No confirmation on rumored ALPHV/BlackCat site takedown by law enforcement

As the week started, there was still no official confirmation from law enforcement that the notorious ALPHV/BlackCat site had been taken down.

Late last week, various research groups and news organizations reported, and RedSense on Dec. 8 confirmed, that law enforcement took down the ransomware group’s site, but short of official confirmation from the FBI or other law enforcement sources, it remains speculative.

Efforts by SC Media to gain confirmation from the FBI were unsuccessful.

A Dec. 10 post on X by vx-underground said that a dozen or so people had asked about ALPHV and its sudden website outage. The post said vx-underground has not heard rumors of the group's members being arrested, nor rumors of its servers being seized.

“The only mentions of these rumors are from other people asking us about these rumors,” said vx-underground. “We cannot comment on the legitimacy of these claims because we have no way to substantiate them. ALPHV informed us they are experiencing hardware failure on their server. This is the second or third time this has happened to the best of our knowledge. It is our opinion that ALPHV is indeed experiencing issues with their hosting provider. But, this is just an opinion and we have been wrong many times.”

ALPHV/BlackCat, affiliates targeted by law enforcement

In a blog post Dec. 8, ReliaQuest said the cause of the ALPHV/BlackCat outage remains uncertain: it could be the result of a technical hosting issue on the ALPHV operators' side or potentially a law enforcement action.

Chris Morgan, senior cyber threat intelligence analyst at ReliaQuest, said the biggest impact of a potential permanent removal of ALPHV is likely a significant short-term disruption to ransomware globally. ALPHV has become well-known as one of the more prominent ransomware groups in operation, tracked by ReliaQuest as the third most active in Q3 2023.

“The removal of this group from the ransomware landscape will undoubtedly leave a void, with its operators and affiliates likely moving to other ransomware groups or forming new groups,” said Morgan. “This is unfortunately a common outcome following law enforcement operation, reflecting the ongoing game of Whack-A-Mole in law enforcement attempting to provide a meaningful impact against this pernicious form of cybercrime.”

Craig Harber, security evangelist at Open Systems, said if it were a takedown of the leak site, it would be just an inconvenience for the ALPHV/BlackCat hacker group. Harber said they will reconstitute their capabilities on a new set of servers and continue their operations.

“From the victims' perspective, the takedown of the data leak site has little upside unless there's a recovery of the keys used to encrypt the victim's data,” said Harber. “Even if there's a recovery of the victim's data, there are most likely copies of that data still in the hands of the hacker group. Additionally, there may be the unintended consequence of disrupting communications between the hacker group and their victims. If victims use the site to communicate with the hacker group, it delays their recovery until they establish a new communication channel.”

Andrew Barratt, vice president at Coalfire, said it’s tricky because we only have rumors and speculation. Barratt said the FBI and CISA have been working on “Scattered Spider” takedowns for a while, and they are a known affiliate of ALPHV/BlackCat, so there’s a possibility that the work from law enforcement has been successful.

“Threat intelligence company RedSense is making uncorroborated claims that the site has been taken down by law enforcement,” said Barratt. “With opposing rumors of ‘maintenance’ windows abounding it’s likely worth closely watching the reporting feeds from both the FBI and CISA and international partners for a confirmation that this is their work.”