The ALPHV/BlackCat hacktivist group claims to have “liberated” its own darknet website – just hours after the FBI boasted it had taken it down.
The world of ransomware exploded with drama on Tuesday as the cat-and-mouse game between the FBI and the ALPHV/BlackCat ransomware group continues.
After a week of speculation, the U.S. Federal Bureau of Investigation (FBI) announced on the morning of Tuesday, December 19, that it had seized the darknet ransomware gang’s blog.
But the gang appears to have been resurrected – if it was ever in any real danger of being destroyed – and has announced that it has regained control of its own web domain.
The gang informed its followers, “Ladies and gentlemen! We’ve moved here!” and published a fresh onion address.
vx-underground posted a screenshot of the gang’s announcement on X.
Moreover, as a response to the FBI’s actions, the group also announced that its rules of engagement have officially changed and it will now allow other hacker groups to use its ransomware variant to attack critical U.S. infrastructure, something that has been banned in the past.
The ALPHV/BlackCat onion site mysteriously disappeared in early December, prompting speculation online (some of it hopeful, some of it skeptical) that either law enforcement had caught up with the hacker group or the disappearance was part of a planned rebranding.
“Uncertainty often reigns in criminal organizations after large-scale law enforcement breaches like this,” says Michael McPherson, senior vice president of technical operations at ReliaQuest.
McPherson – also a former FBI special agent – explained that “in previous similar cases, an attack on a ransomware group has typically resulted in the cessation of operations, after which its members moved on to other ransomware programs or formed new groups.”
“However, as remarkable as this disruption is, there is no mention of any related arrests,” he said.
Earlier on Tuesday, the group reached out to vx-underground, which has been posting updates on the saga, to dispel any rumors.
“The ALPHV ransomware group’s administrative team has contacted us to let us know that they have moved their servers and blogs,” vx-underground wrote on X.
The group, known for “laying out the case” in its online publications, also wrote a lengthy message to its followers explaining in detail its own version of the events leading up to the so-called twist of fate.
Critical infrastructure now fair game
“As you all know, the FBI has gotten the keys to our blog, and now we’re going to tell you how it all happened”
– wrote ALPHV/BlackCat on their “unclassified” leak site.
The group claims that the FBI gained access to one of their many domain controllers (DCs), possibly by hacking or working with DC hosts.
According to the group, the FBI was able to get their hands on decryption keys for about 400 companies, leaving another 3,000 companies stranded.
Speaking about the new set of rules, the group explained, “Now you can block hospitals, nuclear power plants, anything and anywhere.”
One exception was made: “You can’t touch the CIS,” the message said.
“Advertisers” (hackers who use the gang’s ransomware tools as a service) will now receive 90% of the ransom paid, and VIPs will get their own domain controller.
“Thank you for your experience, we will learn from our mistakes and work even harder, we look forward to your whining in chat rooms and asking for discounts that no longer exist,” the group concluded its message.
Meanwhile, on Tuesday, the FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which claim to have “cracked down on the hackers,” published details of the gang’s numerous affiliates, their extensive networks, expertise and data extortion operations.
“As of September 2023, the FBI’s investigation puts the number of compromised organizations at more than 1,000 – more than half of them in the United States and about 250 outside the United States,” the release said.
According to the U.S. Department of Justice, decryption keys provided to ALPHV/BlackCat victims around the world have allowed hundreds of businesses and schools to resume operations and medical and emergency services to come back online.
At the time of this report, the FBI and CISA had not commented on the latest ALPHV/BlackCat claims.
Who are ALPHV/BlackCat?
“ALPHV is one of the most visible groups involved in ransomware development,” says McPherson.
ALPHV/BlackCat was first spotted in 2021. It is known to operate on a ransomware-as-a-service (RaaS) model, selling malware subscriptions to criminals.
The Russian-linked gang was tracked by ReliaQuest as the third most active ransomware cartel in the third quarter of 2023, carrying out hundreds of attacks and causing more than $1 billion in damage in 2023 alone.
Known for its triple extortion tactics, the gang is responsible for the September ransomware attacks on MGM Resorts casinos in Las Vegas, as well as on Caesars International, which was rumored to have paid a $15 million ransom to stay in business.
McPherson says the possible takedown of ALPHV is likely to have only a short-term, albeit significant, impact on the global ransomware scene.
“Unfortunately, this is a common outcome after a law enforcement operation, reflecting the ongoing game of Whac-A-Mole in law enforcement’s attempts to have a meaningful impact on this pernicious form of cybercrime,” McPherson said.