Part of the reason for law enforcement's delay in attempting to take down Alphv's infrastructure may have been an ongoing investigation into the actors behind the group.
The takedown effort involved collaboration and parallel investigations from multiple law enforcement agencies, including those in the United Kingdom, Australia, Germany, Spain, and Denmark.
The US Justice Department said Tuesday that a decryptor tool for the Alphv ransomware that was developed by the FBI has already helped more than 500 victims recover from attacks and avoid paying roughly $68 million in ransoms.
As ransomware groups rely more on a hybrid model in which much of their leverage for extortion comes from the threat that they will leak data stolen from victims, decryptors are only one of many tools needed to help victims avoid paying ransoms.
Alphv's attempt on Tuesday afternoon to let its customers use its ransomware against vital services like hospitals and nuclear plants made the existence of the decryptor more significant, since it limits how dangerous and disruptive such attacks could be.
Since both the cybercriminals and law enforcement had access to the login keys, it is possible that multiple sites were registered to the same Tor address, or that Alphv was able to add another registration and then point the site to servers that law enforcement did not control.
In the same way, law enforcement's presumably deep access to the gang's infrastructure is likely what allowed it to retake the site.
The US Justice Department noted Tuesday morning that people with information about Alphv/Blackcat and its affiliates should come forward and may still be eligible for a reward through the US State Department.
Updated 12/19/23, 2:55 pm ET to reflect that law enforcement reestablished its control of Alphv's dark web leak site.
This Cyber News was published on www.wired.com. Publication date: Tue, 19 Dec 2023 20:43:05 +0000