International Law Enforcement Coordinates Takedown of Ransomware Gang Alphv’s Infrastructure
Alphv had experienced disruptions to its dark-web communication and leak site, with the FBI claiming seizure as part of a coordinated law enforcement action. In a surprising turn, the gang briefly restored the site, declaring it “unseized,” before law enforcement regained control. Alphv, the second most prolific ransomware-as-a-service variant globally, targeted over 1,000 victims, including critical US infrastructure, over the past 18 months, amassing hundreds of millions in ransom payments.
The gang escalated its audacity by filing a complaint against digital lender MeridianLink and, in response to the law enforcement action, lifted the rules that had barred its criminal customers from attacking critical infrastructure with its ransomware. While the takedown aimed to deal a significant blow, it was not accompanied by sanctions or indictments. Alphv’s disruptive attacks targeted companies like MGM Resorts and extorted massive payments, such as $15 million from Caesars Entertainment, reaching sectors like healthcare, defense, education, manufacturing, and government.
Despite the intervention, concerns persist about dealing with cybercriminal actors like Alphv, especially those seemingly based in Russia. Analysts noted that law enforcement’s delayed response may have been due to an ongoing investigation into the group’s actors. The takedown involved collaboration with law enforcement agencies from the US, UK, Australia, Germany, Spain, and Denmark. The FBI developed a decryptor tool, assisting over 500 victims in recovering from attacks and avoiding approximately $68 million in ransom payments. Alphv’s shift towards allowing attacks on critical infrastructure raises concerns and underscores the importance of decryptors as a tool in the ongoing battle against ransomware groups that use a hybrid model of encryption and data theft. The decryptor matters all the more because the threat of leaking stolen data for extortion continues to pose risks to national security even after files are recovered.
Law enforcement obtained login credentials through a confidential human source, although the method behind Alphv’s temporary site restoration remains unclear.