“Law enforcement is moving a lot faster, but it is still not fast enough,” says Allan Liska, an analyst for the security firm Recorded Future who specializes in ransomware. “It takes a while to build a case, and in the meantime these groups wreak havoc.”
Part of the reason for law enforcement’s delay in attempting to take down Alphv’s infrastructure may have been an ongoing investigation into the actors behind the group. Alphv/BlackCat seems to have evolved from a gang known as BlackMatter, which, in turn, seemed to emerge as a recombination of the notorious Darkside ransomware group that targeted Colonial Pipeline in the US.
“This isn’t their first shit show. Unfortunately, it probably won’t be their last either,” says Brett Callow, a threat analyst at antivirus company Emsisoft. “But Alphv’s partners in crime will be wondering, what information law enforcement was able to collect? And who does it implicate?”
The takedown effort involved collaboration and parallel investigations from multiple law enforcement agencies, including those in the United Kingdom, Australia, Germany, Spain, and Denmark. The US Justice Department said Tuesday that a decryptor tool for the Alphv ransomware that was developed by the FBI has already helped more than 500 victims recover from attacks and avoid paying roughly $68 million in ransoms.
As ransomware groups rely more on a hybrid model, in which much of their leverage for extortion comes from the threat that they will leak data stolen from victims, decryptors are only one of many tools needed to help victims avoid paying ransoms. But Alphv’s attempt on Tuesday afternoon to let its customers use its ransomware for attacks on vital services like hospitals and nuclear plants made the existence of the decryptor more significant, given how dangerous and disruptive that activity might be.
“The statement about targeting critical infrastructure is pretty concerning. This will be an ongoing battle, for sure. Law enforcement will have to aggressively roll out the decryption keys and tools for victims,” says Alex Leslie, a threat intelligence analyst at Recorded Future. “And data extortion is still on the table. Generally speaking, data extortion wouldn’t be as disruptive in terms of a national security crisis in the short term, but who knows.”
A search warrant released by the FBI says that law enforcement got login credentials for the ransomware gang’s platforms from a “confidential human source” with access to the group. Though it was not immediately clear how Alphv had “unseized” its site following the law enforcement action, researchers began to coalesce around some theories on Tuesday afternoon. Since both the cybercriminals and law enforcement had access to the login keys, it’s possible that multiple sites were registered to the same Tor address or that Alphv was able to add another registration and then point the site to servers that law enforcement did not control. In the same way, though, law enforcement’s presumably deep access to the gang’s infrastructure is likely what allowed it to retake the site.
The US Justice Department noted Tuesday morning that people with information about Alphv/Blackcat and its affiliates should come forward and may still be may be eligible for a reward through the US State Department.
Updated 12/19/23, 2:55 pm ET to reflect that law enforcement reestablished its control of Alphv’s dark-web leak site.