Has the digital reign of terror from the world’s second most active ransomware group, ALPHV (BlackCat), come to an end, or hasn’t it?
If you ask the coalition of global police forces that recently seized its infrastructure, you’ll get a clear yes in answer to that question.
The first sign that ALPHV was in trouble came on Dec. 7 when the dark websites used by the group to publish data leaks and conduct ransomware negotiations suddenly disappeared. This is highly unusual—dark websites used by ransomware groups are a vital piece of infrastructure necessary for their business model. Without it, they can no longer communicate or negotiate ransoms.
This implied that ALPHV had been disrupted by some kind of police action. On Dec. 19, confirmation came of this when the U.S. Department of Justice (DOJ) announced that an international operation had seized the group’s servers.
To rub it in, anyone visiting the group’s darknet domain would’ve received the message “this domain has been seized” alongside the logo of the U.S. Justice Department.
Game over, surely.
But ALPHV didn’t achieve its level of stardom and notoriety by sitting on its hands. On Dec. 19, its domain reportedly resurrected itself with the defiant message “THIS WEBSITE HAS BEEN UNSEIZED.”
That only lasted two hours before the DOJ regained control, but the back and forth demonstrated something previously unseen in cybercrime takedowns—the criminals fighting back.
Bizarrely, in retaliation the group said it had also removed restraints on its affiliates from attacking critical national infrastructure (CNI) such as hospitals—as if that wasn’t already happening on a regular basis anyway.
Bites the Dust
Regardless, this is still a big blow for ALPHV.
In November 2023 the group felt cocky enough to report one of its claimed victims to the U.S. Securities and Exchange Commission (SEC) for failing to report a cybersecurity incident.
As we reported at the time, it was a cheeky but creative tactic to generate publicity for a Ransomware-as-a-Service (RaaS) platform that has been one of the biggest menaces in ransomware since it first appeared in late 2021.
We now know from the DOJ that even as it was pursuing this unusual campaign the ALPHV (at least in its current form) was living on borrowed time for several months.
It seems that police penetrated the group’s infrastructure some time ago and have been quietly assessing its inner workings to gather additional intelligence. Although presumably this allowed the group to continue targeting victims, it would also have given the authorities deeper insight into its wider operations.
This isn’t just a detail. The group is believed to have used several names over the years, including DarkSide, which was disrupted by police in June 2021, and as BlackMatter, whose encryption tool was cracked by a security company a few months later.
What’s to stop ALPHV from simply starting up for a third time under yet another name? Beyond the hit to its reputation, not much. However, it’s also possible that the longer police operation might have yielded the sort of intelligence that will make that harder this time.
How did the police get so deep inside a major ransomware platform? It’s unlikely we’ll ever know but it’s perhaps not entirely coincidental that the State Department has in recent times started offering hefty bounties under the TOCRP program for information on prominent groups to the tune of $10 million a pop.
That’s a drop in the ocean for a ransomware group, perhaps, but a decent payday for a motivated insider willing to turn stool pigeon.
File Recovery
What the latest takedown means for victims is that the FBI has retrieved the decryption keys that will allow 500 hundred of ALPHV’s victims to recover their files. This was equivalent to ransoms totaling $68 million, the U.S. authorities said.
If there’s a wrinkle in all this good news, it’s that decrypting files is no longer the whole story with today’s ransomware. More damaging is the theft of private data during these attacks which is now gone forever and unretrievable.
The takedown of ALPHV was an unexpected gift but no police action will ever bring data back after the fact.
