One of the most prolific ransomware-as-a-service (RaaS) groups operating today has suffered online disruption which intelligence experts have attributed to police action.
Cyber-threat intelligence firm RedSense said in a post on X (formerly Twitter) on Friday that it could “confirm” the leak site belonging to ALPHV (aka BlackCat) had been taken down by law enforcement.
However, it appears to be basing this judgement not on direct knowledge of any police action, but intelligence gathered from the cybercrime community.
“RedSense chief research officer, Yelisey Bohuslavkiy, confirms that the threat actors, including #BlackCat’s affiliates and initial access brokers, are convinced that the shutdown was caused by a law enforcement action,” it noted.
“He specifies that other ransomware leadership from the top-tier groups directly related to #ALPHV also confirm this: specifically, admins and team leads of #Royal/#BlackSuit, #BlackBasta, #LockBit, and #Akira.”
Today, RedSense can confirm that #ALPHV aka #BlackCat ransomware gang’s site has been taken down by law enforcement @4D435A pic.twitter.com/ydx5irW86N
— RedSense (@RedSenseIntel) December 8, 2023
However, the group itself has maintained that disruption to its public-facing leak site and payment infrastructure is simply down to unspecified “hosting” issues.
“The admin of AlphV did not provide coherent explanation during the RedSense threat actor engagement, though it may be related to the admin denying the LE action due to reputation concerns,” RedSense tweeted. “The current status of the group is ‘Everything will work soon.’”
The BlackCat Brand is Finished
MalwareHunterTeam, which runs the ID Ransomware initiative, argued that even if the issue wasn’t caused by law enforcement, the ALPHV/BlackCat brand is effectively “finished” as any serious affiliates or initial access brokers would likely part company due to the lengthy service outage.
Threat intelligence firm ReliaQuest said any disruption at the RaaS group would have a knock-on effect.
“This disruption would force affiliates to move on to other ransomware affiliate programs or develop their own,” it wrote in a short blog post.
“Previously, these types of law enforcement actions have resulted in affiliates spreading into new affiliate programs, bringing in experience from previous programs. For example, ALPHV themselves are believed to have been formed from previous affiliates of the ransomware groups DarkSide and BlackMatter.”
ALPHV made headlines recently when it, or an affiliate, reported one of their victims to the US Securities and Exchange Commission (SEC), in a bid to pressure payment.
One of ALPHV’s most written-about affiliates is Scattered Spider, which has been tied to the MGM Resorts and Caesars Entertainment breaches.
Read more on BlackCat: BlackCat Ransomware Gang Targets Businesses Via Google Ads