new tab, it'll make it a bit more obvious: it's in this subfolder here, "This website has been seized_files". Might take a minute to load this, you know, it's got to go through onions and whatnot. So you see, this is like the folder view of that web page here, and this is not the way that law enforcement put up their seizure warnings, right? Feel free to comment below if you have seen them actually do it this way, but I personally have not seen it done this way, and it just makes sense, common sense if you know about web development, that if the feds are going to take over a site then they might as well just nuke the webroot, right? They're going to have their insignias and their warnings about everything in the webroot, right? They're not going to create a separate subfolder for this stuff and potentially leave everything that was on this website intact in the root folder. I mean, I'm just assuming that that's what's going on here; I can't know for sure, but yeah, it's just a really suspicious way of them doing this, especially when they already seized one of this group's sites and they already used the same image, all of the text and all of the links are the same. So it seems very odd that the feds would keep everything the same except for the subfolder that they put their law enforcement insignias in.

ALPHV is also offering to sell their ransomware tools on some dark web hacker forums, but that doesn't necessarily indicate an exit scam. They're probably just worried that security researchers have copies of their old malware in their labs and are analyzing them, and so it might be less effective in the future as IOCs and other signatures related to that specific malware strain get added to the signature databases of various security appliances. Obviously a professional group like ALPHV is going to want to use new, undetectable malware whenever possible, and so maybe they just want to make some extra change on the side by selling old ransomware to script kiddies who stole their mom's credit card. But time is going to tell us what really happened here. I'm sure the DOJ, FBI and other alphabet agencies are going to come out bragging about how they took down ALPHV for good, if that's really what happened here. But getting a big payout and then just, poof, disappearing from the face of the earth is pretty par for the course, both in old school bank robberies and amongst dark web vendors, so it doesn't seem that far-fetched that one of the most skilled fraud gangs on the dark web would do the same thing. I guess we'll find out in the near future.

If you enjoyed this video, please like and share it to hack the algorithm, and support my work by shopping on based.win, my online store, where you can get awesome merch and save 10 off your entire order at checkout by paying in Monero (XMR). We also accept Bitcoin, Litecoin and Ethereum. If any of your bags are up in this bull run, you can use them for shopping on based.win as well. Have a great rest of your day.