Ransomware gang ALPHV/BlackCat said Tuesday it was expanding the range of victims its network of affiliates could target to now include nuclear power plants, hospitals and critical infrastructure. The move is a high-profile escalation of the ransomware as a service (RaaS) criminal syndicate as it appears to be reacting to recent FBI enforcement activity.
The statement by ALPHV/BlackCat was posted to its leak site that had been offline since December 7, when it is believed to have been shuttered by law enforcement. On Tuesday, ALPHV/BlackCat's previously shuttered site briefly displayed an FBI seizure notice. Within hours, however, the site then displayed a note by the ransomware group claiming the site had been "unseized."
In a 233-word statement, written in the Russian language (and translated here using Google Translate), the threat actors stated, "Because of their actions, we are introducing new rules, or rather, we are removing ALL rules, except one, you cannot touch the CIS (critical infrastructure sectors), you can now block hospitals, nuclear power plants, anything, anywhere."
Researchers believe this statement gives affiliates of one of the largest RaaS gangs the green light to attack any target.
Actions by the RaaS group were likely sparked by a Tuesday press release by the FBI announcing it had seized several websites that ALPHV/BlackCat operated. The FBI also stated that it had developed a decryption tool to assist ALPHV/BlackCat victims in recovering data.
The FBI declined to comment in response to SC Media’s inquiries regarding the matter.
Fighting the scourge of ransomware
Cybersecurity experts who spoke with SC Media said the threats alluding to an expansion of targets by ALPHV/BlackCat should be taken seriously.
“The removal of restrictions on affiliates is an interesting threat, but it underscores the reality of this genre of crime,” said John Bambenek, president of Bambenek Consulting. “Arrests and prosecutions are essentially non-existent as the bulk of these individuals live in places that don’t cooperate with Western law enforcement and these threat actors know it.”
The incident underscores the escalating struggles by federal law enforcement agencies to clamp down on the criminal activity of ransomware gangs.
Feds reveal anti-ALPHV/BlackCat tactics
As part of the FBI investigation, the U.S. Department of Justice unsealed a warrant Tuesday that revealed how the FBI engaged a “confidential human source” to infiltrate deep web control panels used by ALPHV/BlackCat and its affiliates to coordinate and manage ransomware attacks. Through its investigation, the agency obtained 946 public/private key pairs for Tor sites ALPHV/BlackCat used to communicate with victims, leak stolen data and host affiliate panels, the warrant states.
The announcement also revealed that the FBI developed a decryption tool that can be used to recover the encrypted files of ALPHV/BlackCat ransomware victims. The agency said it is offering this tool to more than 500 affected victims and has already used the solution to save multiple victims from ransom demands totaling approximately $68 million.
“The ability for the FBI to do this undermines the credibility/capability of cyber-criminal organizations and bolsters the FBI’s pleas for victims to report potential compromises as soon as possible,” Michael McPherson, a former FBI agent and current senior vice president of technical operations at ReliaQuest, told SC Media.
ALPHV/BlackCat leak site seized
Speculation that the gang had been targeted by law enforcement arose over the last two weeks due to reports that the main leak site suddenly went offline. Malware sharing group VX-Underground posted on X on Dec. 10 stating ALPHV told it the outage was due to a “hardware failure.”
The FBI's press release states the FBI “has seized several websites that the group operated.” BleepingComputer reported that the FBI confirmed the earlier outage was due to a law enforcement operation. The website Hackread reported that a blog used by ALPHV/BlackCat to advertise its cyberattacks was still online.
“There is no indication that [authorities have] captured or detained any of the threat actors themselves,” noted BullWall Executive Vice President Steve Hahn in a comment to SC Media. “If this is the case, what they shut down was nothing more than a website and some servers. The threat actor group remains at large and it will be nothing more than a temporary setback until they prop up new infrastructure.”
More on ALPHV/BlackCat's claims
VX-Underground was among the first to share screenshots of the “unseized” ALPHV/BlackCat site on X, accompanied by a translation of the Russian-language message posted on the site.
ALPHV has ... unseized their domain?— vx-underground (@vxunderground) December 19, 2023
They claim the FBI compromised one of their domain controllers. Additionally, they state they are removing all rules from their affiliate program (omit the rule on targetting the CIS) - allowing affiliates to target critical infrastructure pic.twitter.com/ZoRvDVZn5k
The message states that the FBI gained access to one of ALPHV/BlackCat’s domain controllers but alleges all its other domain controllers were not accessed. The statement goes on to claim the FBI only has keys related to 400 victim companies from the last month and says more than 3,000 additional victims will not receive keys because of the law enforcement action.
DOJ efforts may have ‘unintended consequence’
ALPHV/BlackCat, the second largest ransomware-as-a-service provider according to the FBI, is known for its ruthless and sometimes unusual extortion tactics. For example, the group reported one of its own victims to the U.S. Securities and Exchange Commission (SEC) in November in an apparent attempt to piggyback on new breach disclosure rules.
Despite the group reportedly stating it will lift a ban on critical infrastructure attacks, ALPHV/BlackCat affiliates have already targeted the healthcare sector in the past.
Panther Labs Field CISO Ken Westin said cybersecurity teams should be on alert as this situation develops.
“If this is true, organizations should be even more vigilant over the holidays, as this could be a perfect storm where security teams are downsized during the break while motivation to target critical systems has increased,” Westin stated.
Craig Harber, security evangelist at Open System, who has previous experience at the National Security Agency and USCYBERCOM, adds that a takedown of ALPHV/BlackCat’s leak sites would be an “inconvenience” for the group – and a potential headache for victims.
“There may be unintended consequence of disrupting communications between the hacker group and their victims,” Harber said. “If victims use the site to communicate with the hacker group, it delays their recovery until they can establish a new communication channel.”