No matter how deeply the FBI penetrated the ALPHV ransomware gang’s dark web infrastructure, the cartel may struggle to prove to its team of racketeers that it can continue operating.
The FBI’s notice of domain seizure on the ALPHV – also known as BlackCat – dark web blog may have been the nudge that sent the cybercrime group responsible for the public hack of MGM Casinos tumbling down a proverbial cliff.
“Given the publicity this attack received and the money it costs MGM, it’s not all that surprising that law enforcement has targeted the gang. When cybercriminals carry out this level of destruction, they will always face repercussions,” Ryan McConechy, CTO of Barrier Networks, said.
Even though the gang’s not a goner yet – at the time of writing, three different ALPHV mirror sites display different results, with one seized by the FBI, one “unseized” by ALPHV, and one operational – finding new affiliates may be challenging.
Not only did the authorities release a decryptor for ALPHV’s ransomware, nullifying at least some of the time affiliates spent extorting victims, but they also showed that the gang is far from invincible.
“The FBI and its global law enforcement partners showed that they are actively targeting the infrastructure of ransomware gangs and will disrupt these activities,” Chris Pierson, CEO of BlackCloak, said.
How to lose affiliates
Fully operational or not, ALPHV faces a reputational crisis. Ransomware gangs operate by renting their signature malware to affiliates who are willing to take on the dirty work of deploying it and extorting organizations.
Even a whiff of law enforcement agents lurking in the gang’s ranks or infrastructure may suggest to cybercrooks that it’s time to look for a different outlet.
“This intervention has notably tarnished ALPHV’s reputation, casting doubt on the group’s ability to continue under the same brand,” Nataliia Zdrok, threat intelligence analyst at Binary Defense, said.
The gang’s tantrum after the FBI announcement, which supposedly greenlit attacks on nuclear power plants and critical infrastructure, only shows its leaders are aware of the gravity of the situation.
As ALPHV threatened to breach the power plants, it also tried to charm new recruits, promising new affiliates could keep 90% of the ransom payment.
Piling on ALPHV’s troubles, another leading ransomware gang, LockBit, started recruiting its competitor’s affiliates and programmers almost immediately.
“LockBitSupp offered these affiliates the use of LockBit’s data leak site and negotiation panel, particularly if they had backups of stolen data. Additionally, efforts are underway to recruit the coder behind the ALPHV encryptor,” Zdrok told Cybernews.
The criminal whac-a-mole
As LockBit tries to pinch ALPHV’s talent, it also targets its tech – the source code of encryption malware.
Selling the malware is not unusual among ransomware cartels: according to Zdrok, Hive, a now-defunct ransomware gang, opted to cash out after its infrastructure was seized.
“This incident could even lead to selling its malicious source code and arising new ransomware campaigns, following past trends. Simultaneously, its members might spread, joining other groups in the ransomware field,” Zdrok explained.
Some ALPHV affiliates, such as the Scattered Spider collective, suspected to be behind the MGM and Caesars ransomware attacks, are more than capable of operating independently of the ransomware cartel.
“By taking down their operations and releasing the decryption key, the FBI has provided relief for numerous victims as well. However, the global game of whac-a-mole continues as there is no shortage of cybercriminals waiting in the midst to slide into the prime spot,” Pierson said.
Moreover, the seizure of ALPHV’s dark web infrastructure will undoubtedly hurt the gang’s business but, at least for now, has not led to any arrests, leaving the gang room to regroup. After all, ALPHV itself emerged as a successful rebranding operation after the now-defunct gangs BlackMatter and DarkSide reached their boiling point.
“We believe that ALPHV could experience a reduction in its affiliate network and rebrand itself with a new name,” Zdrok concluded.