Despite law enforcement efforts to take down the notorious ALPHV/BlackCat ransomware gang, the cybercriminals are not going down without a fight.
Latest developments have shown that the site that was supposedly ‘taken down’ by the FBI has now been ‘unseized.’
The US Department of Justice (DoJ) announced a technical operation against BlackCat on December 19, accompanied by a notice on the group's website stating its seizure by the FBI.
However, some hours later, the group responded with its own notice on the original main leak site.
A Tussle With the FBI
“We’re in a situation where law enforcement and the operators of BlackCat both have the private key to the Tor .onion site and are therefore able to create different sites at the same URL,” Tim Mitchell, a senior threat researcher at the Secureworks Counter Threat Unit, explained to Infosecurity.
“The site with the most recent changes is most likely the one visitors will be greeted with. Law enforcement may be reluctant to engage in a back-and-forth as it might undermine perception of the effectiveness of their efforts.”
Tim West, head of cyber threat intelligence at WithSecure, said: “Seizing of dark web infrastructure works in a different manner to seizing web pages on the surface web. ‘Owners’ of a hostname will be able to publish on that hostname if the publisher holds the correct private key. If two entities hold the same private key, then they can essentially each update the resource - and jostle for control of the blog.”
West explained that, in theory, two entities can hold the same private key by accident if hostnames clash, but the chances of this are mathematically remote, and both the FBI warrant and BlackCat’s commentary allude to the employment of an insider.
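The mechanism Mitchell and West describe follows from how Tor version 3 onion hostnames are built: the 56-character name is a base32 encoding of the service's ed25519 public key, a two-byte SHA3-256 checksum and a version byte, so whoever holds the matching private key can answer at that name. The example below, added here and not taken from the article or from any of the quoted researchers, derives and parses such a hostname from a constructed 32-byte public key (not a real key), and puts a rough number on the "mathematically remote" chance of two parties ending up with the same key by accident. The 2**250 figure used for the size of the ed25519 key space is a conservative assumption, not a value from the article.

```python
import base64
import hashlib

# Tor v3 onion address layout (rend-spec-v3):
#   onion_address = base32(PUBKEY | CHECKSUM | VERSION) + ".onion"
#   CHECKSUM      = SHA3-256(".onion checksum" | PUBKEY | VERSION)[:2]
ONION_VERSION = 3
CHECKSUM_PREFIX = b".onion checksum"

# Constructed sample public key for illustration only; not an actual ed25519 key.
SAMPLE_PUBKEY = bytes(range(32))


def onion_checksum(pubkey: bytes, version: int = ONION_VERSION) -> bytes:
    """First two bytes of SHA3-256(".onion checksum" || pubkey || version)."""
    digest = hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + bytes([version])).digest()
    return digest[:2]


def onion_address(pubkey: bytes) -> str:
    """Derive the v3 .onion hostname that belongs to a 32-byte ed25519 public key.

    Only the holder of the corresponding private key can sign the descriptors
    Tor requires, which is why control of the key equals control of the name.
    """
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    payload = pubkey + onion_checksum(pubkey) + bytes([ONION_VERSION])
    # 35 bytes = 280 bits = exactly 56 base32 characters, no padding.
    return base64.b32encode(payload).decode("ascii").lower() + ".onion"


def parse_onion_address(address: str):
    """Decode a v3 .onion hostname into (pubkey, checksum_ok).

    A failed checksum means the name was mistyped or tampered with; it does
    not by itself say anything about who controls the key.
    """
    name = address.lower()
    if name.endswith(".onion"):
        name = name[: -len(".onion")]
    if len(name) != 56:
        raise ValueError("not a v3 onion address")
    raw = base64.b32decode(name.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
    if version != ONION_VERSION:
        raise ValueError("unsupported onion address version %d" % version)
    return pubkey, checksum == onion_checksum(pubkey, version)


def accidental_clash_bound(n_keys: int, keyspace_bits: int = 250) -> float:
    """Birthday-style upper bound on the chance that two of n_keys independently
    generated ed25519 keys coincide. keyspace_bits=250 is an assumed conservative
    size for the space of distinct ed25519 public keys."""
    pairs = n_keys * (n_keys - 1) / 2
    return pairs / 2.0 ** keyspace_bits


if __name__ == "__main__":
    addr = onion_address(SAMPLE_PUBKEY)
    print("derived hostname:", addr)
    pubkey, ok = parse_onion_address(addr)
    print("round-trip pubkey matches:", pubkey == SAMPLE_PUBKEY, "checksum ok:", ok)
    print("clash bound for a billion keys:", accidental_clash_bound(10**9))
```

The parser confirms only that a hostname is well-formed; it cannot distinguish the original operator from anyone else who obtained the key, which is exactly the situation the researchers describe. The clash bound for even a billion independently generated keys is far below 1e-50, so a shared key in practice means the key itself was copied, not that two parties happened to generate the same one.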
Commenting on social media, Alexander Leslie, a threat intelligence analyst at Recorded Future, said: “As long as ALPHV retains their private keys, they’ll still have access to the blog. They could also spin up a second server. It’s not some incredible feat of intellect.”