Seized ALPHV's website

The Emerging Threat of a Unified ALPHV-LockBit Ransomware Force

By Nataly Vovk | Threat Intelligence Analyst
Published on December 23rd, 2023
This post was updated on March 14th, 2024

On December 19, 2023, the FBI confirmed that it had hacked into the BlackCat/ALPHV ransomware gang, which had received $300 million from over 1,000 victims. Law enforcement obtained decryption and Tor private keys and decrypted files for 400 victims.

The group’s reputation has suffered damage, prompting them to seek new strategies and approaches.


ALPHV Reacts to Law Enforcement Actions

Before the gang’s infrastructure was officially seized, the BlackCat/ALPHV ransomware operation experienced a five-day disruption of their Tor data leak and negotiation sites, which is suspected to be due to law enforcement action.

The ransomware gang stated that the FBI accessed their decryption keys for only the last month and a half, and in response, they lifted all targeting restrictions for their affiliates, including targeting critical infrastructure.

Additionally, the gang has raised the affiliates’ revenue share to 90% of any paid ransom, presumably to deter them from joining rival ransomware-as-a-service (RaaS) operations.

LockBit’s Strategic Recruitment

During the disruption of BlackCat/ALPHV, LockBit, another notable ransomware group, began to capitalize on this situation to broaden its network. The leader of LockBit initiated a campaign to recruit affiliates from the struggling BlackCat operation, as seen in posts on the XSS hacking forum.

LockBitSupp, representing LockBit, was offering these affiliates the use of their data leak site and negotiation panel for continuing extortion activities, provided they had backups of stolen data.

They are also seeking to recruit the coder behind the ALPHV encryptor.

This situation mirrors a previous shift when, after BlackMatter’s shutdown in November 2021, many affiliates moved to LockBit, marking another strategic opportunity for LockBit to strengthen its network with new affiliates.

Strategic Choices for ALPHV: Rebrand or Join Forces with LockBit

However, following the FBI’s announcement about the seizure of ALPHV’s website, there has been speculation about a possible collaboration between ALPHV and LockBit.

Their leaders showed mutual respect in communications on the hacking forum and discussed forming a new ransomware cartel.

We believe two scenarios are plausible at the moment.

The first is that ALPHV may experience a rebranding and operational overhaul, similar to their approach post-BlackMatter shutdown.

BlackCat/ALPHV emerged over two years ago, around November 2021, and is believed to be a rebranded version of the infamous DarkSide and BlackMatter ransomware operations.

In this scenario, they risk losing affiliates and might need to offer significant bonuses to retain them.

Another possibility is a strategic alliance where ALPHV and LockBit pool their resources and expertise, potentially operating under the well-established LockBit brand, thereby creating a more powerful and coordinated ransomware entity.

If LockBit merges with ALPHV, the risks for companies could escalate significantly.

The combined expertise and resources of these groups may lead to more sophisticated and harder-to-detect ransomware attacks.

This could result in a higher success rate for the hackers, putting a broader range of targets at risk, including larger corporations and critical infrastructure.

Also, a unified front under the LockBit brand might lead to a more aggressive and widespread ransomware campaign.

This would not only pose a greater security challenge for organizations but also potentially lead to higher ransom demands, making it more costly and difficult for victims to recover from such attacks.

Summary

In a significant cybersecurity development this week, the FBI successfully hacked into the BlackCat/ALPHV ransomware gang and obtained their decryption keys.

This follows a prior disruption of BlackCat/ALPHV’s operations, leading them to lift restrictions on targeting and increase affiliate revenue shares, possibly as a countermeasure against losing members to rivals.

Concurrently, LockBit is leveraging this situation to recruit BlackCat’s affiliates, indicating a possible shift in the ransomware landscape.

The potential collaboration between ALPHV and LockBit, if realized, could significantly raise the level of threat, with more sophisticated attacks targeting a wider range of sectors and posing greater security and recovery challenges for victims.

ALPHV/BlackCat: The Most Sophisticated Ransomware? (Video)
