Blackout for ALPHV: DOJ Shuts Down Notorious Ransomware Gang

The U.S. Department of Justice has announced the FBI’s successful infiltration into the infrastructure of the ransomware group ALPHV (BlackCat). This operation enabled agents to monitor the hackers’ actions and obtain decryption keys.

The incident came to light after the group’s negotiation and data leak sites on the Tor network abruptly ceased operations on December 7. The ALPHV administrators initially attributed the issue to hosting problems, but it soon became apparent that law enforcement action was the cause. The operation involved police and investigative agencies from the USA, Europol, Denmark, Germany, the United Kingdom, the Netherlands, Australia, Spain, and Austria.

According to a court order, a pivotal factor in the operation’s success was the recruitment of a confidential source. Responding to the group’s public call for affiliates and passing an interview with the cyber criminals, the source gained access credentials to ALPHV’s partner system on the Tor network. This access allowed law enforcement to study and oversee the group’s online actions.

The FBI, having gained access to the group’s servers, conducted several months of surveillance, simultaneously extracting decryption keys. This enabled the restoration of data for about 500 victims of the ransomware, avoiding ransom payments totaling approximately $68 million.

As part of the operation, the FBI also seized the domain of ALPHV’s data leak site, which now displays a notice of its confiscation. The site’s capture was made possible after the FBI obtained keys to access the Tor hidden services under which the site operated.

The disclosed search warrant reveals that law enforcement accessed the BlackCat network, identifying and collecting 946 pairs of public and private keys. These keys were used to manage victim communication sites, data leak platforms, and affiliate panels.

Following the disruption of ALPHV’s servers, the partners’ trust in the group diminished – some began to directly contact victims via email, bypassing the group’s Tor network platform. This is attributed to concerns that ALPHV’s infrastructure might have been compromised. It’s also noteworthy that the LockBit ransomware group saw the situation as an opportunity to expand its activities, inviting ALPHV affiliates to join them.

Since its inception in August 2020 under the name DarkSide, the group has repeatedly changed its name and tactics in response to law enforcement actions. After the attack on Colonial Pipeline in May 2021, the group was forced to cease its operations, only to resume under the name BlackMatter. However, this time, the group had to retreat after Emsisoft discovered a vulnerability in creating a decryptor, and the group’s servers were captured.

Since November 2021, the group has operated under the name ALPHV/BlackCat, continually refining its extortion methods. Likely, following this law enforcement operation, the group will again attempt to change its name and strategy.