ALPHV/BlackCat ransom gang fakes own takedown, fact or fiction?

The notorious ALPHV/BlackCat ransomware gang and its dark website appear to have been seized, yet again, by law enforcement – but now rumors are surfacing that the Russian-linked cartel may have faked its own takedown.

It could be the greatest disappearing act in ransomware history, according to industry insiders.

Just one day after an ALPHV/BlackCat affiliate hacking group claimed it had been ghosted by the notorious cybercriminal gang over a $22 million ransom payment that was meant to be shared between the two, ALPHV now appears to have faked its own “ransomware death.”

Tuesday morning, the landing page of the group’s dark web blog showed a notice of seizure by the FBI.

“The Federal Bureau of Investigation seized this site as part of a coordinated law enforcement action taken against ALPHV Blackcat ransomware,” reads the message on the gang’s leak site.

But this latest FBI-branded seizure notice is an exact replica of the one the FBI posted on the ALPHV/BlackCat leak site back on December 19th.

From every word, sentence, and link to law enforcement logos and their placement, the screenshots are identical.

[Image: ALPHV fake seizure notice, side by side] Side-by-side comparison of ALPHV/BlackCat FBI seizure notices. On the left is the legitimate FBI notice from December 19th, 2023. On the right is the notice posted on the gang's dark web blog on March 5th, 2024.

Back in December, the seizure of the gang’s servers was confirmed by the FBI, along with an official announcement and press release by the US Department of State describing the takedown.

Strangely, this time there has been silence from the FBI and Europol, and a straight-out denial from Britain's National Crime Agency (NCA).

"I can confirm any recent disruption to ALPHV infrastructure is not a result of NCA activity," a spokesperson for the Agency said.

Security expert @azalsecurity (aka CISO John Adam at Sparksoft Corporation) also fell for the bait-and-switch at first, but then reversed course and said he believed the notice was a fake.

“It appears that ALPHV’s blog is pointing to their old mirrored site that was indeed seized. At this time we do not have evidence of an actual second LE enforcement action,” he posted on X Tuesday.

ALPHV's 'classic exit scam'

The $22 million allegedly pocketed by ALPHV is said to be the ransom demand paid by the gang’s latest victim, UnitedHealth Group’s Change Healthcare, one of the largest health technology providers in the US.

The unresolved February 21st hack has created havoc for hospitals, healthcare providers, and pharmacies across the US since.

Meantime, the aforementioned disgruntled affiliates (represented by username “notchy”) were not the only hackers complaining on the dark web about ALPHV’s silent exit.

According to a cliff notes synopsis of the saga posted on X by malware repository vx-underground, the ALPHV administrative staff has been ignoring all their affiliates.

Later that same day (Sunday, March 4th), “‘Affiliate Plus’ ALPHV account holders expressed frustration that their accounts were suddenly closed - unable to perform their ransomware attacks,” vx-underground wrote.

Additionally, vx-underground said other security researchers had “indicated that the HTML source code looks suspicious and they believe this is a phony FBI seizure page.”

In a further turn of events, on March 4th, ALPHV was seen on Tox (a messaging service used by ransomware criminals) selling its own signature source code for a measly $5 million, as first reported by @azalsecurity.

The BlackCat fire sale came about after a typically long and cryptic messaging thread titled “Scam 20M” was posted by the gang on RAMP, the Russian-language dark market forum.

The post began as a response to the hacker group who had called ALPHV/BlackCat out for “non-payment on the joint ransom venture,” and then moved swiftly on to announce it was closing up shop because the “feds screwed us over.”

X user and intel analyst @ddd1ms (Dmitry Smilyanets, PMD at Recorded Future) translated the post from Russian and shared it on X.

“We decided to completely close the project, we can officially declare that t he [sic] feds screwed us over. The source code will be sold, negotiations are already underway on this matter. Thank you all for being with us. You can delete your account, I won't go to court again, we don't have other accounts on other forums, it's all fake,” ALPHV wrote.

Security researcher Will Thomas said the mysterious move "appears to be a classic exit scam," referring to when a ransomware group fakes its demise, confiscates affiliate funds, and then quietly rebrands under a fresh name.

"It would not be a surprise if they [ALPHV/BlackCat] return once more in the not-too-distant future," he said, noting that the group had already been pegged by security researchers as a revamp of the Russian cybercriminal group known as DarkSide.
