Lessons from the BlackCat/ALPHV Takedown

By Bill Bernard, VP, Security & Content Strategy & Neal Humphrey, VP, Market Strategy

Estimated Reading Time: 4 minutes

Threat actors behind BlackCat/ALPHV got some unwanted press this week – the FBI has managed to both interrupt their dark web presence but also has provided a free, effective decryptor for anyone who has been struck by their ransomware. Depending on the time of day, the BlackCat site has shown either the FBI takedown notice or some retaliatory threats by the BlackCat group. What can we take out of the back and forth so far today?

  • The FBI definitely got their attention and published a decryption tool that can positively impact up to 500 companies/entities – entities that now have less reason to pay a ransom.
  • BlackCat is claiming that due to the seizure of the blog sites and other infrastructure, 3000 companies/entities will now not receive their decryption keys after they pay.
  • Looks like an ownership fight today on a specific leak site as both the FBI and BlackCat have copies of the private keys for publishing to the site. Until one side or the other updates those keys the back-and-forth will likely continue. Either way, the site is not usable by BlackCat at this time.
  • BlackCat is threatening repercussions on the actions of the FBI by now allowing their “affiliates” (those using their service) to attack critical infrastructure across the globe, outside of the geography they consider off limits, generally nations that they feel will protect them from international police efforts.

The best thing to take away from this is that the FBI is being proactive and pushing back against these organizations. They are attempting to be more proactive in dealing with what is an international issue. There have long been talks about bounty-based white hat activity, admiralty court-style organization, and “privateering”. This certainly is not the beginning of that scenario, but any successful interruption is never a bad thing on its own.

A question or concern that has been raised is on the loosening of targets as a “lesson” from the BlackCat group’s message. We do know that there are rules to the game, and that these organizations do attempt to abide by some business ethics, or else they would never get payments. We must remember that they are running businesses, albeit criminal ones. Attacks on critical infrastructure may cause damage that could limit their opportunities to extract payment. It causes greater scrutiny from law enforcement. It can also cause larger geo-political issues at government-to-government levels.

From a current CISO perspective, today’s dust-up really should drive home the need to review your business and operational risks and look over that malware/ransomware response and recovery playbook you have beside the desk. What is the rebuild plan in case of a critical successful attack? Especially if your plan was to pay ransom as quickly as possible–3000 companies won’t be getting their keys now. Payment may no longer be an option. Cyber resilience starts in the business and in the security program.

Is This The End of BlackCat?

It’s important to note this event just happened. There is a good chance threat actors/affiliates will migrate to other ransomware-as-a-service vendors. There is also a good chance, based on current chatter, that BlackCat has already moved to other infrastructure and has not been mortally impacted. 

Consider the takedown of CLOP. In June of this year, Ukrainian officials claimed to have taken down the CLOP ransomware gang’s infrastructure. In July, however, CLOP began posting data stolen from the MOVEit vulnerability. Exploiting this zero-day allowed threat actors to steal data from almost 600 organizations worldwide. With that one zero-day vulnerability in MOVEit file transfer software, CLOP accounted for 13% of all ransomware victims in Q3. CLOP’s exploitation of a critical zero-day vulnerability (CVE-2023-34362) in Progress Software’s MOVEit Transfer is the third such effort ascribed to CLOP targeting file transfer systems during the first half of 2023. They included the GoAnywhere attacks in February and the PaperCut attacks in April.

A significant percentage of victims, with best estimates being between 27% – 41%, quickly pay threat actors’ demands and thus are never observed on a leak site. That means that the total number of ransomware victims might range somewhere between ~5,500 – 7,000 total businesses in 2023. -Corvus Insurers, 2023

If you need help with response, recovery, and resilience planning for your security program, discover how Deepwatch threat management capabilities help you withstand, recover, and adapt to threats like ransomware.

In a recent Deepwatch webinar, we spoke with famous hacker and cybersecurity professional Marcus Hutchins, who single-handedly thwarted the 2017 WannaCry attack that infected over 300,000 victims worldwide. Watch it on demand as we discuss the evolution of ransomware including double-distortion and ransomware-as-a-service—and the need for human-led cybersecurity efforts to improve your resilience to ransomware.


Bill Bernard, VP, Security & Content Strategy

Bill Bernard is a seasoned security expert with 20+ years of experience collaborating with customers to select and deploy the right security solutions for their business. Bill has held various solutions architecture roles throughout his career and holds a variety of security certifications including CISSP, CIPP-E and CIPM.

Read Posts

Neal Humphrey, VP, Market Strategy

Throughout his 20 year career in the security industry Neal has held a variety of roles including Principal Security Engineer at SourceFire, Technical Solutions Architect for Cisco, and as a Director of Threat Intelligence Engineers at ThreatQuotient. Neal has worked with small to medium sized businesses as well as enterprise level organizations to help their security teams identify and solve Cyber Security Operation challenges, as well as help them understand and mature Security Architectures and processes.

Read Posts


LinkedIn Twitter YouTube

Subscribe to the Deepwatch Insights Blog