UPDATED 16:17 EST / DECEMBER 20 2023

SECURITY

ALPHV claims to reactivate ransomware data leak website after FBI-led takedown

ALPHV, one of the most active ransomware-as-a-service gangs in the world, on Tuesday claimed to have regained control of a malicious website that the FBI took down earlier that day.

ALPHV sells ransomware that other hacking groups use to launch cyberattacks. According to the FBI, those cyberattacks have incurred hundreds of millions of dollars in costs for more than 1,000 organizations. The victims included, among others, emergency services, schools and mission-critical manufacturers.

After encrypting an organization’s records using ALPHV ransomware, hackers threaten to keep them unreadable unless a ransom is paid. If the victim refuses to make the payment, the data is also publicly released on a dark web leak website. On Tuesday, the FBI and other law enforcement agencies from a half-dozen countries seized the data leak website. 

Reports that the website had been shut down first emerged on Dec. 7. At first, ALPHV claimed that the downtime was the result of a hardware failure. The FBI confirmed on Tuesday that it had taken down the website.

Shortly after the agency’s announcement, ALPHV briefly retook control of the website. The hackers reportedly didn’t recover the underlying infrastructure, but rather only the domain name. They then pointed the domain name to a different website than the one the FBI and its law enforcement partners had seized.

The FBI quickly regained access to the domain, at which point a back-and-forth ensued between the agency and the hackers. ALPHV later set up a new website under a different domain. According to SecurityWeek, that website currently lists six ransomware victims. 

ALPHV’s data leak website is one of several associated with the group that were taken down by authorities. Additionally, the FBI released a tool that allows ALPHV victims to decrypt information scrambled by the hacking group’s ransomware. The agency estimates that the tool saved more than 500 organizations about $68 million in ransom payments.

ALPHV attempted to downplay the impact of the FBI’s operation in a Russian-language announcement. The ransomware gang claims that the decryption tool released by the agency can only unlock files scrambled in the past month and a half. According to the announcement, more than 3,000 organizations will be unable to decrypt their data. 

ALPHV also changed its usage terms for the hacking groups that use its ransomware to carry out cyberattacks. Those hacking groups now have permission to target more types of organizations, including nuclear power plants and hospitals. They will receive an increased 90% share of the illicit profits they generate from ransom payments.

Some observers have speculated that ALPHV may relaunch under a new name in the wake of the FBI’s operation. The ransomware gang has done so at least twice in recent years. “We have seen other groups bounce back from similar interventions, either by quickly diversifying their activities, or by partnering with other groups,” Matt Hull, the global head of strategic threat intelligence at cybersecurity consulting company NCC Group PLC, told SiliconANGLE.

ALPHV originally emerged in August 2020 under the name DarkSide and launched a high-profile ransomware attack against Colonial Pipeline Co. The ransomware gang shut down about a year later in a move that some speculated was motivated by pressure from law enforcement agencies. DarkSide resumed operations as BlackMatter in November 2021 and later changed its name to ALPHV.

Image: Pixabay
