December 11th saw some rumours online that the dark web blog & leak site of the AlphaV / Blackcat ransomware gang had been taken offline by law enforcement.

Checking the Tor site resulted in a timeout, indicating that the site was indeed out of action.

The X.com account @vxunderground shared that AlphaV admins had told them they were experiencing hardware failures which necessitated taking the site offline for a while.

All had been quiet on this topic for the last week or so, until yesterday…

It now appears that the FBI, in association with numerous other law enforcement agencies, had indeed compromised the AlphaV network and managed to seize equipment used for hosting the ransomware gang's infrastructure.

At the same time the website seizure notice was posted, a press release appeared on the US Department of Justice website announcing not only the seizure of the domain, but also the release of a decryption tool to allow over 500 victims of the gang to recover their data.

A search warrant was also unsealed by the Southern District of Florida court which gives an insight into the operation that led to this event. It revealed that the agencies involved in the takedown were assisted by a Confidential Human Source (CHS) who provided access to the control panel systems used by the gang's affiliates.

The search warrant also details the lengths that law enforcement went to in order to seize 946 encryption keys, which allowed them to produce the decryption tool they have already distributed to approx. 400 victims of the gang.

Touched a nerve?

Shortly after the dark web site was seized by the FBI, the site was “unseized” by the AlphaV gang with a note saying that the site had been moved to a new address…

The new site currently has six victims posted – a far cry from the hundreds which were there before the FBI operation.

However, that's not quite how Tor works. It is true that the original .onion address used by the gang can still be contacted, but the address is derived from the service's signing key, not from the servers behind it: as long as you still hold that signing key, you can re-publish the site and Tor will route traffic to the new location.
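To show why seizing hardware does not take the address away, here is an added example (not code from the original post, from the gang, or from the Tor Project) that derives a v3 onion address from a 32-byte public key exactly as the Tor rendezvous specification describes, and validates one. The key bytes are a constructed placeholder, not a real service key; an attacker or a defender who does not hold the matching private key can compute the address but cannot publish anything under it.

```python
"""v3 .onion address derivation and validation, per the Tor rendezvous spec.

address = base32(PUBKEY || CHECKSUM || VERSION) + ".onion"
CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
"""
import base64
import hashlib

VERSION = b"\x03"                    # version byte for v3 onion services
CHECKSUM_PREFIX = b".onion checksum"
LABEL_LEN = 56                       # 35 bytes -> 56 base32 chars, no padding

# Constructed placeholder "public key" (32 bytes), NOT a real ed25519 key.
SAMPLE_PUBKEY = bytes(range(32))


def onion_checksum(pubkey: bytes) -> bytes:
    """Two-byte checksum binding the key to the version byte."""
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + VERSION).digest()[:2]


def onion_address(pubkey: bytes) -> str:
    """Derive the .onion address that belongs to this public key.

    The address depends only on the key, so whoever controls the private
    key can republish descriptors for it from any host.
    """
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + onion_checksum(pubkey) + VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def decode_onion_address(address: str) -> bytes:
    """Return the embedded public key, raising ValueError on a malformed address."""
    if not address.endswith(".onion"):
        raise ValueError("not a .onion address")
    label = address[: -len(".onion")]
    if len(label) != LABEL_LEN:
        raise ValueError("v3 onion labels are 56 base32 characters")
    try:
        raw = base64.b32decode(label.upper())
    except Exception as exc:
        raise ValueError("invalid base32 label") from exc
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != VERSION:
        raise ValueError("unsupported onion address version")
    if checksum != onion_checksum(pubkey):
        raise ValueError("checksum mismatch")
    return pubkey


def is_valid_onion_address(address: str) -> bool:
    """Convenience wrapper: True if the address parses and its checksum verifies."""
    try:
        decode_onion_address(address)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    addr = onion_address(SAMPLE_PUBKEY)
    print(addr)
    print("valid:", is_valid_onion_address(addr))
    # The same key yields the same address regardless of where it is hosted.
    print("same key, same address:", onion_address(SAMPLE_PUBKEY) == addr)
```

Every v3 address is 56 characters and ends in `d` (the low five bits of the version byte), which is a quick sanity check when triaging addresses seen in reporting; a checksum failure means a typo or a fabricated address rather than a real service.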

The infrastructure used by the address is seized, and hopefully it will not be long before law enforcement manage to get access to the data on those devices for further investigations.

It does look like the law enforcement activity has touched a nerve with the ransomware gang – the post on the website, when translated, reveals that the gang are dropping their previous "rules" not to attack Critical Infrastructure and, in an attempt to encourage more affiliates to launch attacks, have raised their payment to 90% of whatever the affiliates can extract from victims.

Other gangs are worried

The operation against AlphaV is a very significant one and sends a message to all other gangs that global law enforcement will continue to target and disrupt such activity and will seek to prosecute anyone involved in the criminal acts being perpetrated.

@vxunderground contacted the world's biggest ransomware gang – Lockbit – to see what their opinions were; it turns out they are quite concerned.