The infamous ALPHV hacking group has all but declared war after a disruption campaign took out its dark web leak site for almost a full week.
The threat group’s site was taken down on 7 December, with law enforcement recently confirming it was behind the outage.
The disruption was an international operation led by the FBI, which brought down the ransomware gang's infrastructure after working with a confidential human source (CHS) who enabled it to sign up as an affiliate of the ALPHV ransomware group (also known as BlackCat).
Affiliate status gave the FBI access to the back-end affiliate panel, which allowed it not only to determine how the group operated but also to secure private decryption keys.
“During this investigation, law enforcement gained visibility into the BlackCat ransomware group’s network,” according to an unsealed search warrant.
“As a result, the FBI identified and collected 946 public/private key pairs for Tor sites that the BlackCat ransomware group used to host victim communication sites, leak sites, and affiliate panels like the ones described above.”
With the keys, the FBI developed a decryptor to allow victims to restore encrypted systems without paying ALPHV a ransom, saving a collective US$68 million.
Additionally, the FBI, alongside international law enforcement agencies that assisted with the campaign (including the Australian Federal Police), posted a seizure message on the leak site.
“The Federal Bureau of Investigation seized this site as part of a coordinated law enforcement action taken against ALPHV BlackCat Ransomware,” it read.
That seizure notice has since disappeared. Because both the FBI and ALPHV hold the private and public keys for the site's Tor address, either party can publish its own content at that address, and the two have been seizing the URL back from each other in a digital tug-of-war.
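Why possession of the key pair decides who controls the address: a v3 onion hostname is not a name registered anywhere, it is the service's ed25519 public key itself, base32-encoded together with a checksum and a version byte, and the Tor network hands connections to whoever can sign a descriptor with the matching private key. The following Python is an added illustration for this article, not code from the FBI, Tor or any party named here; the sample key is a constructed 32-byte value, not a real service's key.

```python
import base64
import hashlib
from typing import Optional

# Tor v3 onion services use version byte 0x03.
ONION_VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"

# Constructed sample value standing in for an ed25519 public key. Address
# derivation only needs 32 bytes, so this is sufficient for the illustration.
SAMPLE_PUBKEY = hashlib.sha256(b"constructed sample key, not a real onion service").digest()


def onion_address(pubkey: bytes) -> str:
    """Derive the v3 .onion hostname bound to a 32-byte ed25519 public key.

    address = base32(pubkey || checksum[:2] || version) + ".onion"
    checksum = SHA3-256(".onion checksum" || pubkey || version)
    The hostname is therefore a function of the key alone: anyone holding the
    matching private key can publish a descriptor for this address.
    """
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    checksum = hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_VERSION).digest()[:2]
    # 35 bytes = 280 bits = exactly 56 base32 characters, no padding.
    return base64.b32encode(pubkey + checksum + ONION_VERSION).decode().lower() + ".onion"


def parse_onion_address(addr: str) -> Optional[bytes]:
    """Return the embedded public key if addr is a well-formed v3 address.

    Checks suffix, length, version byte and checksum; returns None otherwise.
    A defender can use this to validate .onion indicators before acting on them.
    """
    if not addr.endswith(".onion"):
        return None
    label = addr[: -len(".onion")]
    if len(label) != 56:
        return None
    try:
        raw = base64.b32decode(label.upper())
    except (ValueError, TypeError):
        return None
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_VERSION:
        return None
    expected = hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + version).digest()[:2]
    if checksum != expected:
        return None
    return pubkey


if __name__ == "__main__":
    addr = onion_address(SAMPLE_PUBKEY)
    print("derived address:", addr)
    print("round-trips to same key:", parse_onion_address(addr) == SAMPLE_PUBKEY)
```

Because the address is derived from the key and nothing else, a seizure that copies the private key does not lock the original operator out; both holders can keep publishing descriptors for the same hostname, which is exactly the back-and-forth the article describes.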
Following the incident, ALPHV's real affiliates have begun to lose trust in the group: BleepingComputer reports that they have been hesitant to use the leak site to contact victims and have instead been negotiating directly via email.
It’s likely that this is because affiliates are fearful that law enforcement agencies have infiltrated the back end and could monitor their activity.
However, ALPHV is refusing to take the attack on its site lying down. In a post headed "This site has been unseized," it announced that it would escalate and remove the rules that had constrained its affiliates.
It also said it believes that the FBI only secured keys for victims from the last six weeks.
“As you all know, the FBI got the keys to our blog, now we’ll tell you how it was,” the post said following translation from Russian to English.
“First, how it all happened, after examining their documents, we understand that they gained access to one of the DC, because all the other DC were untouched, it turns out that they somehow hacked one of our hosters, maybe even he himself helped them.
“The maximum that they have is the keys for the last month and a half, it’s about 400 companies, but now more than 3,000 companies will never receive their keys because of them.
“Because of their actions, we are introducing new rules, or rather removing ALL the rules except one, you cannot touch the CIS [Commonwealth of Independent States], you can now block hospitals, nuclear power plants, anything and anywhere.”
The Commonwealth of Independent States is an intergovernmental agreement that was formed following the fall of the Soviet Union.
It also insisted that it would not be bullied into providing discounts.
“The rate is now 90 per cent for all adverts,” it said.
“We do not give any discounts to companies, payment is strictly the amount that we specified.
“VIP advertisers receive their private affiliate program, which we raise only for them, on a separate DC, completely isolated from each other.
“Thank you for your experience, we will take into account our mistakes and work even harder, waiting for your whining in chat rooms and requests to make discounts that no longer exist.”
Other ransomware groups are capitalising on the lack of trust in ALPHV, with fellow Russia-based ransomware group LockBit inviting ALPHV and NoEscape affiliates to come join them.
“I appeal to all alpha and noescape advocates, if you have backups of the data of corps that were in the process of negotiations, you can pass this data to me, and we will post all the corps on my eternal blog,” said what appears to be a LockBit admin on the threat group’s blog.
“You can continue negotiations and complete all unfinished deals, although some transactions may have already been completed without your knowledge, but you will only find out about this after you are able to resume negotiations with the attacked companies.
“If alpha is everything, I invite an alpha coder to join me for cooperation.”
ALPHV, like LockBit, is one of the largest ransomware groups in operation. According to the FBI, the group had earned over US$300 million from more than 1,000 victims worldwide as of September this year.
Since the outage, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have released an advisory outlining the tactics and measures the group uses.
“Today [19 December], CISA and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory (CSA), #StopRansomware: ALPHV BlackCat, to disseminate known ALPHV BlackCat affiliates’ tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) identified through FBI investigations as recently as Dec. 6, 2023,” said CISA on its website.
“The advisory also provides updates to the FBI FLASH BlackCat/ALPHV Ransomware Indicators of Compromise released April 19, 2022.”
Both CISA and the FBI advise critical infrastructure operators to implement the recommendations in the advisory to mitigate the damage done by the ALPHV ransomware group.