A Major Ransomware Takedown Suffers a Strange Setback

The United States Department of Justice said Tuesday that it worked with an international group of law enforcement agencies to conduct a takedown of infrastructure related to the notorious ransomware gang Alphv, also known as BlackCat.

In recent days researchers began noticing that the group's dark-web communication and leak site was having outages, but the attackers claimed that they had simply been dealing with hardware malfunctions. Then, Tuesday morning, a message splashed across the site read, “The Federal Bureau of Investigation seized this site as part of a coordinated law enforcement action taken against Alphv Blackcat Ransomware.”

In a twist Tuesday afternoon, the gang's dark-web site roared back to life with an image of a cartoon black cat in silhouette and a banner proclaiming, “THIS WEBSITE HAS BEEN UNSEIZED.” The message remained for roughly two hours before law enforcement seemed to get control of the situation and the takedown message returned.

Alphv has become increasingly audacious in recent months. The gang memorably filed a US Securities and Exchange Commission complaint in November, for example, alleging that the digital lender MeridianLink hadn't made the proper disclosures about a data breach that Alphv itself takes credit for perpetrating.

In retaliation against the law enforcement action, Alphv said on its briefly reanimated site that it was removing its targeting rules for criminal customers who want to use the group's ransomware to attack critical infrastructure.

The group and its affiliates have already been very aggressive in their operations. The Justice Department said that the gang has targeted more than 1,000 victims around the world—including some in US critical infrastructure—and that over the past 18 months Alphv has been “the second most prolific ransomware-as-a-service variant in the world,” raking in hundreds of millions of dollars from victims. Alphv's rampage has been extremely visible, causing disruptions to popular companies including MGM Resorts, and extorting massive payments from victims, like roughly $15 million from Caesars Entertainment. The targeting has also extended to health care and emergency services, defense companies, schools, manufacturing, and government entities.


While Tuesday morning's law enforcement action was meant to deal a critical blow to the gang, it did not come with sanctions or indictments, and ultimately seemed to simply cap more than a year of pervasive and deeply consequential attacks. The fact that the gang briefly seemed to “unseize” the site on Tuesday afternoon only added to a sense of complexity about dealing with such cybercriminal actors, especially those who, like those behind Alphv, appear to be based in the relative safe haven of Russia.

“Law enforcement is moving a lot faster, but it is still not fast enough,” says Allan Liska, an analyst for the security firm Recorded Future who specializes in ransomware. “It takes a while to build a case, and in the meantime these groups wreak havoc.”

Part of the reason for law enforcement's delay in attempting to take down Alphv's infrastructure may have been an ongoing investigation into the actors behind the group. Alphv/BlackCat seems to have evolved from a gang known as BlackMatter, which, in turn, seemed to emerge as a recombination of the notorious Darkside ransomware group that targeted Colonial Pipeline in the US.

“This isn't their first shit show. Unfortunately, it probably won't be their last either,” says Brett Callow, a threat analyst at antivirus company Emsisoft. “But Alphv's partners in crime will be wondering, what information law enforcement was able to collect? And who does it implicate?”

The takedown effort involved collaboration and parallel investigations from multiple law enforcement agencies, including those in the United Kingdom, Australia, Germany, Spain, and Denmark. The US Justice Department said Tuesday that a decryptor tool for the Alphv ransomware that was developed by the FBI has already helped more than 500 victims recover from attacks and avoid paying roughly $68 million in ransoms.

As ransomware groups rely more on a hybrid model, in which much of their leverage for extortion comes from the threat that they will leak data stolen from victims, decryptors are only one of many tools needed to help victims avoid paying ransoms. But Alphv's attempt on Tuesday afternoon to let its customers use its ransomware for attacks on vital services like hospitals and nuclear plants made the existence of the decryptor more significant, given how dangerous and disruptive that activity might be.

“The statement about targeting critical infrastructure is pretty concerning. This will be an ongoing battle, for sure. Law enforcement will have to aggressively roll out the decryption keys and tools for victims,” says Alex Leslie, a threat intelligence analyst at Recorded Future. “And data extortion is still on the table. Generally speaking, data extortion wouldn’t be as disruptive in terms of a national security crisis in the short term, but who knows.”

A search warrant released by the FBI says that law enforcement got login credentials for the ransomware gang's platforms from a “confidential human source” with access to the group. Though it was not immediately clear how Alphv had “unseized” its site following the law enforcement action, researchers began to coalesce around some theories on Tuesday afternoon. Since both the cybercriminals and law enforcement had access to the login keys, it's possible that multiple sites were registered to the same Tor address or that Alphv was able to add another registration and then point the site to servers that law enforcement did not control. In the same way, though, law enforcement's presumably deep access to the gang's infrastructure is likely what allowed it to retake the site.

The US Justice Department noted Tuesday morning that people with information about Alphv/Blackcat and its affiliates should come forward and may still be eligible for a reward through the US State Department.

Updated 12/19/23, 2:55 pm ET to reflect that law enforcement reestablished its control of Alphv's dark-web leak site.

By Lily Hay Newman
