The ALPHV/BlackCat takedown shuffle.
the cyberwire logoDec 20, 2023

It's up, maybe it's down, no, for sure it's down, then up again, and finally down. For now.

The ALPHV/BlackCat takedown shuffle.

The ALPHV/BlackCat ransomware gang was the subject of a rumored, then confirmed takedown, and then of a rumored, later confirmed, ultimately reversed restoration.

ZeroFox recently published a useful overview of the BlackCat/ALPHV ransomware-as-a-service operation. The gang was responsible for around ten percent of all ransomware and data extortion attacks observed between January 2022 and October 2023, which has represented considerable C2C market share even as competition tightened.

Takedown of ALPHV/BlackCat's darkweb dumpsite confirmed.

ALPHV/BlackCat’s servers and website were intermittently unavailable last week. The gang put this down to technical difficulties, but rumors quickly spread that a law enforcement operation was seizing control of the gang's infrastructure.

Those rumors were confirmed this morning. The US Department of Justice announced that it had indeed taken part in an international action against the ransomware-as-a-service gang. The FBI has developed a decryption tool that it's already provided to more than five-hundred victims of the gang, and the Department of Justice encourages other victims to come forward for assistance.

TechCrunch reported that the site has been replaced by a splashpage that reads, in part, "“The Federal Bureau of Investigation seized this site as part of a coordinated law enforcement action taken against ALPHV Blackcat Ransomware.” The FBI worked in concert with partners from Germany, Australia, the EU, and the UK. The Record notes that the splashpage includes the US State Department's Rewards for Justice program, which suggests that the takedown isn't the end of the manhunt.

Seized, unseized, and seized again.

Within hours, however, there were signs that the takedown itself had become unstable, or at least disputed. Kevin Beaumont @GossiTheDog posted to his Mastodon channel at 12:58 PM that BlackCat had retaken control of its seized site. "THIS WEBSITE HAS BEEN UNSEIZED!" the gang crowed, introducing its reassertion of control with a ringmasterish "Ladies and gentlemen!" And then the FBI wrested back control.

BleepingComputer's founder, Lawrence Abrams, explained, also on Mastodon, "Both the FBI and ALPHV have the private keys associated with the Tor hidden service URL for the data leak site. Whoever is the latest to publish the hidden service on Tor (in this case the BlackCat data leak site), will resume control over the URL. Expect to see this type of back and forth over the next couple of days. As for the new victim update, that's on their new data leak URL." That said, the advantage lies with the FBI and its partners. As experts tell the Washington Post, the reputational damage alone ALPHV/BlackCat has sustained in the underworld will be difficult for the gang to manage. Its affiliates will be reluctant to work with the gang when it's been compromised to such an extent.

ALPHV/BlackCat is a Russian privateer, operating with the tolerance and permission of Moscow. Thus the communiqué the gang posted for the instruction of "Ladies and Gentlemen" contains an unsurprising bit of escalation. "Because of their actions," that is, the actions of the FBI and its international partners, "we are introducing new rules, or rather we are removing ALL rules except one, you cannot touch the CIS, you can now block hospitals, nuclear power plants, anything, anywhere." Just keep your noses clean and your hands to yourself, or rather, keep your hands on the goods of those countries in bad odor with the Kremlin. The CIS is the Confederation of Independent States, a semi-moribund bloc of former Soviet Republics. By their Cyrillic keyboards shall ye know them, those few who remain. So, just as long as you confine your banditry to the civilized world, everything's jake with ALPHV/BlackCat.

