Feds Snarl ALPHV/BlackCat Ransomware Operation

Published: 23/11/2024   Category: security




Dark Web chatter indicates that Scattered Spider worked with the FBI to take down the BlackCat/ALPHV operation.



After nearly two weeks of speculation, the US Department of Justice has claimed credit for taking down the ALPHV/BlackCat leak sites and infiltrating the ransomware group's network.
Experts speculate this could be a wrap for the ransomware group just in time for the holidays — sending its leadership into retirement and its affiliates off to find a new operator.
The FBI is also offering a free decryptor that it developed to help the more than 500 ALPHV/BlackCat victims it has identified recover their systems.
According to the FBI warrant to search BlackCat property, unsealed today along with a DoJ announcement of the takedown, law enforcement was able to infiltrate the BlackCat operation with help from a confidential human source who applied to the group to become an affiliate. The informant was granted credentials to the ransomware group's dashboard, used to manage breaches, extortion demands, and payments, giving law enforcement a way into the operation, the warrant said.
Just weeks ago, the FBI received criticism for not acting more quickly to arrest the brazen Scattered Spider group. But it could be that the cops were working another angle.
Yelisey Bohuslavskiy, chief research officer with RedSense, was among the first to publicly confirm that the BlackCat system outages were the result of law enforcement efforts, back on Dec. 8. He tells Dark Reading that chatter in the ransomware ecosystem points to members of Scattered Spider having worked on the inside with the FBI.
"This sounds compelling, as the only thing needed for such an operation is access to the blog and data servers, which a member of Scattered Spider may have had," Bohuslavskiy says.
"This action by law enforcement sends a very strong message to ALPHV affiliates and other threat actors," Charles Carmakal, Mandiant's consulting CTO for Google Cloud, explained to Dark Reading in an emailed comment. "Some of the ALPHV affiliates are still active, however, including UNC3944 (Scattered Spider). We expect some affiliates will continue their intrusions as normal, but they will likely try to establish relationships with other ransomware-as-a-service (RaaS) programs for encryption, extortion, and victim-shaming support."
The DoJ refers to these types of cybersecurity law enforcement actions as "hack the hacker" operations, and according to Michael McPherson, a former FBI special agent currently with ReliaQuest, they are intended to send the message to cybercriminals everywhere that they could be next.
"The desired effect of a disruption is to keep the criminals looking over their shoulder," McPherson says. "Are they next? Are they already infiltrated by law enforcement?"
There's also the goal of undermining profitability for cybercrime gangs. McPherson added that law enforcement organizations accept that it might not be realistic to expect a takedown to totally dismantle sophisticated cybercrime rings like BlackCat. Through these sophisticated "hack the hacker" takedowns, they hope to at least slow them down and drive up the cost of committing cybercrimes.
Successful disruption of a group like BlackCat also signals to both current and potential victims that when they are breached by ransomware, there are viable alternatives to paying the extortion, McPherson says.
"Helping 500 victims with a decryption tool in this instance will hopefully show organizations that collaborating with law enforcement is a far better option than paying the criminals," he explains. "That said, ransomware remains highly profitable, and it will not stop criminals from trying their luck until the risk-reward dynamic changes."
If history is any indicator, Bohuslavskiy doubts the ALPHV/BlackCat operation will be able to recover from this takedown in any meaningful way.
"Based on previous cases of law enforcement action, organized crime groups do not recover from a critical infrastructure hit like a blog takedown, as this leads to their existential failure," he explains. "The blog has everything, from encryption keys to verified means of communication between group members."
Bohuslavskiy predicts the ALPHV leadership will retire from the ransomware game after the FBI disruption.
"ALPHV had a very small crew of top-tier pen testers. They have made enough money to retire now, and there are very few crime collectives which have enough reputation to attract people with such skills — namely ex-Conti collectives like BlackSuit or BlackBasta," he explains. "Since they won't have anywhere to go (LockBit is perceived as an extremely poorly governed setup with an unstable admin and a comical support crew; Hive was dismantled; and smaller groups won't have enough money to pay pentesters of this level), their logical path is to retire."
Making it easier to retire than to continue the ransomware operation is precisely what the FBI was hoping to accomplish with the BlackCat/ALPHV operation. "This is exactly why LEA is effective — it weaponizes the group's fatigue to the point of quitting," Bohuslavskiy adds. "And because there are very few capable people across the ransomware domain, as they quit, the ransomware ecosystem degrades."
