Those Darn BlackCats

BlackCat/ALPHV ransomware operators claim they have restarted operations on the group's primary leak blog, despite the Department of Justice's announcement that it had gained control of the site.  In retaliation for the law enforcement action against the gang, they also announced that they have dropped their previous ban on attacks against critical infrastructure.  Beyond "unseizing" the site, BlackCat claims that the decryption key the FBI is offering to victims is outdated and belongs to an older version of the blog, according to researchers' reading of the group's message of 19 December 2023.

See:  https://redskyalliance.org/xindustry/octo-tempest-alphv-black-cat-ransomware

It is a bold claim, but experts doubt BlackCat's ability to mount such a quick comeback.  The data and server have indeed been seized by the FBI, and there are no takebacks, explains Steve Stone of Rubrik Zero Labs.  Stone tells Dark Reading that the idea of "seizing" and "unseizing" the site is widely misunderstood in the public discussion.  "Put simply, the FBI and other law enforcement organizations have successfully seized control of a data repository and also took control of/took down the ALPHV site they used to run their Ransomware-as-a-Service (RaaS) operations," Stone says.  "ALPHV has responded by spinning up a new server and applying their security key, which makes this the new site."

Next, he predicts, the FBI will revert the new site to the seized one already under its control, and the cycle repeats.  "The FBI then works to revert it to the original/seized one," Stone says.  "Then ALPHV does it again, as we saw yesterday."  Meanwhile, cybersecurity insiders warn that the threat of fresh attacks on critical infrastructure, now that BlackCat has lifted the restriction on its affiliates, is very real.[1]
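Why the same site can be "seized" and "unseized" in turn is easier to see with a little code.  The example below is added here for illustration; it is not code from the original article, from Rubrik or from Dark Reading, and it assumes (the article does not say so) that the leak blog is a Tor v3 onion service.  In that design the hostname is derived from the service's Ed25519 public key, so whoever holds the matching private key can publish a descriptor for the address and point it at their own server; hidden-service directories keep only the descriptor with the highest revision counter.  The key bytes and server names are constructed placeholders, and the toy directory omits the Ed25519 signature check that real HSDirs perform, since both parties are assumed to hold the key.

```python
"""Illustration: an onion address is its key, so two holders of the key can fight over it."""
import base64
import hashlib
from typing import Dict, List, Optional, Tuple

ONION_VERSION = b"\x03"            # v3 onion address version byte
CHECKSUM_PREFIX = b".onion checksum"


def onion_checksum(pubkey: bytes) -> bytes:
    """Two-byte checksum from the v3 spec: SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]."""
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_VERSION).digest()[:2]


def onion_address(pubkey: bytes) -> str:
    """Derive the 56-character v3 .onion hostname from a 32-byte Ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("expected a 32-byte Ed25519 public key")
    raw = pubkey + onion_checksum(pubkey) + ONION_VERSION   # 35 bytes -> 56 base32 chars
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_onion_address(addr: str) -> bytes:
    """Validate a v3 .onion hostname and return the public key it encodes."""
    host = addr.strip().lower()
    if not host.endswith(".onion"):
        raise ValueError("not a .onion address")
    host = host[: -len(".onion")]
    if len(host) != 56:
        raise ValueError("v3 onion hostnames are exactly 56 characters")
    raw = base64.b32decode(host.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_VERSION:
        raise ValueError("unsupported onion address version")
    if checksum != onion_checksum(pubkey):
        raise ValueError("checksum mismatch: address is corrupted or mistyped")
    return pubkey


def is_valid_onion_address(addr: str) -> bool:
    """Boolean wrapper around parse_onion_address for callers that do not want exceptions."""
    try:
        parse_onion_address(addr)
        return True
    except ValueError:
        return False


class ToyHsDir:
    """Minimal model of a Tor hidden-service directory.

    Per address it keeps the descriptor with the highest revision counter and
    ignores anything older or equal. Real HSDirs additionally verify that the
    descriptor is signed by the key the address encodes; that check is omitted
    here because both competing publishers are assumed to hold the key.
    """

    def __init__(self) -> None:
        self._descriptors: Dict[str, Tuple[int, str]] = {}

    def publish(self, address: str, revision: int, intro_server: str) -> bool:
        parse_onion_address(address)                 # reject malformed addresses outright
        current = self._descriptors.get(address)
        if current is not None and revision <= current[0]:
            return False                             # stale or replayed descriptor: ignored
        self._descriptors[address] = (revision, intro_server)
        return True

    def lookup(self, address: str) -> Optional[str]:
        entry = self._descriptors.get(address)
        return entry[1] if entry else None


def seizure_tug_of_war() -> List[Optional[str]]:
    """Replay the seize/unseize cycle with a constructed key; returns who is serving after each step."""
    # Constructed 32-byte stand-in for a service public key (not a real onion service key).
    pubkey = hashlib.sha256(b"constructed example key, not a real onion service").digest()
    addr = onion_address(pubkey)
    hsdir = ToyHsDir()
    history: List[Optional[str]] = []
    steps = [
        (1, "original-leak-server"),           # operators run the site
        (2, "law-enforcement-seizure-banner"),  # key recovered from seized server, banner published
        (3, "operators-new-server"),           # operators still hold the key and publish again
        (3, "stale-replay"),                   # same revision counter: directory ignores it
        (4, "law-enforcement-seizure-banner"),  # law enforcement reverts, and so on
    ]
    for revision, server in steps:
        hsdir.publish(addr, revision, server)
        history.append(hsdir.lookup(addr))
    return history


if __name__ == "__main__":
    for step, owner in enumerate(seizure_tug_of_war(), start=1):
        print(f"step {step}: address now served by {owner}")
```

The practical takeaway for defenders is that a seizure banner on an onion address says nothing about who else still holds the service key; the address is only as "seized" as the most recently published descriptor, which is exactly the back-and-forth Stone describes.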

Given ALPHV's new stance, there is a real possibility of an increase in attacks on critical infrastructure.  Organizations operating critical infrastructure should be on heightened alert: these developments could revive a period in which CI was treated as fair game by ransomware affiliates.  Ransomware is a lucrative business, and BlackCat is not likely to give it up without a fight.

Although the group's operations are degraded, it may act out of desperation to preserve its reputation as a reliable platform for affiliates to run their criminal activities through.  In a short period it has extorted over US$300 million to fund these operations, something it will fight for at the expense of our society's safety and peace.

This article is presented at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  Call for assistance.  For questions, comments, a demo or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com   

Weekly Cyber Intelligence Briefings:

Reporting: https://www.redskyalliance.org/

Website: https://www.redskyalliance.com/

LinkedIn: https://www.linkedin.com/company/64265941

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5993554863383553632

[1] https://www.darkreading.com/cybersecurity-operations/blackcat-unseizes-sites-fbi-revenge-attacks
