The FBI continues to take action against the APT group ALPHV alias BlackCat. The FBI briefly blocked the group's leak page on the dark web. Now it's open again and ALPHV announces in Russian that 3.000 companies will never receive the keys to their ransomware.
There has never been a more open exchange of blows between the FBI and an APT group. The FBI published a statement saying that it had taken over various ALPHV servers and was now making a decryption tool available to 500 victims. “By dismantling the BlackCat ransomware group, the Department of Justice has hacked the hackers again,” said Assistant Attorney General Lisa O. Monaco.
🔎 The ALPHV leak page on the darknet was first confiscated by the FBI (Image: B2B-C-S).
“With a decryption tool that the FBI made available to hundreds of ransomware victims worldwide, businesses and schools were able to reopen and health and emergency services were able to come back online. We will continue to prioritize disruption and put victims at the heart of our strategy to disrupt the ecosystem that fuels cybercrime.”
ALPHV counters this with threats
On the Darknet, the FBI had marked the leak page with a note saying that the page had been “seized”. Just a few hours later, ALPHV had the upper hand on the site again and “hijacked” the site again. Apparently the FBI and APLHV have the necessary access keys for the site and cannot block each other.
🔎 But ALPHV was able to reactivate the leak page and, in its own words, “confiscated” it (Image: B2B-C-S).
On the unblocked page, ALPHV provides the address for a new leak site that the FBI would not have access to. The group also blatantly threatens in Russian that they now know how the FBI used to gain access. The declaration of war continues: “The maximum they (editor’s note “the FBI”) have are the keys from the last month and a half, that’s about 400 companies, but now more than 3.000 companies will never receive their keys.” The threat continues: “Because of your actions, we are introducing new rules, or rather, we are removing ALL rules…. Thank you for your experience, we will consider our mistakes and work even harder, we are waiting for your whining in chats and requests for discounts that no longer exist.”.
New leak site is online – but only 6 victims
The new leak page is now online, but it currently only shows 6 new victims of the ransomware group. The extent to which the entire ALPHV ecosystem was destroyed by the FBI is still unclear. But the FBI has already proven several times that it is not a toothless tiger. That's what happened dismantling the Ragnar Locker ransomware gangwhich QBot or Qakbot network dissolved or last HIVE members arrested.
More at Justice.gov