History tells us ALPHV will likely recover from recent takedown
A number of cyber criminal outfits have recovered from police takedowns in recent years, but that doesn’t mean authorities should stop trying


With a recent law enforcement sting putting a serious dent in ALPHV operations, questions remain over how quickly the group will recover and return to plaguing organizations globally.
This week, US authorities announced they had seized control of ALPHV’s dark web leak site in coordination with law enforcement agencies from a host of international partners, including the UK, Germany, and Australia.
The operation, hailed as a significant blow to the notorious ransomware group, enabled authorities to “gain visibility” into the gang’s computer networks and was followed by the release of a decryption tool for organizations impacted by its activities.
Lingering questions remain over the group’s ability to recover from the sting operation, however. And recent history shows that some cyber criminal outfits are more than capable of regrouping.
Qakbot, ranked among the most prolific botnets, was taken down earlier this year, again in a US-led operation. However, within weeks of the sting operation there were signs of recovery.
In October, researchers at Cisco Talos warned that Qakbot-affiliated hackers still remained a pervasive threat, with threat actors in fact waging a devastating ransomware campaign that began “just before the takedown”.
Just this week, research from Microsoft Threat Intelligence showed a new Qakbot phishing campaign has emerged. While this appears to still be in its infancy, the fact it has reemerged doesn’t paint a positive picture.
Three months was all it took for the botnet to get back on its feet.
This tit-for-tat process of police takedowns and eventual recovery has become a recurring trend in recent years. In 2020, an operation to take down Trickbot bore initial success but resulted in the eventual return of the infamous botnet.
The Europol-led Emotet takedown in 2021 also saw a similar outcome. Emotet not only re-established itself within the space of four months, but upon its return accelerated activities and plagued organizations globally with hundreds of thousands of daily attacks.
This raises the question of whether authorities can ever truly cripple cyber criminal operations, and paints a concerning picture for organizations potentially in the crosshairs: you can run, but you can’t hide.
ALPHV-style takedowns create breathing room
Despite these concerns, Steve Stone, head of Rubrik Zero Labs, believes police takedowns still play a crucial role in denting cyber criminal operations.
“While debate persists about whether such actions curb ransomware groups in the long term, these coordinated efforts produce invaluable impacts no single organization could achieve alone,” he said.
Takedowns typically require threat actors to rebuild from the ground up, a costly, time-consuming process that provides vital breathing room for potential victims and gives law enforcement time to refine its techniques.
“Takedowns force threat actors to reconstitute under new names and rebuild technical infrastructure from scratch - actions that divert significant time and resources away from criminal operations,” he added.
“Recent examples, like the months-long disruption of Qakbot, show how some groups struggle to restore operations after takedowns. While Qakbot ultimately returned, it took nearly three months to rebuild technical infrastructure and restore capabilities.”

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.