Thus ALPHV/BlackCat's web presence is much diminished, for now, but this isn't necessarily the end of the gang's road. ReliaQuest has followed the incident since the leaksite first showed signs of disruption, and the company's Michael McPherson, SVP of Technical Operations, wrote this morning, “The Justice Department has today confirmed law enforcement has disrupted the operations of the notorious ALPHV / Blackcat ransomware group. This explains the recent extended outage on the group’s infrastructure, with only sporadic activity of victims being named. The law enforcement action announced today serves as a body-blow to the ransomware ecosystem but it is by no means a knockout punch." Other such takedowns have usually led to a temporary disruption of ransomware activity followed by a resumption of criminal action as the gang members who remain at large reform and reconstitute their operations, often in a rebranded form. ALPHV itself is believed to have formed in this fashion from the remnants, possibly, of DarkSide, BlackMatter, and REvil.

(Added, 10:15 AM ET, December 20th, 2023.) Chris Grove, Director of Cybersecurity Strategy at industrial cybersecurity provider Nozomi Networks, offered some predictions on ALPHV/BlackCat's next moves. He thinks the gang's call for open season on all non-CIS targets should be taken seriously:

"Given ALPHV’s new stance, there is a real possibility of an increase in cyberattacks on critical infrastructure. Organizations operating critical infrastructure should be on heightened alert, as these developments could re-awaken a dormant phase in cybercriminal tactics where CI is fair play. Although this group's operations are degraded, they might act out of desperation to maintain their image as a safe system for hackers to leverage for their criminal activities. In a short period of time they’ve been able to pull in $300 Million to fund these types of operations, something they will fight for at the expense of our society’s safety and peace.

"I expect to see continued efforts from the DOJ to counteract and mitigate the threats posed by ransomware groups like ALPHV. If having a public ‘takedown’ countered by the gangs is where the story ends, it will undoubtedly reduce the fear of law enforcement within the criminal underworld – something the DOJ is unlikely to let happen. In terms of what happens next, it’s likely a cat-and-mouse game between law enforcement and members of this particular ransomware gang. From Darkside/DarkMatter to REvil to BlackCat and its affiliates, there are ongoing operations to dismantle the group’s network. It is also a signal to the cyber community that law enforcement is actively pursuing leads and looking to prevent further attacks."

The resilience of privateers (and ordinary organized criminals).

Before the rumors of a takedown were confirmed, Daniel Curtis, Senior Intelligence Analyst at ZeroFox, expressed the opinion that such a disruption would be unlikely to have a lasting effect on the criminal landscape. “Any disruption will very likely only result in a temporary suppression of the threat from its operatives,” Curtis said. “If unable to continue deploying the strain, ALPHV affiliates will very likely quickly pivot to other R&DE offerings and continue targeting victims at scale and at pace.”

Another industry expert who remarked on the resilience of the underworld, Dr. Ferhat Dikbiyik, Head of Research at Black Kite, had predicted that a large gang "like ALPHV" would be taken down. It came at least a month earlier than he'd expected (he called the shut-down for 2024). But Dikbiyik warns that this isn't necessarily the last the world will see of the gang. “Ransomware groups are like the mythical creature Hydra — when one head is cut off, two more appear. Despite reports that they are dismantled, AlphV has hinted that the group may recover or continue operating under a new name. But for now, AlphV/Black Cat claims that they are still operational. It seems that they will not go down easily and are even making bolder claims adding that except for the companies in CIS countries, all targets are allowed. As expected, they want to keep their affiliates, increasing the commission, opening up the target restrictions, etc."

Nonetheless, Dikbiyik thinks takedowns of this kind are well worthwhile. "For additional background, shutting down these groups has noted benefits:

  • "The new groups are not as powerful as the old ones due to reputational damage. Affiliates usually move on to other groups.
  • "Shutting down these groups sends a message to others. If they attack critical infrastructure (like DarkSide/Black Matter did during the Colonial Pipeline attack), they know they'll be on law enforcement's radar.
  • "Shutting down groups is a powerful deterrent. Some groups, like Hive, never recover after a shutdown. 

"However, shutting down sites should not be the only way to combat ransomware. The burden is on all of us, not just law enforcement. Cybersecurity professionals, vendors, and regulators must work together.” 

