Ransomware Wars: FBI’s Takedown, Rogue Alliances, and Global Cyber Intrigues

TheRealThreatHuntress
2 min read · Dec 28, 2023

It’s Threat Hunt Thursday!

Earlier this month, the BlackCat/ALPHV ransomware operation suffered a five-day outage of its Tor-based data leak and negotiation sites. The outage was reportedly the result of a law enforcement operation.

The FBI has since confirmed that it infiltrated the BlackCat/ALPHV ransomware operation, a criminal enterprise estimated to have collected $300 million from more than 1,000 victims. Working covertly, law enforcement obtained decryption keys and gained private access to the group’s Tor sites while monitoring the ransomware operation.

Using the recovered decryption tools, authorities decrypted data for 400 victims at no cost to them. At the same time, they used the Tor access to seize the gang’s data leak and negotiation sites.

However, a tug-of-war continues between the threat actors and the FBI over control of the site’s URL, since both parties hold the same keys.

Some observers view this ongoing URL ownership dispute as a misstep by law enforcement. Nonetheless, the recovery of 400 decryption keys, and potentially more data from the compromised servers, has seriously damaged the credibility of the ransomware operation.

According to BleepingComputer, this development prompted some affiliates to contact victims directly via email, citing a lack of trust in the security of the ransomware group’s servers. Others are rumored to be shifting their support to competing ransomware operations such as LockBit.

Interestingly, there have been discussions between LockBitSupp (the group behind LockBit) and the BlackCat operator, exploring the idea of forming an alliance to collectively challenge law enforcement.

Past “ransomware cartels,” reportedly organized by groups such as Maze, did nothing to strengthen ransomware operations; the arrest of gang members by Ukrainian authorities after the group rebranded as Egregor makes that clear.

Other ransomware incidents disclosed recently include:

  • Akira claimed responsibility for a ransomware assault on Nissan Australia.
  • A ransomware breach targeted ESO Solutions, compromising data belonging to 2.7 million individuals.
  • The University of Buenos Aires (UBA) encountered a cyberattack involving ransomware.
  • VF Corp, the parent company of Vans, North Face, and Supreme, fell victim to a ransomware attack.

Happy Hunting!
— threathuntress
