Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Ransomware

Law Enforcement Reportedly Behind Takedown of BlackCat/Alphv Ransomware Website

The leak website of the notorious BlackCat/Alphv ransomware group has been offline for days and law enforcement is reportedly behind the takedown.

BlackCat ransomware

The official leak website of the notorious ransomware group known as BlackCat and Alphv has been offline for days and law enforcement is believed to be behind the takedown.

The Tor-based BlackCat/Alphv leak site has been inaccessible since December 7. Threat intelligence company RedSense reported the following day that the website was taken down by law enforcement.

In an update on Sunday, the company said, “RedSense Chief Research Officer Yelisey Bohuslavkiy confirms that the threat actors, including BlackCat’s affiliates and initial access brokers, are convinced that the shutdown was caused by a law enforcement action.”

“He specifies that other ransomware leadership from the top-tier groups directly related to AlphV also confirm this: specifically admins and team leads of Royal/BlackSuit, BlackBasta, LockBit, and Akira,” the company added.

RedSense also learned that the cybercriminals expect everything to be restored soon, which suggests that the impact on their operation and infrastructure was limited.

At the time of writing, the BlackCat website has been down for four days. SOC company ReliaQuest pointed out that the group’s site does have a history of connectivity issues and outages. However, this seems to be one of the longest — if not the longest — downtime.

No law enforcement agency appears to have released information about an operation targeting BlackCat. 

Following the shutdown of the Hive ransomware in January 2023, BlackCat said such a takedown effort would not work against its operation. 

Advertisement. Scroll to continue reading.

According to a recent year-in-review report from Cisco Talos, BlackCat was the second most active group this year, after LockBit. A BlackFog ransomware report for November shows that BlackCat was as active as LockBit last month. 

BlackCat, whose operators appear to be Russian speakers, emerged in late 2021 as a ransomware-as-a-service enterprise, offering up to 90% of ransom payments in an effort to attract affiliates. Many of the developers and money launderers for BlackCat are said to be linked to the now-defunct Darkside/BlackMatter ransomware.

ReliaQuest said the ransomware operation’s leak website listed more than 650 victims before it was shut down. Victims included major organizations such as Reddit, Western Digital, Swissport, MGM Resorts, and NCR

Related: BlackCat Ransomware Targets Industrial Companies

Related: US Announces IPStorm Botnet Takedown and Its Creator’s Guilty Plea

Related: Technical, Legal Action Taken to Prevent Abuse of Cobalt Strike, Microsoft Software

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Ransomware

A SaaS ransomware attack against a company’s Sharepoint Online was done without using a compromised endpoint.

Ransomware

Several major organizations are confirming impact from the latest zero-day exploits hitting Fortra's GoAnywhere software.

Data Breaches

Sony shares information on the impact of two recent unrelated hacker attacks carried out by known ransomware groups. 

Data Breaches

KFC and Taco Bell parent company Yum Brands says personal information was compromised in a January 2023 ransomware attack.

Ransomware

Alphv/BlackCat ransomware group files SEC complaint against MeridianLink over its failure to disclose an alleged data breach caused by the hackers.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.