AlphV re-emerged within hours of a law enforcement takedown of its infrastructure on Tuesday, claiming it had “unseized” its data leak site, according to threat researchers’ dark web observations.
The prolific ransomware group named a new victim organization and updated a post on a previously claimed victim since the FBI and international law enforcement agencies announced the takedown, according to Dark Web Informer.
Law enforcement agencies re-seized AlphV’s site hours after the group re-appeared and the threat group quickly set up a new site, according to Brett Callow, threat analyst at Emsisoft.
While threat groups often reorganize with new infrastructure and rebrand themselves, the abrupt reappearance of AlphV’s data leak site, complete with new victim listings and updated posts, within hours of a seizure was extraordinary, according to cybersecurity experts.
“This is the first time I can recall threat actors and law enforcement wrestling for control of a site,” Callow said.
The current status and capacity of AlphV’s operations are unclear.
AlphV, also known as BlackCat, has compromised more than 1,000 entities and received nearly $300 million in ransom payments as of September, making it the second-most prolific ransomware as a service group in the world, according to the FBI and the Cybersecurity and Infrastructure Security Agency.
The group, which was first observed in November 2021, directly claimed responsibility for recent attacks against Norton Healthcare, Fidelity National Financial and Tipalti. AlphV’s affiliate Scattered Spider, which used the AlphV ransomware variant, is linked to major attacks against MGM Resorts, Caesars Entertainment and Clorox.
Almost 3 in 4 AlphV victims are U.S.-based organizations, according to federal authorities.
Callow described AlphV’s activities over the past 24 hours as a tactical error. “Given that their operation has been compromised, their business associates would have wanted them to burn the operation to the ground, not play tug-of-war with law enforcement,” Callow said.
Threat researchers remain confident that AlphV’s capabilities are diminished as a result of law enforcement actions, but warn of potential further harm.
“We've seen these kinds of outbursts from ransomware groups before when they are nabbed by law enforcement and it changes nothing,” said Allan Liska, threat intelligence analyst at Recorded Future. “AlphV and its affiliates have not exactly been a model of restraint to this point, so nothing is going to change.”
Liska characterized AlphV’s comeback as a technical workaround inherent to how .onion services work: a v3 .onion address is derived from the service’s public key, so whoever holds the matching private key can publish the service from any server and the same address will resolve to it.
“When law enforcement seized the server, the AlphV operator was able to install the key pair on a new server and that is now where the domain points,” Liska said. “It doesn’t change the fact that law enforcement has their old server and likely all the data hosted on it.”
Both the threat group and the FBI now possess the private keys necessary to host AlphV’s service at that address on the Tor network, according to Secureworks’ Counter Threat Unit Research Team.
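To make concrete why a seized server does not take the address with it, here is an added example (not code from the article, from AlphV, or from the Tor Project) that derives a v3 .onion address from a public key and validates one, following the encoding in Tor’s rend-spec-v3: the address is base32(public key || checksum || version), where the checksum is the first two bytes of SHA3-256(".onion checksum" || public key || version) and the version byte is 0x03. The 32-byte key below is a constructed placeholder derived from a fixed string, not a real ed25519 key; it only needs to be 32 bytes for the encoding to work.

```python
import base64
import hashlib

ONION_VERSION = b"\x03"  # v3 onion services
CHECKSUM_PREFIX = b".onion checksum"


def onion_address(pubkey: bytes) -> str:
    """Derive the v3 .onion address that belongs to a 32-byte ed25519 public key.

    Because the address is a function of the public key alone, anyone holding the
    private key can stand up the service on a new host and keep the same address.
    """
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    checksum = hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_VERSION).digest()[:2]
    raw = pubkey + checksum + ONION_VERSION  # 35 bytes -> exactly 56 base32 chars
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def onion_pubkey(address: str) -> bytes:
    """Recover the embedded public key from a v3 .onion address, verifying the checksum.

    Raises ValueError for a malformed, tampered, or non-v3 address.
    """
    label = address.strip().lower()
    if label.endswith(".onion"):
        label = label[: -len(".onion")]
    if len(label) != 56:
        raise ValueError("not a v3 onion address (expected 56 base32 characters)")
    raw = base64.b32decode(label.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:35]
    if version != ONION_VERSION:
        raise ValueError("unsupported onion version byte")
    expected = hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + version).digest()[:2]
    if checksum != expected:
        raise ValueError("checksum mismatch: address was corrupted or tampered with")
    return pubkey


# Constructed placeholder key: 32 deterministic bytes standing in for an ed25519 public key.
EXAMPLE_PUBKEY = hashlib.sha256(b"constructed example key, not a real onion service").digest()


def demo() -> dict:
    """Show that the address depends only on the key, not on where the service is hosted."""
    addr = onion_address(EXAMPLE_PUBKEY)
    # Flip one character of the address and show the checksum catches it.
    tampered = ("a" if addr[0] != "a" else "b") + addr[1:]
    try:
        onion_pubkey(tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {
        "address": addr,
        "round_trip_ok": onion_pubkey(addr) == EXAMPLE_PUBKEY,
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    print(demo())
```

Every v3 address ends in the letter "d" because the trailing version byte 0x03 fills the last five bits of the base32 output; that is a quick sanity check when triaging an onion address. The practical takeaway for incident responders is that control of the address follows the private key, not the hardware: seizing a box freezes the data on it, but only seizing or rotating the key ends the operator’s ability to republish at the same name.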
Law enforcement agencies’ efforts led to the development of a decryption tool that has allowed dozens of victims to restore their systems and avoid ransom demands totaling about $68 million, the FBI said Tuesday. The decryptor is available to more than 500 affected victim organizations globally.
The takedown and creation of a widely used decryptor is unequivocally good news, “but it also shows the Whac-A-Mole nature of these law enforcement operations,” Liska said. “They are important, but we need to find ways to do more.”
The FBI did not immediately respond to an inquiry about AlphV’s activities following the takedown.
“While disruptions like this are unlikely to have a lasting impact on the number of incidents, they’re nonetheless critically important and help ensure the problem doesn’t spiral further out of control pending governments implementing more permanent solutions,” Callow said. “Make no mistake, this was a big win for the good guys.”