The ALPHV data leak site, along with the Tor negotiation URLs shared with victims in ransom notes, went offline on 7 December 2023 and had yet to be restored at the time of writing.
Security researchers, including Yelisey Bohuslavkiy, chief research officer at RedSense, have hinted at a possible law enforcement operation targeting the group.
Bohuslavkiy said admins of other top-tier ransomware groups directly linked to ALPHV, including Royal/BlackSuit, BlackBasta and LockBit, confirmed law enforcement involvement in the takedown.
1/3: RedSense Chief Research Officer Yelisey Bohuslavkiy @Migdal_Eli confirms that the threat actors, including #BlackCat’s affiliates and initial access brokers, are convinced that the shutdown was caused by a law enforcement action.
— RedSense (@RedSenseIntel) December 10, 2023
Despite these rumours, BlackCat’s leadership maintains that “everything will work soon.”
When contacted by BleepingComputer, the ALPHV admin mentioned server repairs, but provided no further details.
ReliaQuest, a security operations centre company, notes that BlackCat’s site has a history of intermittent connectivity issues, although the current outage is among the longest faced by the group.
Notably, no law enforcement agency has officially released information about an operation specifically targeting BlackCat.
ALPHV had previously dismissed the possibility of a takedown effort like the one that targeted the Hive ransomware group in January 2023.
Analysts at ReliaQuest speculate that this disruption could prompt hackers associated with BlackCat to seek new affiliations, or even establish their own ransomware gangs.
“The removal of this group from the ransomware landscape will undoubtedly leave a void, with its operators and affiliates likely moving to other ransomware groups or forming new groups,” said Chris Morgan, senior cyber threat intelligence analyst at ReliaQuest.
The company noted that similar law enforcement actions in the past have dispersed affiliates into new programmes, where they bring the tradecraft and experience gained in previous operations with them.
Who is BlackCat?
BlackCat first appeared in late 2021 as a ransomware-as-a-service enterprise, offering lucrative payouts of up to 90% of ransom payments to attract affiliates.
The group is thought to have emerged when former affiliates of DarkSide and BlackMatter joined forces, underscoring the fluid and interconnected nature of the cybercriminal landscape.
BlackCat’s operators appear to be Russian speakers.
ReliaQuest noted that the ransomware operation’s leak website listed over 650 victims before being shut down, including major firms like Reddit, Western Digital, Swissport, MGM Resorts, and NCR.
The group recently made headlines for an apparent hack on financial software provider MeridianLink, claiming to have filed a complaint with the US Securities and Exchange Commission (SEC) alleging that the victim had failed to disclose the breach.
Law enforcement agencies globally have been increasingly targeting ransomware gangs in recent months.
Operations against ransomware groups such as REvil, Hive and RagnarLocker, and against the Qakbot botnet that supplied many of them with initial access, demonstrate the coordinated efforts of Interpol, the FBI and Europol to dismantle cybercriminal networks.
However, the challenge with such takedowns lies in the transient nature of cybercriminal operations.
Without arrests, individuals involved can easily set up new operations, especially when operating from jurisdictions like Russia that do not extradite their citizens.
Experts in the field emphasise the need for more effective strategies to deter ransomware actors, suggesting that the industry should explore approaches beyond the traditional shutdown of infrastructure, since a seized leak site or negotiation server can be rebuilt within weeks while the operators behind it remain free.
Wanda Parisien is a computing expert who navigates the vast landscape of hardware and software. With a focus on computer technology, software development, and industry trends, Wanda delivers informative content, tutorials, and analyses to keep readers updated on the latest in the world of computing.