Sean McNee, VP of Research and Data at DomainTools, sees the action as representing a departure for law enforcement. "This takedown of ALPHV/Blackcat Ransomware-as-a-service group represents a notable shift in how the FBI operates against ransomware," McNee said. "No longer content only to investigate, the FBI and their law enforcement partners have now ‘released the hounds’ to identify, target, and mitigate the threats that Blackcat posed to individuals and organizations around the world. We applaud these efforts by law enforcement and hope that Blackcat and their affiliates who brazenly attacked higher education institutions, health care networks, and local governments are disrupted for a very long time."

Other experts also welcomed the enforcement action. Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, wrote, enthusiastically, "This is great news. Yet another ransomware purveyor disrupted. Even better, it's the second most popular ransomware gang and the FBI is proactively helping victims with a decryption tool. I didn't see where they identified any of the ransom hackers, and even so they are likely just to reform under another name. Still, anytime the good guys can disrupt the bad guys it's a great day for all that is good."

ReliaQuest's McPherson characterized the operation against ALPHV/BlackCat in boxing terms--points scored, but not a knockout. “The Justice Department has today confirmed law enforcement has disrupted the operations of the notorious ALPHV/BlackCat ransomware group. This explains the recent extended outage on the group’s infrastructure, with only sporadic activity of victims being named. The law enforcement action announced today serves as a body-blow to the ransomware ecosystem but it is by no means a knockout punch." The gang is metaphorically dizzy. "In the aftermath of such large-scale law enforcement disruptions, uncertainty permeates criminal organizations. In previous similar cases, the targeting of a ransomware group has typically resulted in operations ceasing, before members moved to other ransomware programs, or formed new groups. It is likely that this will spell the end of ALPHV as a criminal outfit. However, as noteworthy as this disruption is, there is no mention of any corresponding arrests." 

McPherson finds the FBI's decryption tool particularly noteworthy. "It is significant however, that the FBI has helped as many as 500 victims with a decryption tool. Decryption tools allow victims to potentially avoid paying significant ransom amounts and enables them to restore systems to normal activity. The ability for the FBI to do this undermines the credibility/capability of cyber-criminal organizations and bolster’s the FBI’s plea for victims to report potential compromises as soon as possible. The Department of Justice continues their 'hack the hacker' campaign to demonstrate the law enforcement community has offensive tools at their disposal and will not rely on a solely-defensive posture."  

Unfortunately, even if the organized gang should be knocked out, absent arrests, the criminal talent will find other scope for their misapplied talent. "The biggest impact of a potential permanent removal of ALPHV is likely to be a significant short-term disruption to ransomware globally. ALPHV is one of the more prominent ransomware groups in operation, tracked by ReliaQuest as the 3rd most active in Q3 2023. The removal of ALPHV from the ransomware landscape will undoubtedly leave a temporary void, before members flock to other groups. This is unfortunately a common outcome following law enforcement operation, reflecting the ongoing game of Whack-A-Mole in law enforcement attempting to provide a meaningful impact against this pernicious form of cybercrime.”

Those interested in details of threat ALPHV/BlackCat posed, and actions they might take to reduce their exposure to that threat, may consult CISA's joint Cybersecurity Advisory, #StopRansomware: ALPHV Blackcat.

(Added, 3:00 PM ET, December 21st, 2023.) Steve Stone at Rubrik Zero Labs sees the takedown as an instance of governments’ intention to act against ransomware-as-a-service operations. "This latest takedown of the notorious ALPHV ransomware group signals an intent by multiple governments to continue targeting these criminal enterprises,” he wrote in emailed comments. He sees the importance of international and interagency cooperation as the principal lesson of these enforcement actions. “While debate persists about whether such actions curb ransomware groups in the long term, these coordinated efforts produce invaluable impacts no single organization could achieve alone. Takedowns force threat actors to reconstitute under new names and rebuild technical infrastructure from scratch–actions that divert significant time and resources away from criminal operations. Recent examples like the months-long disruption of Qakbot show how some groups struggle to restore operations after takedowns. While Qakbot ultimately returned, it took nearly three months to rebuild technical infrastructure and restore capabilities. Importantly, ALPHV's claim to have 'unseized' their site misunderstands the nature of .onion addresses, which are tied to encryption keys held by site operators. The governmental coalition maintains complete control of ALPHV's leak site and data. Overall, these actions showcase the power of global cooperation against digital extortion, and underscore the importance of cyber resilience for all organizations while governments dismantle ransomware's underlying ecosystem."

