Ransomware gang ALPHV/BlackCat said Tuesday it was expanding the range of victims its network of affiliates could target to now include nuclear power plants, hospitals and critical infrastructure. The move is a high-profile escalation of the ransomware as a service (RaaS) criminal syndicate as it appears to be reacting to recent FBI enforcement activity.The statement by ALPHV/BlackCat was posted to its leak site that had been offline since December 7, when it is believed to have been shuttered by law enforcement. On Tuesday, ALPHV/BlackCat's previously shuttered site briefly displayed an FBI seizure notice. Within hours, however, the site then displayed a note by the ransomware group claiming the site had been "unseized."In a 233-word statement, written in the Russian language (and translated here using Google Translate), the threat actors stated, "Because of their actions, we are introducing new rules, or rather, we are removing ALL rules, except one, you cannot touch the CIS (critical infrastructure sectors), you can now block hospitals, nuclear power plants, anything, anywhere."Researchers believe this statement gives affiliates of one of the largest RaaS gangs the green light to attack any target.Actions by the RaaS group were likely sparked by a Tuesday press release by the FBI announcing it had seized several websites that ALPHV/BlackCat operated. The FBI also stated that it had developed a decryption tool to assist ALPHV/BlackCat victims in recovering data.The FBI declined to comment in response to SC Media’s inquiries regarding the matter.The message states that the FBI gained access to one of ALPHV/BlackCat’s domain controllers but alleges all its other domain controllers were not accessed. The statement goes on to claim the FBI only has keys related to 400 victim companies from the last month and says more than 3,000 additional victims will not receive keys because of the law enforcement action.
Fighting the scourge of ransomware
Cybersecurity experts who spoke with SC Media said the threats alluding to an expansion of targets by ALPHV/BlackCat should be taken seriously.“The removal of restrictions on affiliates is an interesting threat, but it underscores the reality of this genre of crime,” said John Bambenek, president of Bambenek Consulting. “Arrests and prosecutions are essentially non-existent as the bulk of these individuals live in places that don’t cooperate with Western law enforcement and these threat actors know it.”The incident underscores the escalating struggles by federal law enforcement agencies to clamp down on the criminal activity of ransomware gangs.Feds reveal anti-ALPHV/BlackCat tactics
As part of the FBI investigation, the U.S. Department of Justice unsealed a warrant Tuesday that revealed how the FBI engaged a “confidential human source” to infiltrate deep web control panels used by ALPHV/BlackCat and its affiliates to coordinate and manage ransomware attacks. Through its investigation, the agency obtained 946 public/private key pairs for Tor sites ALPHV/BlackCat used to communicate with victims, leak stolen data and host affiliate panels, the warrant states.The announcement also revealed that the FBI developed a decryption tool that can be used to recover the encrypted files of ALPHV/BlackCat ransomware victims. The agency said it is offering this tool to more than 500 affected victims and has already used the solution to save multiple victims from ransom demands totaling approximately $68 million.“The ability for the FBI to do this undermines the credibility/capability of cyber-criminal organizations and bolsters the FBI’s pleas for victims to report potential compromises as soon as possible,” Michael McPherson, a former FBI agent and current senior vice president of technical operations at ReliaQuest, told SC Media.ALPHV/BlackCat leak site seized
Speculation that the gang had been targeted by law enforcement arose over the last two weeks due to reports that the main leak site suddenly went offline. Malware sharing group VX-Underground posted on X on Dec. 10 stating ALPHV told it the outage was due to a “hardware failure.”The FBI's press release states the FBI “has seized several websites that the group operated.” BleepingComputer reported that the FBI confirmed the earlier outage was due to a law enforcement operation. The website Hackread reported that a blog used by ALPHV/BlackCat to advertise its cyberattacks was still online.“There is no indication that [authorities have] captured or detained any of the threat actors themselves,” noted BullWall Executive Vice President Steve Hahn in a comment to SC Media. “If this is the case, what they shut down was nothing more than a website and some servers. The threat actor group remains at large and it will be nothing more than a temporary setback until they prop up new infrastructure.”More on ALPHV/BlackCat's claims
VX-Underground was among the first to share screenshots of the “unseized” ALPHV/BlackCat site on X, accompanied by a translation of the Russian-language message posted on the site.ALPHV has ... unseized their domain?
— vx-underground (@vxunderground) December 19, 2023
They claim the FBI compromised one of their domain controllers. Additionally, they state they are removing all rules from their affiliate program (omit the rule on targetting the CIS) - allowing affiliates to target critical infrastructure pic.twitter.com/ZoRvDVZn5k




