ALPHV leak site seized by law enforcement as decryption tool released
The ALPHV takedown has been described as a "huge win" for law enforcement


US authorities have seized the ALPHV dark web leak site as part of an international operation to take down the infamous ransomware gang.
The Department of Justice revealed that the operation, which involved law enforcement agencies from the UK, Germany, Denmark, Spain, and Australia, seized “several websites” operated by the ransomware group.
The operation enabled law enforcement to “gain visibility” into the ransomware group’s computer network, the FBI added.
Authorities also confirmed the release of a decryption tool for those impacted by the threat group, which has already been used to support 500 affected organizations.
To date, the decryption tool has enabled victims to avoid paying ransom demands totaling around $68 million, the FBI said.
Deputy Attorney General Lisa O. Monaco said the law enforcement sting has severely disrupted ALPHV activities.
“In disrupting the BlackCat ransomware group, the Justice Department has once again hacked the hackers,” she said.
“With a decryption tool provided by the FBI to hundreds of ransomware victims worldwide, businesses and schools were able to reopen, and health care and emergency services were able to come back online. We will continue to prioritize disruptions and place victims at the center of our strategy to dismantle the ecosystem fueling cyber crime.”
Ryan McConechy, CTO of Barrier Networks, described the takedown as a “huge win” for law enforcement and said it should serve as a warning to other threat groups currently operating around the world.
“In the last year, BlackCat has been behind some of the biggest attacks in history, with its affiliates suspected to be behind the devastating attack on MGM Casinos,” he said.
“Given the publicity this attack received and the money it costs MGM, it’s not all that surprising that law enforcement has targeted the gang. When cyber criminals carry out this level of destruction, they will always face repercussions.”
The takedown follows several days of speculation that the ransomware group had been impacted by a law enforcement sting. Last week, rumors of a takedown began circulating online after the group’s leak site went offline for an extended period.
Who are ALPHV/BlackCat?
ALPHV has emerged as one of the most prolific ransomware-as-a-service (RaaS) groups in the world over the last 18 months.
The group has targeted the computer networks of more than 1,000 victims worldwide, including networks that support US critical infrastructure.
A recent study from ZoneFox found the RaaS gang has ramped up attacks so far in 2023, and since January last year has been responsible for around 10% of all observed ransomware and digital extortion attacks globally.
The group uses a ransomware-as-a-service model, which relies on developers to create and update ransomware variants for use by threat actors. ALPHV then works with a range of affiliates to identify and attack victim organizations.
ALPHV has a reputation for employing what’s known as a ‘multiple extortion’ model, whereby attackers encrypt and exfiltrate a victim’s data, then demand a ransom to ensure the safe return of said data.
If victims refuse to engage with the group, their stolen data is often published on its dark web leak site.

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.