Fraud Management & Cybercrime , Ransomware

Ransomware Group Offline: Have Police Seized Alphv/BlackCat?

Prolific Ransomware Operation Tied to Big Hits Claims 'Everything Will Work Soon'
Ransomware Group Offline: Have Police Seized Alphv/BlackCat?
Did police seize the BlackCat/Alphv online infrastructure?

Chatter in the cybercrime underground suggests that the ongoing disruption of a ransomware group's data leak site and victim communications channel is due to a law enforcement operation.

See Also: The Cost of Underpreparedness to Your Business

The data leak site for the Russian-speaking Alphv ransomware group, aka BlackCat, as well as its Tox peer-to-peer instant messaging account, have remained offline since Thursday, researchers report.

"Threat actors, including BlackCat's affiliates and initial access brokers, are convinced that the shutdown was caused by a law enforcement action," said Yelisey Bohuslavskiy, chief research officer at New York-based threat intelligence firm Red Sense, on Sunday.

Or at least that's the opinion being voiced by the administrators of multiple other post-Conti ransomware groups - including Royal/BlackSuit, BlackBasta and Akira - as well as major rival LockBit, Bohuslavskiy said.

BlackCat's leadership is continuing to deny anything is wrong - likely out if concern for its reputation - and its site features no takedown notice from any law enforcement agency, he said. "The current status of the group is, 'Everything will work soon.'"

While the ransomware group's data leak site "has a history of connectivity issues, with periodic outages," the ongoing downtime "marks one of the longest disruptions the group has faced," security operations firm ReliaQuest said in a blog post.

Many Attacks Trace to Group

Security researchers said BlackCat has listed more than 650 victims on its data leak site since launching in November 2021 as a spinoff of the now-defunct Conti ransomware group. Not all ransomware groups run data leak sites, and the ones that do don't list all victims - only a subset of nonpaying victims.

If law enforcement is responsible for the disruption, that wouldn't be a surprise, especially because individuals associated with the group "did cross the line," Bohuslavskiy said. Two of the group's more high-profile recent victims in the U.S. were casino and hotel giants Caesars Enterprise and MGM Resorts. The group also regularly claims victims in the healthcare sector and appears to work with hackers based in America.

"It's one thing to be a Russian-based ransomware group, and it's another to penetrate the U.S. soil with essentially an affiliate branch, in the country," Bohuslavskiy said.

Over the past year, while LockBit again accounted for the largest number of known attacks tied to any group - 25% of all victim listings - BlackCat came in second, accounting for 11% of listings, and healthcare remained the sector most hit, Cisco Talos said in an annual review of cybercrime and cyberattack trends covering the 12-month period ending on Sept. 30.

Both ransomware operations have continued the pace of their efforts since then. In November, the monthly number of known attacks surged to 89 - a record - with LockBit and BlackCat each accounting for about one-fifth of known attacks, said cybersecurity firm BlackFog.

BlackCat's administrators run it as a ransomware-as-a-service operation, meaning affiliates use the group's crypto-locking malware and the operators keep a cut of every ransom that is paid. Understanding which individuals are behind any given attack remains challenging. Instead, security researchers tend to refer to clusters of activity, which in the case of BlackCat can involve Scattered Spider, which is also known as UNC3944, Scatter Swine, Muddled Libra and Roasted 0ktapus.

Attribution Shortcomings

Ransomware incident response firm Coveware warned against paying too much attention to any given group or cluster of activity, given the "fluidity" with which ransomware operations may come and go, while many of the players - administrators, affiliates, initial access brokers - stay the same.

"Cyber extortionists are able to brand shop between known ransomware-as-a-service operations or work as unbranded lone wolves," it said in a recent report. "We prefer to avoid the labels, and train our clients and readers on the 'how' and 'what' so they can defend themselves."

The potential disruption of BlackCat's operations by law enforcement follows the high-profile takedown of Hive in January, spearheaded by Dutch, German and U.S. law enforcement agencies. The FBI said Hive had deployed crypto-locking malware inside 1,500 organizations and received over $100 million in known ransom payments.

In October, a police operation knocked Ragnar Locker offline, a Russian-speaking, midlevel-tier operator that had launched in 2019, potentially as a Maze spinoff.

Seeking Disruptions That Stick

One ongoing challenge with these takedowns is that while they might inconvenience operators and affiliates, without arrests, the individuals involved can simply set up shop again. Because many groups operate from Russia, which never extradites its citizens, their members mostly operate beyond Western law enforcement.

In October, a suspected reboot of Hive called Hunters International appeared, although the operation's administrators claimed to be "a distinct entity that purchased Hive's source code," Marcelo Rivero, a ransomware specialist at security firm Malwarebytes, wrote last month in a research report.

Despite the denials, "the overlap in their malware's coding and functionality suggests a direct lineage from Hive," he said.

Finding better ways to make life difficult for individuals in the ransomware sphere is sorely needed, Ollie Whitehouse, CTO of Britain's National Cyber Security Center, said in a keynote speech at last week's Black Hat Europe conference in London.

"How do we employ a quantifiable cost on our adversaries? I'm not convinced that burning their infrastructure does much other than causing them to run a Terraform script against a whole new site," he said, referring to an open-source infrastructure-as-a-code tool used to quickly stand up cloud-based services.

Whitehouse said the industry needs better ways to "dissuade" adversaries by giving them "a teary, bad day in the office," although what those tactics might be remains "unclear to us - both on a human level as well as a technological level."

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.