Ever since Darkside crossed the line in 2021 with attacks on critical infrastructure that caused widespread real-world problems, international law enforcement operations have been targeting and taking down the biggest ransomware gangs one by one. The only problem is that this mostly consists of asset seizures, which leaves the operators free to flee and regroup under a different name.
That same story appears to be playing out with BlackCat/ALPHV, the group that helped Scattered Spider deliver ransomware during its 2022 breaches of Caesars Entertainment and MGM (among many other incidents). The group is itself thought to be made up of refugees from ransomware gangs scattered by previous law enforcement operations, and the situation appears to once again be one of asset seizures without arrests.
Law enforcement operation strikes a blow, but operators still in action
The law enforcement operation did not announce any arrests; that usually means, at minimum, the ransomware gang can be expected to break up and regroup in some weeks or months under a new name. But BlackCat has been defiant thus far, appearing to retake its public-facing Tor sites and swearing to unleash a new campaign of attacks that will include critical infrastructure and hospitals.
An affiliate that agreed to turn against the ransomware gang appears to have been the key to this present law enforcement operation. That likely signals a big incoming drop in business for BlackCat, something supported by the group’s recent slashing of the percentage it takes from attacks. Other major groups, such as LockBit, are already openly advertising to attract business and talent away from their rival.
Whether or not BlackCat ultimately folds, this is most likely not the end of the people behind the threat. Some of them are thought to have started out with Darkside, then jumped ship to BlackMatter, then reformed as BlackCat/ALPHV after other law enforcement operations. Ransomware gang members often reappear on underground marketplaces or forums as little as several weeks after these groups disband. The key to all of this is safe haven in countries such as Russia, where they are extremely unlikely to be extradited or pursued by local law enforcement.
Ransomware gang’s recovery hinges entirely on affiliate loyalty
BlackCat has made big promises of vengeance after the December seizure of its Tor site, but carrying them out will require its affiliates to stick around. In the meantime, the group seems to be in a running battle with the DOJ for control of its public presence. It has apparently used a signing key to move the site to a new server, but possession appears to have gone back and forth between them and the DOJ at times.
The law enforcement operation was not only successful in scaring off at least some affiliates, but also provided a free encryption key that is thought to have helped at least a few hundred of the ransomware gang’s victims. But with reports indicating that the group has pulled in at least $300 million over the past two years, the operators may not be in a big hurry to abandon their brand name and remaining infrastructure.