It seems that one of the world’s most prolific ransomware gangs is finally throwing in the towel, with the ALPHV ransomware gang saying it cannot continue operations thanks to “the Feds” and taking its site offline.
ALPHV first took its site down earlier this week after it stole $22 million in ransomware earnings from one of its affiliates, who had recently attacked UnitedHealth subsidiary Change Healthcare.
Now, it seems ALPHV is staging a fake law enforcement intervention by pretending the FBI seized its infrastructure and dark web leak site, as the FBI genuinely did late last year.
The group changed its status on the Tox messaging platform yesterday (5 March) to “GG”, hinting at the operation’s end.
It now lists its malware source code for sale for a whopping $5 million.
“Selling source code for 5kk,” the group wrote.
Additionally, ALPHV administrators have announced on a hacker forum that they are closing down the group after law enforcement interrupted them.
“We decided to completely close the project, we can officially declare that the feds screwed us over,” it said in an email responding to the affected affiliate, who outed it for stealing $22 million.
“The source code will be sold, negotiations are already underway on this matter.”
ALPHV has accused the FBI of once again seizing its operation and taking its site down, and its site now displays the seizure banner that appeared late last year after a global law enforcement operation. However, law enforcement agencies speaking with media have confirmed that they were not involved in the latest outage.
Speaking with BleepingComputer, the UK’s National Crime Agency (NCA) confirmed it had nothing to do with the fake seizure. The FBI reportedly declined comment.
According to ransomware expert Fabian Wosar, speaking with BleepingComputer, the group set up a Python SimpleHTTPServer to fake the seizure, serving a PNG of the old seizure banner that the group had archived.
“So they simply saved the takedown notice from the old leak site and spun up a Python HTTP server to serve it under their new leak site. Lazy,” Wosar told the publication.
Wosar also said that his Europol contacts denied any involvement in the fake seizure.
Additionally, CrowdStrike head of counter adversary operations Adam Meyers told Cyber Daily that the lack of evidence backing ALPHV’s claims suggests this is an exit scam.
“Based on currently available information – this appears to be an exit scam based on ALPHA SPIDER’s [the operator of the ALPHV ransomware-as-a-service] inability to provide evidence contradicting the accusations lodged against the adversary,” Meyers said.
“Additionally, LE organisations have not issued statements suggesting that they have compromised the newest ALPHV dedicated leak site (DLS), and there is a possibility that the seizure notice was directly copied from the seizure notice published to the old ALPHV DLS.
“The significant bitcoin transactions correspond to the ransom payment ALPHA SPIDER is accused of defrauding from an affiliate.”