Threat Trend Report on Deep Web & Dark Web – Ransomware Groups & Cybercrime Forums and Markets of December 2023

Note

This trend report on the deep web and dark web for December 2023 is divided into three sections: Ransomware, Forums & Black Markets, and Threat Actors. Please note in advance that some of the content has not yet been confirmed to be true.

Major Issues

1) Ransomware

(1) ALPHV (BlackCat)

The ALPHV (BlackCat) ransomware gang's dedicated leak site (DLS) was taken down by law enforcement authorities. The US Department of Justice announced that the DLS had been taken down in a joint operation of law enforcement agencies from the US, Europol, Denmark, Germany, the UK, the Netherlands, Australia, Spain, and Austria.

Figure 1. MeridianLink listed as a victim on the ALPHV (BlackCat) ransomware gang’s DLS

Additionally, the FBI developed a decryption tool that gave all FBI field offices in the US, as well as law enforcement agencies around the world, the ability to decrypt files for victims in more than 500 cases. This solution was made possible through the cooperation of dozens of victims in the US and abroad, and it spared many victims from paying a total of 68 million dollars in ransom. The FBI had the help of a Confidential Human Source (CHS) who signed up as an affiliate of the ALPHV group. The CHS obtained the login credentials for the backend panel from the RaaS operator before the operation was carried out.[1]

Before the official announcement above, rumors had already begun circulating that the BlackCat ransomware gang's DLS had been shut down by law enforcement authorities. The DLS had been unavailable since the night of December 7 (UTC+9), and from December 13 (UTC+9) it could be accessed again, but showed only an empty page with no victim list. Afterward, the gang regained control of the DLS, as shown below. Currently, the DLS redirects to a new onion address of the BlackCat ransomware gang.

Figure 2. BlackCat ransomware gang regained control of its seized DLS – <Source: bleepingcomputer.com>

This means that the BlackCat ransomware gang has regained control of the DLS. According to their statement in Russian, they have changed their rules so that affiliates are now allowed to attack all infrastructure, including previously banned targets such as hospitals and nuclear power plants. The ransom split was also adjusted to 90% in the affiliates' favor so that they take a larger share of the profits. This appears to be an attempt to keep affiliates and initial access brokers (IABs) from leaving the gang, as some security researchers predict that affiliates and IABs will move to another RaaS organization, or that the BlackCat ransomware brand will change, now that trust in it has been lost.

| Period | Details |
| --- | --- |
| August 2020 | Started as the DarkSide ransomware gang |
| July 2021 | To avoid surveillance and tracking by law enforcement authorities after the attack against Colonial Pipeline, the gang rebranded as BlackMatter |
| November 2021 | Emsisoft creates a decryption tool leveraging a flaw in the ransomware, and the gang rebrands as ALPHV/BlackCat after its servers are seized |

Table 1. Rebranding history of the BlackCat ransomware group

The takedown of the BlackCat ransomware gang's DLS by law enforcement authorities last December offers the following significant takeaways.

  • Persistence of cybercrime: This case showed that cybercrime is a persistent phenomenon that cannot be fully eradicated, even with the involvement of law enforcement authorities.
  • Necessity of international cooperation: Because cybercrime crosses borders, international cooperation is required to respond to it effectively.

[1] https://www.bleepingcomputer.com/news/security/how-the-fbi-seized-blackcat-alphv-ransomwares-servers/