ALPHV/BlackCat operation down, but maybe not out

A multinational, US-led operation has disrupted the operations of the ALPHV/BlackCat ransomware-as-a-service (RaaS) cartel, capping almost two weeks of speculation about the fate of the notorious cyber extortion operation, but at the same time causing more uncertainty as gang members move to minimise the impact.

A lengthy period of downtime for the BlackCat operation earlier in December had prompted speculation across the cyber security research community that the criminal gang had been disrupted or taken down by law enforcement agencies.

The gang’s Tor-based leak site first became inaccessible on Thursday 7 December and the outage persisted for several days, although for well over a week no law enforcement agency made any statement in regard to an action against the gang, which maintained that it was experiencing technical issues.

According to the takedown notice that initially replaced the gang’s leak site, the operation against BlackCat encompassed agencies from around the world, including Australia, Austria, Denmark, Germany, Spain, Switzerland and the UK’s National Crime Agency (NCA).

At the same time, tech experts at the FBI have developed a decryption tool for the gang’s ransomware locker, which has now been distributed to over 500 affected victims. According to the US Department of Justice, this has likely saved about $68m in ransom payments already.

“In disrupting the BlackCat ransomware group, the Justice Department has once again hacked the hackers,” said US deputy attorney general Lisa Monaco.

“With a decryption tool provided by the FBI to hundreds of ransomware victims worldwide, businesses and schools were able to reopen, and healthcare and emergency services were able to come back online. We will continue to prioritise disruptions and place victims at the centre of our strategy to dismantle the ecosystem fuelling cyber crime.”

Law enforcement win

Charles Carmakal, chief technology officer at Google Cloud’s Mandiant Consulting, said: “This is a huge win for law enforcement and the community. ALPHV was one of the most active ransomware-as-a-service programs and they worked with both Russian affiliates and English-speaking western affiliates.

“This action by law enforcement sends a very strong message to ALPHV affiliates and other threat actors. We anticipate continued law enforcement actions and wins throughout 2024.”

Does BlackCat have nine lives?

However, observed Carmakal, the disruption to the cartel’s operations may not yet extend across all of its affiliate groupings – those smaller players to which the core members sold the BlackCat locker in exchange for a cut of the profits.

“Some of the ALPHV affiliates are still active, however, including UNC3944 [Scattered Spider/Octo Tempest – the operation behind the September 2023 Las Vegas casino heists],” he said.

“We expect some affiliates will continue their intrusions as normal, but they will likely try to establish relationships with other RaaS programs for encryption, extortion, and victim shaming support,” said Carmakal.

Researchers from the Secureworks Counter Threat Unit (CTU) went further still, uncovering evidence that, in the two weeks since the disruption began, multiple other RaaS operators had offered to publish stolen data on behalf of BlackCat affiliates.

In one instance, said the CTU team, data stolen in a BlackCat attack which occurred just before 7 December was handed off to the INC ransomware crew to publish on their leak site.


More concerningly, said the CTU team, several hours after the official takedown notice was published, BlackCat (which it tracks as Gold Blazer) responded with its own notice on the same site, saying it had been “unseized”. This suggests the gang still holds the private key for its onion service: a v3 .onion address is derived from the service’s public key, so whoever has the matching private key can publish a fresh service descriptor for that address from any server, and Tor clients are directed to whichever descriptor was published most recently. Seizing the machine that hosted the site therefore does not revoke the address unless the key is taken with it.
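To make that key binding concrete, here is an added Python example (not code from the article, Secureworks or the Tor project) that derives a v3 .onion hostname from a 32-byte ed25519 public key using the construction published in Tor’s rend-spec-v3, and validates one. The key bytes are constructed for illustration and are not a real service key. It shows that the address is a pure function of the public key, so the party holding the private key, not the party holding a particular server, is the one that can keep announcing the service.

```python
import base64
import hashlib

ONION_VERSION = b"\x03"  # v3 onion address version byte (rend-spec-v3)


def onion_v3_address(pubkey: bytes) -> str:
    """Derive the v3 .onion hostname bound to an ed25519 public key.

    rend-spec-v3: onion_address = base32(PUBKEY | CHECKSUM | VERSION)
                  CHECKSUM      = SHA3-256(".onion checksum" | PUBKEY | VERSION)[:2]
    """
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + ONION_VERSION).digest()[:2]
    raw = pubkey + checksum + ONION_VERSION  # 35 bytes -> 56 base32 chars, no padding
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def onion_v3_pubkey(address: str) -> bytes:
    """Recover the public key from a v3 hostname, rejecting altered or mistyped addresses."""
    host = address.lower()
    if host.endswith(".onion"):
        host = host[:-len(".onion")]
    if len(host) != 56:
        raise ValueError("v3 onion hostname must be 56 base32 characters")
    raw = base64.b32decode(host.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_VERSION:
        raise ValueError("unsupported onion address version")
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + ONION_VERSION).digest()[:2]
    if checksum != expected:
        raise ValueError("checksum mismatch: address was altered or mistyped")
    return pubkey


def is_valid_onion_v3(address: str) -> bool:
    """Boolean wrapper around onion_v3_pubkey for callers that only need a yes/no."""
    try:
        onion_v3_pubkey(address)
        return True
    except ValueError:
        return False


def same_service(addr_a: str, addr_b: str) -> bool:
    """Two hostnames name the same onion service iff they encode the same public key."""
    return onion_v3_pubkey(addr_a) == onion_v3_pubkey(addr_b)


# Constructed demo key material (NOT a real onion service key).
DEMO_PUBKEY = bytes(range(32))

if __name__ == "__main__":
    addr = onion_v3_address(DEMO_PUBKEY)
    print("derived address:", addr)
    # The same key, "hosted" from anywhere, always yields the same address:
    print("re-derived from a second host:", onion_v3_address(DEMO_PUBKEY) == addr)
    # A one-character change breaks the embedded checksum:
    tampered = ("a" if addr[0] != "a" else "b") + addr[1:]
    print("tampered address valid?", is_valid_onion_v3(tampered))
```

The practical consequence for a takedown is the one the CTU team describes: taking a leak-site server offline does nothing to the address unless the ed25519 private key is recovered from it, because any host that can sign a descriptor with that key can re-announce the same hostname.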

The notice redirected visitors to a new blog site and a Russian-language announcement acknowledging the law enforcement operation and threatening vengeance.

In the gang’s statement, translated by Secureworks using automated services, the gang said the FBI had gained access to one of its datacentres, possibly by hacking into or collaborating with one of its hosting providers.

At most, claimed BlackCat, the FBI has decryption keys for 400 victims dating back to early November, but because of the operation, it said, over 3,000 victims “will never receive their keys”.

As a result, the criminals threatened, the gang has removed all rules dictating what targets its affiliates may attack, with the exception of targets in the former Soviet Union, and will no longer offer discounts to victims that negotiate.

As of Tuesday 19 December, five victims have been posted to the new leak site, said Secureworks.

