Despite law enforcement efforts to take down the notorious ALPHV/BlackCat ransomware gang, the threat actors are not going down without a fight.
Latest developments have shown that the site that was supposedly 'taken down' by the FBI has now been 'unseized'.
The US Department of Justice announced a technical operation against BlackCat on December 19; this was accompanied by a notice on the group's website stating its seizure by the FBI. However, some hours later, the group responded with its own notice on the original main leak site.
West explained that in theory two entities can hold the same private key by accident if hostnames clash, but the chances of this are mathematically remote, and both the FBI warrant and BlackCat's commentary allude to the employment of an insider.
Secureworks noted that on December 13, the group published the first victim to its new leak site.
As of December 19, five victims were posted to the new site, demonstrating the group retained some operational capacity.
The notice BlackCat posted on the original main leak site was accompanied by a link to a new blog site and a Russian-language announcement that acknowledged the FBI's action and threatened retribution.
In a translation of the message, the ransomware gang stated that because of the actions of law enforcement, 'new rules' were being introduced which allow ALPHV affiliates to target critical infrastructure, including hospitals and nuclear power plants.
Mitchell concurred with this sentiment, stating that the group has a documented history of attacking healthcare and energy infrastructure targets already.
The ransomware gang has also moved to cut the cost of working with it and has banned discounts for companies it has compromised; payment is strictly the amount indicated by the criminals.
It is notable that, at the time of writing, there is no evidence of arrests being made relating to members of the group.
Mitchell said this means the long-term effects of the disruption activity might be limited.
This Cyber News was published on www.infosecurity-magazine.com. Publication date: Wed, 20 Dec 2023 13:00:27 +0000