International Law Enforcement Agencies Unite to Take Down ALPHV/Blackcat’s Darknet Website
In a move against cybercrime, the FBI, alongside various international law enforcement agencies, seized the darknet website of the notorious AlphV/Blackcat ransomware gang on December 19th. As reported by The Record, law enforcement credits the aid of a "confidential source" in facilitating the takedown of the ransomware gang. The seized darknet site now displays a splash page declaring the seizure, stating, “The Federal Bureau of Investigation seized this site as part of a coordinated law enforcement action taken against AlphV/Blackcat Ransomware.” This development comes after much speculation about potential law enforcement action, especially following the initial inaccessibility of the gang's site earlier in the month. RedSense Chief Research Officer Yelisey Bohuslavskiy first noted disruptions to AlphV/Blackcat's operations on December 7th, 2023. Despite initial denials from the ransomware gang's admins and claims of operational normalcy, the website, upon its brief return, lacked the previously published victim information used for extortion.
However, the initial efforts to take down the AlphV/Blackcat ransomware gang's website were not as straightforward as anticipated. On December 20th, the day following the seizure, control of the site fluctuated, oscillating between the FBI's seizure message and the gang's assertion of regaining control. This "tug of Tor," as The Record describes it, underscores the distinctive characteristics of .onion sites on the Tor network. Unlike standard websites, the address of an onion service is derived directly from its public key, and control of the address hinges on possession of the corresponding private key, which in this case could be held by both the ransomware group and law enforcement, so whichever party publishes a descriptor for that key can serve the site.
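To make the point concrete, the following is an added Python illustration (not code from the article or from any party named in it) of how a v3 .onion hostname is derived from a 32-byte ed25519 public key per the Tor rend-spec-v3 encoding, along with the checksum validation a client performs; the sample key is constructed, not a real service key.

```python
import base64
import binascii
import hashlib

# v3 onion addresses (Tor rend-spec-v3): the 56-character label is the base32
# encoding of PUBKEY (32-byte ed25519 key) || CHECKSUM (2 bytes) || VERSION (0x03),
# where CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2].
VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"


def _checksum(pubkey: bytes) -> bytes:
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + VERSION).digest()[:2]


def onion_address(pubkey: bytes) -> str:
    """Derive the .onion hostname that a given ed25519 public key identifies."""
    if len(pubkey) != 32:
        raise ValueError("v3 onion public key must be exactly 32 bytes")
    label = base64.b32encode(pubkey + _checksum(pubkey) + VERSION)
    return label.decode("ascii").lower() + ".onion"


def pubkey_from_onion_address(address: str) -> bytes:
    """Recover the public key from a v3 address; raise ValueError when the
    address is malformed, has the wrong version, or fails its checksum."""
    host = address.strip().lower()
    if not host.endswith(".onion"):
        raise ValueError("not a .onion address")
    label = host[: -len(".onion")]
    if len(label) != 56:
        raise ValueError("v3 onion label must be 56 base32 characters")
    try:
        raw = base64.b32decode(label.upper())
    except binascii.Error as exc:
        raise ValueError("invalid base32 in onion label") from exc
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != VERSION:
        raise ValueError("unsupported onion address version")
    if checksum != _checksum(pubkey):
        raise ValueError("onion address checksum mismatch")
    return pubkey


if __name__ == "__main__":
    # Constructed sample key (not a real service key): any 32 bytes serve here.
    sample_pubkey = hashlib.sha256(b"constructed example key").digest()
    addr = onion_address(sample_pubkey)
    print(addr)
    assert pubkey_from_onion_address(addr) == sample_pubkey
```

Because the hostname is a pure function of the public key, no registrar or DNS takedown can reassign it; only the holder of the matching private key can sign a valid descriptor for that address.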
In response to these law enforcement actions, the AlphV group has threatened to escalate their operations by lifting previously self-imposed restrictions on targeting critical institutions such as hospitals and nuclear power plants, specifically those outside the Commonwealth of Independent States. The future of AlphV remains uncertain. Security experts like Yelisey Bohuslavskiy and researcher Will Thomas (@BushidoToken) speculate that the gang may take time to recover and potentially rebrand. There's also a possibility that affiliates of AlphV might shift their allegiance to other notable ransomware-as-a-service (RaaS) gangs, such as LockBit. While the disruption of cybercrime infrastructure is a win, without arrests it only delays threat activity until the operators can rebuild.
The execution of this operation is credited to the joint efforts of approximately a dozen agencies, including the U.S. Department of Justice, the U.S. Secret Service, Europol, and the German Federal Criminal Police Office, with notable support from Europol and Zentrale Kriminalinspektion Göttingen. The seizure announcement's splash page prominently displays logos of participating national police forces, such as those from Australia, Spain, Estonia, Austria’s Directorate of State Security and Intelligence, and the United Kingdom’s National Crime Agency and Eastern Region Special Operations Unit. The inclusion of the U.S. Rewards for Justice Program's logo on the splash page marks a first in such operations, underscoring the program's significant role in the fight against ransomware. This seizure is part of a series of recent victories for law enforcement in their ongoing battle against ransomware and cybercrime. These successes include the disruption of the QakBot infrastructure and the seizure of Ragnar Locker's infrastructure, marking a sustained and focused effort to combat cyber threats worldwide.