A Major Ransomware Takedown Suffers a Strange Setback

“Law enforcement is moving a lot faster, but it is still not fast enough,” says Allan Liska, an analyst for the security firm Recorded Future who specializes in ransomware. “It takes awhile to build a case and in the meantime these groups wreak havoc.”

Part of law enforcement’s delay in actually attempting to take down Alphv’s infrastructure may have been ongoing investigation into the actors behind the group. Alphv/BlackCat seems to have evolved from a gang known as BlackMatter, which, in turn, seemed to emerge as a recombination of the notorious Darkside ransomware group that targeted Colonial Pipeline in the US.

“This isn’t their first shit show. Unfortunately, it probably won’t be their last either,” says Brett Callow, a threat analyst at antivirus company Emsisoft. “But Alphv’s partners in crime will be wondering what information law enforcement was able to collect and who does it implicate?”

The takedown effort involved collaboration and parallel investigations from multiple law enforcement agencies, including those in the United Kingdom, Australia, Germany, Spain, and Denmark. And the US Justice Department said Tuesday that a decryptor tool for the Alphv ransomware that was developed by the FBI has already helped more than 500 victims recover from attacks and avoid paying roughly $68 million in ransoms.

As ransomware groups rely more on a hybrid model in which much of their leverage for extortion comes from the threat that they will leak data stolen from victims, decryptors are only one of many tools needed to help victims avoid paying ransoms. But if Alphv says it is opening the floodgates for customers to use its ransomware for attacks on vital services like hospitals and nuclear plants, the existence of the decryptor is significant in how dangerous and disruptive that activity might be.

“The statement about targeting critical infrastructure is pretty concerning. This will be an ongoing battle, for sure. Law enforcement will have to aggressively roll out the decryption keys and tools for victims,” says Alex Leslie, a threat intelligence analyst at Recorded Future. “And data extortion is still on the table. Generally speaking data extortion wouldn’t be as disruptive in terms of a national security crisis in the short term, but who knows.”

A search warrant released by the the FBI says that law enforcement got login credentials for the ransomware gang’s platforms from a “confidential human source” with access to the group. Though it was not immediately clear how Alphv had “un-seized” its site following the law enforcement action, researchers began to coalesce around some theories on Tuesday afternoon. Since both the cybercriminals and law enforcement had access to the login keys, it’s possible that multiple sites were registered to the same Tor address or Alphv was able to add another registration and then point the site to servers that law enforcement does not control. Emsisoft’s Callow also notes that while it seems unlikely, it is also possible that law enforcement posted the “un-seize” note as part of its operation.

The US Justice Department noted Tuesday morning that people with information about Alphv/Blackcat and its affiliates should come forward and may still be may be eligible for a reward through the US State Department.