December 11, 2023

With ransomware leak site offline, has BlackCat run out of lives?

The group, also known as Alphv, has been out of action for days. Have law enforcement agencies struck?

By Matthew Gooding

BlackCat’s dark web leak site has been offline for five days, and security researchers believe the ransomware gang may have been targeted by law enforcement agencies. If confirmed, it could be the end of the road for one of the most active cybercriminal gangs currently in operation.

Have BlackCat’s nine lives run out? (Photo by Anna Krivitskaya/Shutterstock)

The site where BlackCat, also known as Alphv, posts details of its victims went down on Thursday 7 December and has yet to be restored.

Does BlackCat have its tail between its legs?

The prolonged outage has led to speculation that the group may have been targeted in a law enforcement sting.

Other cybercriminals certainly seem to think so. Yelisey Bohuslavkiy, chief research officer at security vendor RedSense, says he has spoken to administrators at groups including LockBit and Black Basta, which are known to have links to BlackCat, who confirmed the group has been disrupted by police.

However, he added on X that the group’s admin maintains that “everything will work soon”, suggesting BlackCat expects to be back up and running.

Security vendor ReliaQuest notes that BlackCat’s site has “a history of connectivity issues”, with periodic outages, but this is one of the longest the gang has faced.


Whatever the cause, ReliaQuest says the problem could lead to hackers affiliated with BlackCat joining other groups or starting their own gangs. “This disruption would force affiliates to move on to other ransomware affiliate programs or develop their own,” the company said. “Previously, these types of law enforcement actions have resulted in affiliates spreading into new affiliate programs, bringing in experience from previous programs.”

ReliaQuest’s researchers point out that BlackCat itself is thought to have formed when former affiliates of two other ransomware groups, DarkSide and BlackMatter, joined forces.

Law enforcement agencies have been taking on ransomware gangs with increasing regularity in recent months. In January, the Hive group’s infrastructure was taken offline in an FBI-led operation supported by Europol, while in August an FBI-led operation disrupted Qakbot, a botnet which had infected over 700,000 devices. Then in October, RagnarLocker had its dark web portal seized by police in an action coordinated by Europol.

BlackCat’s lengthy list of victims

Believed to operate out of Russia, BlackCat has claimed a host of victims over the past two years including social network Reddit, Munster Technological University, Barts Health NHS Trust, watchmaker Seiko and technology vendor Casepoint. It is also thought to be behind a breach of UK law firm Sills & Betteridge that occurred last month.

The group raised eyebrows after an apparent hack on financial software provider MeridianLink by claiming to have reported its victim to the US financial regulator, the SEC. BlackCat said it was making the complaint because MeridianLink had “failed to file the requisite disclosure under Item 1.05 of Form 8-K with[in] the stipulated four business days, as mandated by the new SEC rules”. Ransomware gangs are known to use such tactics to try to convince their victims to pay up, betting that the threat of regulatory penalties and public disclosure weighs more heavily on the victim than the ransom demand itself.
