In an unusual turn of events within the waters of the dark web, the Federal Bureau of Investigation (FBI) found itself entangled in a back-and-forth confrontation with the notorious
ALPHV/BlackCat ransomware gang. This unexpected clash marked a rare instance of a government agency engaging with a cybercriminal group, challenging the conventional narrative.
The FBI initiated a decisive move last year, a large scale takedown of the darknet website associated with the infamous ALPHV/BlackCat ransomware gang.
The seized website was promptly replaced with a splash page announcing the successful operation, forming part of the FBI’s comprehensive campaign to hault services offerred by the threat actor.
The ALPHV ransomware gang, also recognized as BlackCat, retaliated by regaining control over its dark website on multiple occasions. This triggered an intense back-and-forth struggle on the dark web, pitting the criminal syndicate against the formidable U.S. government agency.
Understanding the Turmoil: FBI’s Infiltration and Seizure
The Department of Justice, in a statement, disclosed details of its “disruption campaign,” revealing that a confidential source played a pivotal role in helping the FBI access more than 900 public/private key pairs controlling ALPHV ‘s darknet infrastructure.
This operation allowed the FBI to monitor the gang’s activities for months, culminating in the successful seizure of its websites in December. The ALPHV /BlackCat ransomware gang has been a prolific threat, earning $300 million in ransom proceeds from over 1,000 victims worldwide, as reported by the FBI.
As part of the intervention, the FBI obtained decryption keys, enabling the release of keys for approximately 500 affected organizations. This move facilitated these organizations in regaining control of their data, preventing an estimated $68 million in ransom demands.
The ALPHV ransomware group, identified as the second most prolific ransomware variant by NCC Group’s leak data statistics, had compromised over 1,000 entities globally, according to the FBI. This number surpassed previous estimates, indicating the extent of the cyber threat posed by the ALPHV gang.
In a conversation with TCE, vulnerability researcher and exploit developer, Alexandre Borges, shared his take on the effectiveness of law enforcement efforts against ransomware groups like LockBit. In his take, Alexandre says, “I really like the FBI approach because they do everything that is possible and expected according to laws. These criminals must be convicted and punished by their acts, and the only possible approach to extend the coverage is through joint task forces with other countries to condemn and restrict the movement of these criminals.”
ALPHV ‘s Counteractions and Rule Changes
In response to the FBI’s actions, the ALPHV /BlackCat ransomware group initiated counteractions, including reclaiming control of its dark website multiple times. Notably, the group altered its rules for ransomware-as-a-service operations, expanding the scope of their attacks to include hospitals and nuclear power plants. This move marked a drastic shift in strategy, raising concerns about the potentially catastrophic consequences of their attacks.
The ALPHV ransomware gang also modified its affiliate program by increasing the cut to 90%, possibly as an incentive for affiliates to remain loyal. Interestingly, reports surfaced of the LockBit ransomware attempting to poach developers and affiliates from the ALPHV /BlackCat group, showcasing the competitive landscape within the cybercriminal ecosystem.
The Cybersecurity and Infrastructure Security Agency (CISA) highlighted that, as of September 2023, ALPHV ‘s affiliates had compromised over 1,000 entities, with nearly 75% located in the United States.
The group demanded over $500 million and received almost $300 million in ransom payments. The takedown of ALPHV was part of a broader effort that also targeted other significant cyber threats, including the Kingdom Market and the dismantling of 3,500 online fraudsters.
Dark Web Conversations and Solidarity Among Cybercriminals
In follow-up events, dark web conversations between the ALPHV ransomware group and LockBit revealed an unexpected level of professionalism and solidarity. Threat actors from both groups expressed understanding and support for each other, acknowledging the collective threat posed by law enforcement agencies, particularly the FBI. These conversations shed light on the intricate dynamics within the cybercriminal community and the shared challenges they face.
The takedown of the ALPHV ransomware gang involved a multinational effort, with the FBI collaborating with around a dozen agencies, including the U.S. Department of Justice, the U.S. Secret Service, Europol, and the German Federal Criminal Police Office.
Logos from the national police forces of Australia, Spain, Estonia, Austria’s Directorate of State Security and Intelligence, the United Kingdom’s National Crime Agency, and the Eastern Region Special Operations Unit were featured on the splash page. The U.S. Rewards for Justice Program’s logo, offering rewards for information contributing to national security, was also prominently displayed.
The ALPHV /BlackCat ransomware gang, notorious for its scale and impact, has evolved its techniques to elude defense systems. The FBI and CISA revealed that the group employs advanced social engineering techniques and open-source research to gain initial access to a target’s network. Affiliates pose as company IT or helpdesk staff, using phone calls or SMS messages to obtain credentials. The group utilizes live chat to convey demands and initiate processes for restoring encrypted files.
Decline in Ransom Payments and the Changing Nature of Cybercrime
The decline in ransom payments to cybercriminal organizations like ALPHV is attributed to multiple factors. Organizations are increasingly unwilling to pay criminals residing in certain countries or associated with sanction lists. Additionally, the dishonest and unscrupulous behavior of affiliates has further deterred victims from complying with extortion demands. The landscape of ransomware attacks is shifting, with organizations opting not to pay and restoring systems from backups becoming the norm.
The LockBit ransomware group recently expressed their perspective on the ALPHV situation and acknowledged the threat posed by the FBI. LockBit highlighted the vulnerability of its own dashboard and emphasized the need for enhanced security measures. The administrators affirmed their commitment to continue operations under the LockBit brand, even in the event of a hypothetical FBI hack.
Talking about taking a stand against ransomware groups, Alexandre said, “Ransomware groups, and LockBit in special, explore typical system failures such as employees using weak passwords, absent of MFA, vulnerable and unpatched operating system and programs, excess of privilege for daily applications, non-segmented networks, and misconfigured defense products.”
“The usual recommendation for Windows systems would be adopt measures as VBS and Credential Guard, reduce privileges of applications, use resources like AppLocker, have an efficient logging configuration including auditing and ETW, restrict exposed services on the Internet (RDP and SMB are obvious, but there are other ones), perform continuous scanning on the corporate network to detect possible vulnerabilities and exposed services, have a proven-effective real backup policies implemented and, the most important actions, provide employees with awareness training to prevent them been victimized by phishing attacks”, added Alexandre.
The takedown of the ALPHV /BlackCat ransomware gang by the FBI highlights the challenges faced by law enforcement agencies in combating these notorious hacker groups. As cyber criminals adapt and evolve, law enforcement agencies face the challenge of staying ahead in the cat-and-mouse game. The intricate dynamics among cybercriminal groups, as revealed in dark web conversations, provide insights into the motivations and challenges within the underground ecosystem.
Conclusion
The FBI’s takedown of the ALPHV /BlackCat ransomware gang marks a significant step in the ongoing battle against cybercrime. The collaborative effort involving multiple international agencies highlights the global nature of ransomware groups and the combined cybercrime market.
The evolving strategies of ransomware groups and the changing realm of ransom payments emphasize the need for continuous vigilance and adaptive cybersecurity measures to protect organizations and individuals from these malicious threats.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.