A possible merger with rival LockBit.

(Added, 10:30 PM ET, December 22nd, 2023.) The Cyber Express reports that ALPHV and LockBit announced late this week their intention to form a ransomware cartel. It's a gesture toward honor among thieves, and a gesture toward some prospect of continued criminal survival. “The FBI doesn’t catch us alone; it joins forces with all the special services in the world; we have to do the same,” LockBit said, and its former criminal rivals in ALPHV responded, “LockBit’s right, we should all join a cartel or they’ll hunt us down one by one.” Whether numbers will bring strength or simply present a larger, more consolidated target to law enforcement is unclear.

eSentire's Threat Response Unit (TRU) sent us comments on this proposed gangland merger, noting that there are longstanding business relationships in the C2C economy that will themselves be affected by any such consolidaion. "One of the ALPHV/BlackCat Ransomware Gang’s most loyal and longtime affiliates is the Gootloader cybercrime group. The Gootloader operators, like the leaders of the ALPHV/BlackCat Group, are Russian-speaking, and they have been running sophisticated, meticulously-planned attack campaigns, non-stop, for the past three and a half years and have been in existence for over five years. The Gootloader operation infects about 30 computers a day on average with their initial-access-malware. After they get a foothold into their victim’s IT network, they often hit their victims with the ALPHV/BlackCat ransomware. ALPHV/BlackCat has been Gootloader’s 'go-to ransomware' since the ransomware group emerged in November 2021. How will law enforcement’s activities against the ALPHV/BlackCat Ransomware Group affect the Gootloader Operation, one of the ALPHV/BlackCat’s most loyal affiliates?"

And Keegan Keplinger, Sr. Security Researcher with the TRU, described the state of ALPHV at week's end and the prospects of a rebranding. “As of Dec 21, ALPHV still has a blog site up and running and they posted a new victim as recently as December 20," Keplinger wrote, "alongside several other recent victims, who had appeared previously on their main data leak site. Whether or not the ALPHV ransomware group rebrands to a new ransomware or not, it's likely they'll maintain most of their affiliate relationships to some degree. Because they face disruption efforts, some affiliates may be cautious not to invest time and energy into operations that may be disrupted or sanctioned from ransomware payments. However, if ALPHV rebrands, they get to reset their heat meter with law enforcement while maintaining much of the relationships and reputation they’ve developed in the cybercrime market.”

Post script: How did the FBI gain the insight it needed to take down the site?

Put briefly, the Bureau had a snitch inside the gang.

The story is in the affidavit filed to request the search warrant the FBI obtained from the US District Court for the Southern District of Florida. "Law enforcement worked to make undercover contact with individuals who provided credentials to these panels. Specifically, law enforcement engaged a Confidential Human Source (“CHS”) who routinely provides reliable information related to ongoing cybercrime investigations. The CHS responded to an advertisement posted to a publicly-accessible online forum soliciting applicants for Blackcat affiliate positions. A member of the Blackcat Ransomware Group responded to the CHS and asked questions designed to gauge the CHS’s technical proficiency with network intrusion. The CHS responded to these questions to the Blackcat actor’s satisfaction. The Blackcat actor then provided the CHS with access credentials to a Blackcat affiliate panel, available at a unique Tor address. The CHS visited this page, confirmed that this was the log-in page for a Blackcat affiliate panel, and accessed the panel."

Privateers and other bad actors might well look over their shoulders. And when the opportunity presents itself, they might also have a stern heart-to-heart with their HR department.