BlackCat ransomware site down amidst rumours of law enforcement action
Though no agency has released information about an operation
The official leak website of the ALPHV ransomware group, aka BlackCat, has been offline for five days, fuelling speculation that law enforcement may have finally caught up with the prolific ransomware group.
The ALPHV data leak site, along with the Tor negotiation URLs shared with victims in ransom notes, went offline on 7th December and have yet to be restored.
Security researchers, including Yelisey Bohuslavkiy, chief research officer at RedSense, have hinted at a possible law enforcement operation targeting the group.
Bohuslavkiy said admins of other top-tier ransomware groups directly linked to ALPHV, including Royal/BlackSuit, BlackBasta and LockBit, confirmed law enforcement involvement in the takedown.
Despite these rumours, BlackCat's leadership maintains that "everything will work soon."
When contacted by BleepingComputer, the ALPHV admin mentioned server repairs, but provided no further details.
ReliaQuest, a security operations centre company, notes that BlackCat's site has a history of intermittent connectivity issues, although the current outage is among the longest faced by the group.
Notably, no law enforcement agency has officially released information about an operation specifically targeting BlackCat.
ALPHV had previously dismissed the possibility of a takedown effort like the one that targeted the Hive ransomware group in January 2023.
Analysts at ReliaQuest speculate that this disruption could prompt hackers associated with BlackCat to seek new affiliations, or even establish their own ransomware gangs.
"The removal of this group from the ransomware landscape will undoubtedly leave a void, with its operators and affiliates likely moving to other ransomware groups or forming new groups," said Chris Morgan, senior cyber threat intelligence analyst at ReliaQuest.
The company noted that similar law enforcement actions in the past have resulted in the dispersal of affiliates into new programmes, to which they bring valuable experience from previous operations.
Who is BlackCat?
BlackCat first appeared in late 2021 as a ransomware-as-a-service enterprise, offering lucrative payouts of up to 90% of ransom payments to attract affiliates.
The group is thought to have emerged when former affiliates of DarkSide and BlackMatter joined forces, underscoring the fluid and interconnected nature of the cybercriminal landscape.
BlackCat's operators appear to be Russian speakers.
ReliaQuest noted that the ransomware operation's leak website listed over 650 victims before being shut down, including major firms like Reddit, Western Digital, Swissport, MGM Resorts, and NCR.
The group recently made headlines for an apparent hack on financial software provider MeridianLink, claiming to have reported the victim to the US financial regulator, the SEC.
Law enforcement agencies globally have been increasingly targeting ransomware gangs in recent months.
Operations against groups like REvil, Hive, Qakbot and RagnarLocker demonstrate the concerted efforts of Interpol, the FBI, and Europol to dismantle cybercriminal networks.
However, the challenge with such takedowns lies in the transient nature of cybercriminal operations.
Without arrests, individuals involved can easily set up new operations, especially when operating from jurisdictions like Russia that do not extradite their citizens.
Experts in the field emphasise the need for more effective strategies to deter ransomware actors, suggesting that the industry should explore innovative approaches beyond the traditional shutdown of infrastructure.