The ALPHV ransomware group has had its website taken down once again by the FBI and international allies just a day after it leaked data belonging to a US military contractor.
The ransomware group, which also goes by the name BlackCat, had reportedly listed Ultra Intelligence & Communications (I&C), a subsidiary of Ultra, a defence and security organisation based in Britain.
According to ALPHV, 30 gigabytes of data was stolen from I&C, including financial data, employee data and audit data, which the group claims relate to the North Atlantic Treaty Organisation (NATO), the FBI, Israel, Switzerland, and several defence organisations.
Additionally, Swiss media has reported that the stolen data includes contracts between I&C and the Swiss Department of Defence.
According to SwissInfo.ch, one of the leaked documents pertains to a contract between the Swiss Department of Defence and I&C for just under US$5 million, for which the contractor provided communications technology for the Air Force. The data also includes emails and receipts that timestamp the contract.
At the time of writing, I&C has not issued any statement on the issue.
Following ALPHV’s latest listing, Cyber Daily has observed that the ALPHV dark web leak site has been seized by the FBI, with the assistance of the Australian Federal Police (AFP) and other international law enforcement agencies.
“The Federal Bureau of Investigation seized this site as part of a coordinated law enforcement action taken against ALPHV BlackCat Ransomware,” said the seizure notice.
“This action has been taken in coordination with the United States Attorney’s Office for the Southern District of Florida and the Computer Crime and Intellectual Property Section of the Department of Justice with substantial assistance from Europol and Zentrale Kriminalinspektion Göttingen.”
The message on the leak site is the same one that appeared on the ALPHV site last year, when a coordinated FBI-led operation took the site offline for an extended period.
As part of the campaign to bring down ALPHV, the FBI became an affiliate of the ALPHV ransomware group through work with a confidential human source.
This granted it access to the back-end affiliate panel, which allowed it to not only determine how the group operated but also secure private decryption keys.
“During this investigation, law enforcement gained visibility into the BlackCat ransomware group’s network,” according to an unsealed search warrant.
“As a result, the FBI identified and collected 946 public/private key pairs for Tor sites that the BlackCat ransomware group used to host victim communication sites, leak sites, and affiliate panels like the ones described above.”
The Tor keys are what let law enforcement take over the sites themselves. Separately, the visibility gained inside the group's infrastructure let the FBI build a decryption tool, which it offered to more than 500 victims so they could restore encrypted systems without paying ALPHV; the Department of Justice put the ransom demands avoided at roughly US$68 million.
Additionally, the FBI, alongside international law enforcement agencies that assisted with the campaign (including the AFP), posted a seizure message on the leak site.
“The Federal Bureau of Investigation seized this site as part of a coordinated law enforcement action taken against ALPHV BlackCat Ransomware,” it read.
The reappearance of the seized message may actually not be related to the I&C attack but rather be a continuation of the previous sting.
Because both the FBI and ALPHV hold the private key behind the leak site's onion address, each side can publish a fresh service descriptor for the same address and take it over. A v3 .onion address is derived directly from the service's ed25519 public key, so possession of the matching private key is all the Tor network checks; neither party can lock the other out without changing the address. The result is a digital tug-of-war in which either side can reclaim the URL from the other.
Following last year’s sting, ALPHV promised to hit harder than it had been before, lifting rules on what it and its affiliates were able to target.
“Because of [the FBI’s] actions, we are introducing new rules, or rather removing ALL the rules except one, you can not touch the CIS [Commonwealth of Independent States], you can now block hospitals, nuclear power plants, anything and anywhere,” ALPHV said.