Law Enforcement Action May Have Caused BlackCat/ALPHV Website Outage

Date: December 11, 2023

Reports indicate that law enforcement may be the cause of a website outage that impacted the notorious BlackCat/ALPHV ransomware gang’s leak site last week.

“BleepingComputer has also confirmed that unique Tor negotiation URLs shared with victims in ransom notes are also down, indicating a disruption to the ransomware gang's public-facing infrastructure and a halt to ongoing negotiations,” BleepingComputer reports.

“The Tox status for the Admin claims that the operation is repairing their servers but they have not answered questions about what happened. However, BleepingComputer suspects that the ransomware gang may have suffered potential law enforcement action after their recent activities, which was also hinted at by others.”

BleepingComputer says it has not been able to confirm whether law enforcement compromised the BlackCat/ALPHV website, and that spokespersons declined to comment on the situation.

Takeaway: BlackCat/ALPHV was first observed in late 2021 and maintains a well-developed RaaS platform that encrypts files with AES. The code is highly customizable and includes JSON configurations for affiliate customization.

BlackCat/ALPHV is adept at disabling security tools and evading analysis, and is likely the most advanced ransomware family in the wild. It can employ multiple encryption routines, displays advanced self-propagation, and hinders hypervisors for obfuscation and anti-analysis. BlackCat/ALPHV can impact systems running Windows, VMware ESXi and Linux, including Debian, ReadyNAS, Ubuntu, and Synology distributions.

BlackCat/ALPHV was the first ransomware operation whose developers employed Rust, a memory-safe programming language that offers exceptional performance for concurrent processing.

BlackCat/ALPHV deletes all Volume Shadow Copies using the vssadmin.exe utility and wmic to thwart rollback attempts, and attains privilege escalation by leveraging the CMSTPLUA COM interface to bypass User Account Control (UAC).
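The shadow-copy deletion and CMSTPLUA elevation described above both leave command lines in process-creation telemetry (Sysmon Event ID 1 or Windows Security 4688), which makes them a practical detection point for defenders. The script below is an added example, not code from Halcyon or from the original post: it runs three simple rules over a handful of constructed process-creation events and raises severity when the parent process lives in a user-writable directory. The sample events, hostnames and paths are made up for the demonstration; the CMSTPLUA CLSID is the well-known one for that COM object and is not taken from the page.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events (Sysmon Event ID 1 style, reduced to
# the fields the rules need). These are not real telemetry from any incident.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet",
     "parent": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"host": "ws01", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete",
     "parent": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"host": "ws02", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows",          # benign admin enumeration
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws03", "image": r"C:\Windows\System32\dllhost.exe",
     # CMSTPLUA COM object hosted via dllhost (well-known CLSID, not from the page)
     "cmdline": "dllhost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}",
     "parent": r"C:\Windows\System32\svchost.exe"},
    {"host": "ws04", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe report.txt",
     "parent": r"C:\Windows\explorer.exe"},
]

# Detection rules: (name, compiled pattern over the command line).
# "list shadows" deliberately does not match; only deletion is flagged.
RULES = [
    ("shadow_copy_deletion_vssadmin",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("shadow_copy_deletion_wmic",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("cmstplua_com_elevation",
     re.compile(r"\bdllhost(\.exe)?\b.*3E5FC7F9-9A51-4367-9063-A120244FBEC7", re.I)),
]

# Parent processes running from these locations are unusual for admin tooling and
# raise the severity of any hit.
USER_WRITABLE_PARENT = re.compile(r"\\(Temp|Downloads|Public|ProgramData)\\", re.I)


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule whose pattern matches the event's command line."""
    return [name for name, pattern in RULES if pattern.search(event["cmdline"])]


def severity(event: Dict[str, str]) -> str:
    """High when the parent binary sits in a user-writable path, medium otherwise."""
    return "high" if USER_WRITABLE_PARENT.search(event["parent"]) else "medium"


def scan(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run all rules over a list of events and return one alert per (event, rule) hit."""
    alerts = []
    for ev in events:
        for rule in classify(ev):
            alerts.append({
                "host": ev["host"],
                "rule": rule,
                "severity": severity(ev),
                "cmdline": ev["cmdline"],
                "parent": ev["parent"],
            })
    return alerts


def summarize(alerts: List[Dict[str, str]]) -> Dict[str, int]:
    """Count alerts per rule name, which is what a dashboard or triage queue wants."""
    counts: Dict[str, int] = {}
    for alert in alerts:
        counts[alert["rule"]] = counts.get(alert["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f'{alert["host"]} [{alert["severity"]}] {alert["rule"]}: {alert["cmdline"]}')
    print(summarize(scan(SAMPLE_EVENTS)))
```

In production these patterns would be expressed in the SIEM's query language rather than Python, but the shape is the same: match on the command line, not just the image name, so that routine `vssadmin list shadows` does not page anyone, and weight the alert by where the parent process came from.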

BlackCat/ALPHV also employs a custom tool called Exmatter for data exfiltration, and in August released a new ransomware payload called Sphynx with improved defense evasion capabilities and the ability to encrypt Azure cloud storage deployments.

BlackCat/ALPHV became one of the more active RaaS platforms over the course of 2022, and attack volume in 2023 continued at a steady pace. They typically demand ransoms in the $400,000 to $3 million range but have exceeded $5 million.

BlackCat/ALPHV has wide variability in targeting, but most often focuses on the healthcare, pharmaceutical, financial, manufacturing, legal and professional services industries. Notable victims include MGM Resorts and Casinos, PWC, Ernst & Young, Sony, Republic Steel, Coca Cola, Constellation Software, Ring, and Five Guys Restaurants.

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.