BlackCat’s dark web has been offline for five days, and security researchers believe the ransomware gang may have been targeted by law enforcement agencies. If confirmed, it may be the end of the road for one of the most active cybercriminal gangs currently in operation.

Have BlackCat’s nine lives run out? (Photo by Anna Krivitskaya/Shutterstock)

The site where BlackCat, also known as Alphv, posts details of its victims, went down on Thursday 7 December and has yet to be restored.

Does BlackCat have its tail between its legs?

The prolonged outage has led to speculation that the group may have been targeted in a law enforcement sting.

Other cybercriminals certainly seem to think so. Yelisey Bohuslavkiy, chief research officer at security vendor RedSense, says he has spoken to administrators at groups including LockBit and Black Basta, which are known to have links to Black Cat, who confirmed the group has been disrupted by police.

However, he added on X that the group’s admin maintains that “everything will work soon”, suggesting BlackCat expects to be back up and running.

Security vendor ReliaQuest notes that BlackCat’s site has “a history of connectivity issues”, with periodic outages, but this is one of the longest the gang has faced.

Whatever the cause, ReliaQuest says the problem could lead to hackers affiliated with BlackCat joining other groups or starting their own gangs. “This disruption would force affiliates to move on to other ransomware affiliate programs or develop their own,” the company said. “Previously, these types of law enforcement actions have resulted in affiliates spreading into new affiliate programs, bringing in experience from previous programs.”

Reliaquest’s researchers point out that BlackCat itself is thought to have formed when former affiliates of two other ransomware groups, DarkSide and BlackMatter, joined forces.

Law enforcement agencies have been taking on ransomware gangs with increasing regularity in recent months. In January, the Hive group was taken offline in a raid by Interpol, while in August an FBI-led operation disrupted Qakbot, a botnet which had infected over 700,000 devices. Then in October, RagnarLocker had its dark web portal seized by police led by Europol.

BlackCat’s lengthy list of victims

Believed to operate out of Russia, BlackCat has claimed a host of victims over the past two years including social network Reddit, the Munster Technical UniversityBarts Health NHS Trust, watchmaker Seiko and technology vendor Casepoint. It is also thought to be behind a breach of UK law firm Sills & Bettridge that occurred last month.

The group raised eyebrows after an apparent hack on financial software provider MeridianLink by claiming to have reported its victim to the US financial regulator the SEC. BlackCat said it was making the complaint because MeridianLink had “failed to file the requisite disclosure under Item 1.05 of Form 8-K with[in] the stipulated four business days, as mandated by the new SEC rules”. Ransomware gangs are known to use such tactics to try and convince their victims to pay up, with the threat of a fine often exceeding that of the demanded ransom.

Read more: BlackCat uses Microsoft drivers to avoid detection