Days-long ALPHV outage sparks arrest speculations

ALPHV ransomware gang’s dark web blogs have been down since December 7th, prompting rumors that the gang either had its door knocked down or opted to rebrand once more.

The data leak and negotiation infrastructure of the notorious ALPHV cartel, also known as Black Cat, has been out for days, with cyber pundits saying the gang may have been busted.

Numerous threat researchers have been speculating as to why the gang’s infrastructure is down, as similar behavior was observed before other gangs were seized in the past.

“It is not uncommon for ransomware groups to have their infrastructure take extended periods offline, particularly in the aftermath of a law enforcement operation,” Chris Morgan, senior cyber threat intelligence analyst at ReliaQuest, told Cybernews.

Meanwhile, Yelisey Bohuslavkiy, chief research officer at RedSens, said that even ALPHV’s affiliates, crooks that use ALPHV-made malware to extort victims, were under the impression that a law enforcement action caused the “shutdown.”

According to vx-underground malware researchers, ALPHV said they’ve experienced “hardware failure on their server” and are migrating to another server.

Interestingly, the gang’s messaging account on Tox, an encrypted peer-to-peer messaging app, reportedly came back online late Sunday, early Monday. Even though ALPHV’s admins posted “everything is working,” the gang’s leak site was still down hours after the admins’ post.

While it’s unclear why ALPHV went online, Morgan stipulates the aftermath of a possible law enforcement infiltration in the gang would not look pretty.

“[…] in the aftermath of a possible law enforcement operation, uncertainty permeates a criminal organization. Members will be unclear on the level of compromise, taking action to otherwise reduce their exposure; this could result in infrastructure being taken offline by members, or otherwise directly as a result of the operation,” Morgan said.

However, in the second half of Monday the gang's website appeared to be coming back to life.

Trouble in gangster’s paradise?

According to Morgan, another reason why ALPHV is down could be internal bickering.

“Ransomware groups have previously commonly taken extended outages for developmental purposes, internal disputes between members, and other issues,” Morgan said.

The shutdown could also point to the gang opting to rebrand, which would hardly be the first time for ALPHV’s members. The FBI believes that the cartel is closely linked with the now-defunct Darkside and Blackmatter ransomware gangs.

Ransomware gangs rebrand for various reasons, from internal disputes to elevated interest from law enforcement.

Meanwhile, ALPHV has been very productive this year, gaining international attention after it and Scattered Spider attacked MGM Resorts International and Caesars Entertainment, causing the companies millions of dollars of damages.

Another big name the gang victimized recently is Henry Schein, a healthcare tech and product distribution business. The company continues to struggle with operations after it announced the ALPHV ransomware attack on the company in October.

According to Ransomlooker, the Cybernews’ ransomware monitoring tool, ALPHV was among the most active gangs in the last 12 months, victimizing over 320 organizations worldwide.

Updated on December 11 [03:20 PM GMT] with reports of ALPHV's blog coming back online.