Feds Snarl ALPHV/BlackCat Ransomware Operation

Dark Web chatter indicates that Scattered Spider worked with the FBI to take down the BlackCat/ALPHV operation.

Black panther, panthera pardus, adult snarling, in defensive posture
Source: Imagebroker via Alamy Stock Photo

After nearly two weeks of speculation, the US Department of Justice has claimed credit for the takedown of ALPHV/BlackCat leak sites and infiltrating the ransomware group's network.

Experts speculate this could be a wrap for the ransomware group just in time for the holidays — sending its leadership into retirement and affiliates to try and find a new operator.

The FBI is also offering a free decryptor that it developed to help the more than 500 ALPHV/BlackCat victims it has identified to recover their systems.

According to the FBI warrant to search BlackCat property, unsealed today along with a DoJ announcement on the takedown, law enforcement was able to infiltrate the BlackCat operation with help from a confidential human source who applied with the group to become an affiliate. The informant was granted credentials to the ransomware group's dashboard used to manage breaches, extortion demands, and payments, giving law enforcement a way into the operation, the warrant said.

Did Scattered Spider Give Up BlackCat?

Just weeks ago, the FBI received criticism for not acting more quickly to arrest the brazen Scattered Spider group. But it could be that the cops were working another angle.

Yelisey Bohuslavskiy, chief research officer with RedSense, was among the first to publicly confirm that the BlackCat system outages were the result of law enforcement efforts, back on Dec. 8. He tells Dark Reading that ransomware ecosystem chatter is pointing to it being members of Scattered Spider who were working on the inside with the FBI.

"This sounds compelling, as the only thing needed for such operation is an access to blog and data servers which a member of Scattered Spider may have had," Bohuslavskiy says.

"Hack the Hacker" Ops Intended to Send a Message

"This action by law enforcement sends a very strong message to ALPHV affiliates and other threat actors," Charles Carmakal, Mandiant's consulting CTO for Google Cloud, explained to Dark Reading in an emailed comment. "Some of the ALPHV affiliates are still active however, including UNC3944 (Scattered Spider). We expect some affiliates will continue their intrusions as normal, but they will likely try to establish relationships with other ransomware-as-a-service (RaaS) programs for encryption, extortion, and victim-shaming support."

The DoJ refers to these types of cybersecurity law enforcement actions as "hack the hacker" operations, and according to Michael McPherson, a former FBI special agent currently with ReliaQuest, they are intended to send the message to cybercriminals everywhere that they could be next.

“The desired effect of a disruption is to keep the criminals looking over their shoulder," McPherson says. "Are they next? Are they already infiltrated by law enforcement?"

There's also the goal of undermining profitability for cybercrime gangs. McPherson added that law-enforcement organizations accept that it might not be realistic to expect a takedown to totally dismantle sophisticated cybercrime rings like BlackCat. Through these sophisticated "hack the hacker" takedowns they hope to at least slow them down and drive up the cost of committing cybercrimes.

Successful disruption of a group like BlackCat also signals to both current and potential victims that when they are breached by ransomware, there are viable alternatives to paying the extortion, McPherson says.

"Helping 500 victims with a decryption tool in this instance will hopefully show organizations that collaborating with law enforcement is a far better option than paying the criminals," he explains. "That said, ransomware remains highly profitable and it will not stop criminals trying their luck until the risk-reward dynamic changes.”

BlackCat's Ransomware Future Bleak

If history is any indicator, Bohuslavskiy is dubious the ALPHV/BlackCat operation will be able to recover from this takedown in any meaningful way.

"Based on the previous cases of law enforcement agencies, organized crime groups do not recover from a critical infrastructure hit like a blog takedown, as this leads to their existential failure," he explains. "The blog has everything, from encryption keys, to verified means of communications between group members."Bohuslavskiy predicts the ALPHV leadership will retire from the ransomware game after the FBI disruption.

"AlphV had a very small crew of top-tier pen testers. They have made enough money to retire now, and there are very few crime collectives which has enough reputation to attract people with such skills — namely ex-Conti collectives like BlackSuit or BlackBasta," he explains. "Since they won't have anywhere to go (LockBit is perceived as an extremely poorly government set up with an unstable admin and a comical support crew; Hive was dismantled, and smaller groups won't have enough money to pay the pentesters of this level), their logical path is to retire."

Making it easier to retire than continue the ransomware operation is precisely what the FBI was hoping to accomplish with the BlackCat/ALPHV operation."This is exactly why LEA is effective — it weaponizes the group's fatigue to the point of quitting," Bohuslavskiy adds. "And because there are very few capable people across the ransomware domain, as they quit, the ransomware ecosystem degrades."

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights