The dark web site for the notorious ransomware gang Blackcat, more commonly known as ALPHV, has been seized by an international group of law enforcement agencies.
The site’s homepage was replaced with an announcement from the FBI on Tuesday indicating that it had been the subject of “a coordinated law enforcement action.”
“The Federal Bureau of Investigation seized this site as part of a coordinated law enforcement action taken against ALPHV Blackcat Ransomware,” the message said.
The takedown comes after the group filed an SEC complaint that a company wasn’t reporting a breach in a timely manner.
ALPHV hacked the software company MeridianLink and threatened to make its data public. It also announced that it had alerted the SEC to the breach, claiming MeridianLink violated new rules that require publicly traded companies to report cyberattacks within four days.
Led by the FBI Miami Field Office, the takedown included assistance from countries such as Australia, Denmark, Germany, Switzerland, and the U.K.
What is ALPHV?
In a press release on the seizure, the U.S. Department of Justice (DOJ) described ALPHV as “the second most prolific ransomware-as-a-service variant in the world based on the hundreds of millions of dollars in ransoms paid by victims…”
ALPHV was linked to the attack on multiple casinos earlier this year that saw Las Vegas temporarily crippled. The group has also brazenly targeted critical infrastructure in the U.S. as well as healthcare facilities.
It was behind a number of attacks on plastic surgery clinics in Beverly Hills as well.
The press release also revealed that the FBI was able to develop a decryption tool that helped unlock the files of more than 500 of ALPHV’s victims.
“To date, the FBI has worked with dozens of victims in the United States and internationally to implement this solution, saving multiple victims from ransom demands totaling approximately $68 million,” the press release added. “As detailed in a search warrant unsealed today in the Southern District of Florida, the FBI has also gained visibility into the Blackcat ransomware group’s computer network as part of the investigation and has seized several websites that the group operated.”
The takedown came after ALPHV’s website was temporarily inaccessible for more than a week, leading to widespread speculation that law enforcement might be to blame.
And while the takedown and decryption tool will undoubtedly have an effect, ALPHV’s core team, suspected of being based in Russia, is claiming to be unfazed.
In remarks to vx-underground, a malware sample hosting service, ALPHV claimed that the seized site was outdated and that a new site had already been launched.
As has been seen in the past, ransomware groups targeted by law enforcement often rebrand and continue their operations under a new name.
The DOJ noted, however, that the investigation into ALPHV did include an undercover informant. And with investigations into the group ongoing across the globe, it’s likely the pressure on ALPHV will remain.