ALPHV ransomware site outage rumored to be caused by law enforcement

A law enforcement operation is rumored to be behind an outage affecting ALPHV ransomware gang's websites over the last 30 hours.

The ALPHV (aka BlackCat) negotiation and data leak sites suddenly became unavailable yesterday and continue to remain down today.

BleepingComputer has also confirmed that unique Tor negotiation URLs shared with victims in ransom notes are also down, indicating a disruption to the ransomware gang's public-facing infrastructure and a halt to ongoing negotiations.

ALPHV data leak site not operational
Source: BleepingComputer

When questioned yesterday about the disruption, the Admin for ALPHV told BleepingComputer that the sites may be back online soon.

That was 20 hours ago, and the sites continue to remain down at this time.

The Tox status for the Admin claims that the operation is repairing their servers but they have not answered questions about what happened.

Admin showing "Repair" as their Tox status
Source: BleepingComputer

However, BleepingComputer suspects that the ransomware gang may have suffered potential law enforcement action after their recent activities, which was also hinted at by others.

"Hearing wild (and strong) rumours that ALPHV/Blackcat has been paid a visit by the FBI," reads a tweet by someone named Evangelos G.

While it has not been confirmed whether the FBI or any other law enforcement agency breached ALPHV's servers, similar law enforcement operations have occurred in the past.

For example, when the FBI breached REvil's servers, they obtained the decryption keys for the victims of the Kaseya ransomware attack.

Similarly, the FBI hacked Hive's infrastructure, secretly obtaining decryption keys and disseminating them to victims.

BleepingComputer contacted the FBI about the ALPHV website disruption, but a reply was not immediately available.

A rebrand in the making

The ALPHV/BlackCat ransomware operation is believed to be a rebrand of the DarkSide gang. The operation launched in 2020 and quickly rose to prominence over the next year.

However, after attacking the Colonial Pipeline, the ransomware gang faced intense scrutiny by the US government and international law enforcement, ultimately leading to the seizure of their infrastructure and the operation shutting down.

Only a few months later, the ransomware gang returned, this time under the name BlackMatter. However, the managers of this operation claimed in an interview that they were affiliates of the DarkSide operation and not the original leaders.

Only a short four months later, BlackMatter shut down its operation in November 2021 after claiming to be under pressure from law enforcement.

In February 2022, the ransomware gang returned again, this time under the name ALPHV, also known as BlackCat, for an image used on their Tor negotiation sites.

While this rebrand started out like most ransomware gangs, targeting companies in extortion attacks worldwide, they have expanded their operations by partnering with English-speaking affiliates and targeting critical infrastructure, such as hospitals and water suppliers.

Due to this, it was only a matter of time until they again felt the scrutiny of law enforcement, whether it be this disruption or a future one.