On December 19, 2023, one of the ALPHV/BlackCat ransomware sites was taken down by the FBI. The typical FBI banner now decorates its main page, while other sites of the cybercrime gang are still online. This event is possibly related to the 5-day downtime of all the gang’s Darknet infrastructure a week ago.
ALPHV/BlackCat Ransomware Site Seized
At around 13:00 GMT, one of BlackCat’s onion sites began returning the FBI banner, which states that the site has been seized by law enforcement. At the same time, however, the gang’s other Darknet infrastructure is up and functioning, meaning that the seizure is likely limited to this one site.
All this becomes more interesting when we remember the events around ALPHV’s Darknet sites a week ago. Both the leak site and the negotiation pages were down – simply unresponsive, without any banners. At that point, many cybersecurity newsletters started speculating that this was a sign of the hackers being paid a visit by law enforcement. However, as the sites were back online in 5 days, it seemed clear that all these suppositions were false.
Or were they? Such a subsequent website seizure, along with ALPHV’s silence regarding the reasons for the previous downtime, leaves a lot of room for reflection. Most probably, something related to an FBI intervention was going on, but the hackers managed to escape and get their network infrastructure back up. This looks realistic, since all the records regarding the previous victims are gone, as you can see above.
We have seen hackers’ sites come back up after a law enforcement interruption before. Back in March 2023, the infamous BreachForums was taken down by the FBI after its admin was detained. Shortly after, another admin restarted the forum, only to notify the users about what was happening. This did not stop the inevitable – BF was down until the “reborn” forum led by the ShinyHackers.
FBI Seized ALPHV Darknet Site – The Trend Continuation?
All the hypotheses and comparisons aside, network infrastructure takedowns are a new trend led by the FBI. The ruination of the QakBot infrastructure, the IPStorm botnet disruption, the wiping of Trigona ransomware servers – these are only some of the past and ongoing events with the same intention. And the ALPHV site seizure will complete this list beautifully.
Will that entirely stop the ransomware gang? Of course not. For large players like ALPHV, recovery is just a matter of time; they have enough money to sustain an idle period. QakBot actually proves this, being back in business with an email spam campaign that started on December 11, 2023. Nonetheless, for smaller cybercrime gangs, such a disruption may be a serious reason to stop their activity.
As there are currently no statements from either the FBI or the ALPHV/BlackCat hackers, the story will unfold in new details pretty soon. I will update this post as new info pops up – be sure to come back and check.
UPD 12/19/23 14:00 GMT
Two more pieces of information: official claims from ALPHV and the FBI’s press release, published on its official site. Let’s review them one by one.
In a chat with VX-Underground, the hackers assure that nothing happened to their actively used web assets. The FBI took down “the blog they deleted a long time ago”, and the page they use now is at a different address. Though, as far as I remember, this “old” site was used as a mirror for some time. Even if their claim is true, there could be some remnants of information on that site useful to law enforcement.
What contrasts with the hackers’ claims is the FBI press release, which covers more than just the site takedown. Law enforcement is offering a decryption tool to ALPHV victims from any country. Allegedly, they developed the solution some time ago and have been offering it to all the victims through their own and partners’ offices. The Feds also say they have access to the group’s internal network. That is probably the reason for today’s takedown.
UPD 12/19/23 18:00 GMT
The seized website appears to be... unseized. At least that is what it says now, with the BlackCat logo on top and a text note below. The note is written in Russian and partially repeats what they said to VX-Underground in the chat. But then some interesting things come into view:
Yes, as you can read above, to avenge the site seizure, ALPHV is removing all of its attack limitations. These are what is known as “ethical hacking rules”: no attacks on critical infrastructure, like hospitals, nuclear stations, and others. Not all gangs follow them, though most of the large and long-running ones do. But now ALPHV appears to be out of this “club” and will start attacking pretty much whatever it wants.
All in all, all I have to say is that some sort of chaos is happening. How did the FBI get access to the site? How did ALPHV regain access? What is the matter with the decryption keys? We will probably see an explanation for all this pretty soon.
UPD 12/19/23 20:00 GMT
The FBI banner is back. These are apparently historic events. Should we wait for round 2 with the current leak site?