Defiant BlackCat Gang Stands Up New Site, Calls for Revenge Attacks

Ransomware group tries to claw back operations following FBI disruption, and lifts a previous ban on attacks against critical infrastructure in retaliation.

[Image: Black cat on computer screen. Source: Sari O'Neal via Alamy Stock Photo]

BlackCat/ALPHV ransomware leaders claim they have restarted operations on the group's primary blog, despite the Department of Justice's claim that it gained control of the site. Further, in retaliation for the law enforcement actions against the gang, they announced they have dropped a previous ban on cyberattacks against critical infrastructure.

BlackCat also claimed that, beyond "unseizing" the sites, the decryption key being offered by the FBI is outdated and taken from an older version of the blog, according to Flashpoint researchers' reading of the group's Dec. 19 message.

It's a bold claim, but experts have their doubts about BlackCat's ability to mount such a quick comeback.

BlackCat Didn't 'Unseize' Its Blog

First, the data and server have indeed been seized by the FBI, and there are no takebacks, Steve Stone from Rubrik Zero Labs explains. Stone tells Dark Reading the idea of "seizing" and "unseizing" the site is being widely misunderstood in the public discourse.

"Put simply, the FBI and other law enforcement organizations have successfully seized control of a data repository and also took control of/took down the ALPHV site they used to run their ransomware-as-a-service (RaaS) operations," Stone says. "ALPHV has responded by spinning up a new server and applying their security key, which makes this the new site."

Next, the FBI will revert the new site to the old one already in their control, and the cycle continues, he predicts.

"The FBI then works to revert it to the original/seized one," Stone says. "Then ALPHV does it again, as we saw yesterday."

Heightened Critical Infrastructure Ransomware Threat

Meanwhile, the threat of fresh cyberattacks on critical infrastructure as a result of BlackCat's lifting of restrictions for its affiliates is very real, cybersecurity insiders warn.

"Given ALPHV's new stance, there is a real possibility of an increase in cyberattacks on critical infrastructure," says Chris Grove, director of cybersecurity strategy for Nozomi Networks. "Organizations operating critical infrastructure should be on heightened alert, as these developments could re-awaken a dormant phase in cybercriminal tactics where CI is fair play."

Ransomware is a lucrative business and BlackCat isn't likely to give it up without a fight, Grove adds.

"Although this group's operations are degraded, they might act out of desperation to maintain their image as a safe system for hackers to leverage for their criminal activities," Grove says. "In a short period of time they've been able to pull in $300 million to fund these types of operations, something they will fight for at the expense of our society's safety and peace."
