Categories: Technology

Thurgau police are helping to stop one of Russia’s most dangerous ransomware gangs

Investigators have infiltrated the infamous cybercrime group ALPHV, aka "BlackCat", and crippled parts of its infrastructure. The Thurgau cantonal police were also involved in the international operation.
Daniel Schurter

The official website of the infamous ransomware gang ALPHV (also known as "BlackCat") has been seized by law enforcement authorities.

A familiar banner appeared on the gang's darknet site on Tuesday: the US federal police, the FBI, announced that the website had been seized.

The FBI, the US Department of Justice and several European security agencies, including the Thurgau cantonal police, were involved in the international operation.

Media spokesperson Andy Theler confirms:

“Specialists from the cybercrime organizational unit of the Thurgau cantonal police were involved in the international investigation coordination group for the Blackcat case.”

The Thurgau cantonal police are currently not allowed to say anything more about the complex investigations, which are reportedly still ongoing. This is probably one of the largest cases of ransomware crime to date, if not the largest.

Communications about the international operation are being handled by the US side. The Department of Justice put it this way:

“By dismantling the BlackCat ransomware group, the Department of Justice has hacked the hackers again.”

Investigations are under way on at least three continents: North America, Europe and Australia.

Also involved are the National Crime Agency (NCA) in Britain, the Directorate of State Protection and Intelligence (DSN) in Austria, the Spanish and Austrian national police, the Danish Special Crime Unit, the Australian Federal Police and, as the European coordinating body, Europol.

What makes the operation so special?

According to a detailed press release from the US Department of Justice, the FBI has developed a decryption tool. The software allows FBI field offices and law enforcement agencies around the world to help more than 500 affected victims recover their encrypted data.

The FBI has so far worked with dozens of victims in the United States and abroad to deploy this tool, saving several victims from ransom demands totaling approximately $68 million.

According to a search warrant released Tuesday in the Southern District of Florida, U.S. federal law enforcement was able to gain access to the ransomware group’s computer network as part of the investigation and ultimately seize several websites operated by the group.

The search warrant states that a confidential informant gained access to the ALPHV infrastructure. In other words: the investigators had a person on the inside, and this person gave them access to important data. Specifically: the keys needed to decrypt the data the cybercriminals had encrypted on their victims' systems.

How dangerous is ALPHV?

ALPHV is one of the most dangerous and active ransomware gangs in the world. Since it emerged in late 2021, it has attacked more than a thousand companies and other organizations. The Russian-speaking operators followed the Ransomware-as-a-Service (RaaS) business model: they supplied the malware and infrastructure, while partners (affiliates), including in Western countries, carried out the actual intrusions in exchange for a share of the ransom.

The gang was still active until a few days ago. Among other things, it recently claimed responsibility for a cyberattack on the German Energy Agency (dena).

Over the past 18 months, ALPHV has become the second most prolific RaaS variant in the world, measured by the hundreds of millions of dollars in ransoms paid by victims worldwide. Because of the global scale of these crimes, law enforcement authorities in several countries conducted parallel investigations.

ALPHV targeted a wide range of sectors, including critical infrastructure operators, financial sector companies, government and educational institutions, and manufacturing companies. However, the exact number of victims and the full extent of the damage remain unknown.

One of the gang's distinguishing characteristics is its ruthlessness. To put even more pressure on one victim, the cybercriminals published images of breast cancer patients. And recently they went so far as to report a victim that refused to pay to the U.S. Securities and Exchange Commission (SEC), accusing it of failing to disclose the breach.

Is this definitively the end of ALPHV?

That’s not clear.

VX Underground, an independent online project specializing in malware research whose operators have excellent connections in the Russian-speaking cyber underworld, weighed in on the case on Tuesday.

The malware researchers, who maintain contact with the largest ransomware groups, published an excerpt from an alleged conversation with the ALPHV administrator. In it, it is claimed that only "an old domain" belonging to the gang was seized by the FBI, and that the gang had "moved the servers and blogs [to another location]".

But even if the gang did manage to move its infrastructure to other servers, the increased law enforcement attention would likely reduce the willingness of affiliates to keep working with it. Some experts speculate that the supposedly still functional website is a "honeypot" set up by the FBI.

The gang’s main darknet page went offline in early December and was inaccessible for several days. Subsequently, rumors spread relatively quickly that it had been closed down by law enforcement authorities. The gang categorically denied such allegations. But now it appears that the cybercriminals lied.

Sources

  • justice.gov: Justice Department disrupts prolific ALPHV/Blackcat ransomware variant (December 19)
  • bleepingcomputer.com: FBI disrupts BlackCat ransomware operation, creates decryption tool

Source: Watson