Despite law enforcement efforts to take down the notorious ALPHV/BlackCat ransomware gang, the cybercriminals are not going down without a fight.
Latest developments have shown that the site that was supposedly ‘taken down’ by the FBI has now been ‘unseized.’
The US Department of Justice (DoJ) announced a technical operation against BlackCat on December 19, accompanied by a notice on the group's website stating that it had been seized by the FBI.
However, some hours later, the group responded with its own notice on the original main leak site.
A Tussle With the FBI
“We’re in a situation where law enforcement and the operators of BlackCat both have the private key to the Tor .onion site and are therefore able to create different sites at the same URL,” Tim Mitchell, a senior threat researcher at the Secureworks Counter Threat Unit, explained to Infosecurity.
“The site with the most recent changes is most likely the one visitors will be greeted with. Law enforcement may be reluctant to engage in a back-and-forth, as it might undermine perception of the effectiveness of their efforts.”
Tim West, head of cyber threat intelligence at WithSecure, said: “Seizing of dark web infrastructure works in a different manner to seizing web pages on the surface web. ‘Owners’ of a hostname will be able to publish on that hostname if the publisher holds the correct private key. If two entities hold the same private key, then they can essentially each update the resource - and jostle for control of the blog."
West explained that, in theory, two entities can hold the same private key by accident if hostnames clash, but the chances of this are mathematically remote, and both the FBI warrant and BlackCat’s commentary allude to the employment of an insider.
Commenting on social media, Alexander Leslie, a threat intelligence analyst at Recorded Future, said: “As long as ALPHV retains their private keys, they’ll still have access to the blog. They could also spin up a second server. It’s not some incredible feat of intellect.”
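The researchers above are describing a property of how onion hostnames are built. To make it concrete, the following is an added example, not code from the original article or from any of the quoted researchers, that derives a version-3 .onion hostname the way the Tor rendezvous v3 specification defines it: the address is base32(PUBKEY || CHECKSUM || VERSION), with CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2] and VERSION = 0x03. The two 32-byte keys in the block are constructed stand-ins for ed25519 public keys; a real service generates them as an ed25519 keypair whose private half signs the descriptors that make the address reachable.

```python
import base64
import hashlib

# Version byte for current (v3) onion services, per the Tor rendezvous v3 spec.
ONION_VERSION = b"\x03"

# Constructed stand-ins for the 32-byte ed25519 public keys of two services.
# Real services derive these from an ed25519 keypair; the private half is
# what signs the descriptors that make the address reachable.
OPERATOR_PUBKEY = hashlib.sha256(b"constructed key for the original operator").digest()
OTHER_PUBKEY = hashlib.sha256(b"constructed key for an unrelated service").digest()


def onion_checksum(pubkey: bytes) -> bytes:
    """CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]."""
    digest = hashlib.sha3_256(b".onion checksum" + pubkey + ONION_VERSION).digest()
    return digest[:2]


def onion_address(pubkey: bytes) -> str:
    """Derive the 56-character v3 hostname: base32(PUBKEY || CHECKSUM || VERSION)."""
    if len(pubkey) != 32:
        raise ValueError("v3 onion services use a 32-byte ed25519 public key")
    raw = pubkey + onion_checksum(pubkey) + ONION_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_onion_address(address: str) -> bytes:
    """Recover the public key from a v3 address, rejecting bad length, version or checksum."""
    host = address.lower()
    if host.endswith(".onion"):
        host = host[: -len(".onion")]
    if len(host) != 56:
        raise ValueError("v3 onion hostnames are exactly 56 base32 characters")
    raw = base64.b32decode(host.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_VERSION:
        raise ValueError("unsupported onion address version")
    if checksum != onion_checksum(pubkey):
        raise ValueError("checksum mismatch: address is corrupt or mistyped")
    return pubkey


def same_hostname(pubkey_a: bytes, pubkey_b: bytes) -> bool:
    """Two publishers land on the same .onion exactly when they hold the same key pair."""
    return onion_address(pubkey_a) == onion_address(pubkey_b)


def forged_version_address(pubkey: bytes) -> str:
    """Same key and checksum but a wrong version byte, to show the parser rejects it."""
    raw = pubkey + onion_checksum(pubkey) + b"\x02"
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


if __name__ == "__main__":
    addr = onion_address(OPERATOR_PUBKEY)
    print("operator address:", addr)
    print("recovered key matches:", parse_onion_address(addr) == OPERATOR_PUBKEY)
    print("unrelated key gives same hostname:", same_hostname(OPERATOR_PUBKEY, OTHER_PUBKEY))
```

The hostname is a pure function of the public key: nothing in it identifies which server, or which organisation, is currently publishing descriptors for it. That is why a seizure that obtains a copy of the key does not lock the original holder out, and why West describes the two key holders as able to "jostle for control" of the same address. The checksum only catches typos and corruption; it offers no protection against a second party who holds the same private key.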
Mitchell commented: “The operators of BlackCat are maintaining active opposition to the law enforcement takedown attempt and are not going without a fight. This in itself is unusual. In most cases, ransomware groups will quietly disappear only to later re-emerge with a rebrand.”
Secureworks noted that on December 13, the group published the first victim to its new leak site. As of December 19, five victims were posted to the new site, demonstrating the group retained some operational capacity.
Threats to Critical Infrastructure
The notice BlackCat posted on the original main leak site was accompanied by a link to a new blog site and a Russian-language announcement that acknowledged the FBI’s action and threatened retribution.
In a translation of the message, the ransomware gang stated that because of the actions of law enforcement, ‘new rules’ were being introduced allowing ALPHV affiliates to target critical infrastructure, including hospitals and nuclear power plants.
However, many threat analysts note that the group already has a documented history of attacking healthcare and energy infrastructure targets.
Mitchell said, “Given that such activity appears more likely to bring law enforcement attention – which is why many groups explicitly avoid it – it seems unlikely that affiliates will choose to specifically target such organizations, especially as ransomware is a crime of opportunity for the most part and based on available access to victim networks.”
Leslie said that he believes this tactic is little more than ALPHV attempting to save face.
Speaking to Infosecurity, he said: "This “clap back” is intended to protect the ALPHV brand and double down on its claims that “work is continuing as normal”, despite that being obviously not true."
An Attempt to Retain Affiliates
The ransomware gang has also moved to cut the cost of working with them and has banned discounts to companies it has exploited - payment is strictly the amount indicated by the criminals.
West commented: "ALPHV’s move to cut the cost of working with them, widen the pool of available targets and ban discounts is likely an attempt to retain its affiliates with financial incentive, as affiliate trust in BlackCat’s operational security is almost certainly at an all-time low. It’s possible that this posturing is an attempt to save face, as disruption such as this by the FBI can be an existential threat to a ransomware family's brand.”
It is notable that, at the time of writing, there is no evidence of arrests being made relating to members of the group.
Mitchell said this means the long-term effects of the disruption activity might be limited.
“Any affiliates who don't want to work with them anymore can most likely just move on to another group, like LockBit,” he concluded.
Leslie said: "As we’ve already seen on dark web forums, groups like LockBit are seeking to poach ALPHV affiliates — and even ALPHV developers — who are skeptical of the long-term viability of ALPHV."
Ultimately, the stability of BlackCat depends on its ability to retain its affiliates, many of whom will be seeking employment elsewhere in order to distance themselves from law enforcement activity.