Seemingly stunned by this week’s action by law enforcement agencies in several countries, members of two ransomware groups allegedly talked about forming a partnership.
Security researchers on Twitter/X posted an online conversation that appears to be between a member of the AlphV/BlackCat ransomware group, whose sites were taken down, and a member of the LockBit ransomware gang.
“LockBit is right, we should all join a cartel or they will hunt us all down one by one,” an alleged AlphV/BlackCat gang member said.
In a commentary, Keegan Keplinger, senior security researcher with eSentire’s Threat Response Unit, noted that “as of December 21, AlphV still has a blog site up and running, and they posted a new victim as recently as December 20, alongside several other recent victims, who had appeared previously on their main data leak site.
“Whether or not the AlphV ransomware group rebrands to a new ransomware or not, it’s likely they’ll maintain most of their affiliate relationships to some degree. Because they face disruption efforts, some affiliates may be cautious not to invest time and energy into operations that may be disrupted or sanctioned from ransomware payments. However, if AlphV rebrands, they get to reset their heat meter with law enforcement while maintaining much of the relationships and reputation they’ve developed in the cybercrime market.”
One of the AlphV/BlackCat gang’s most loyal and longtime affiliates is the Gootloader cybercrime group, Keplinger noted. The Gootloader operators, like the leaders of the AlphV/BlackCat, are Russian-speaking, and they have been running sophisticated, meticulously-planned attack campaigns, non-stop, for the past three and a half years.
Gootloader is a browser-based threat delivered through search engine optimization (SEO) poisoning. The gang has hijacked thousands of vulnerable WordPress blogs and injected them with malicious content, linked to no fewer than 3.5 million search terms, many of which are legal terms. As a result, a lawyer or paralegal who searches the Web for specific content, such as a type of legal agreement, may find the top search result leads to a Gootloader-infected file. The Gootloader operation infects about 30 computers a day on average, eSentire said.
The assault on AlphV/BlackCat raises the question of how the operators of Gootloader will respond, Keplinger said. It might drop AlphV/BlackCat in favour of another ransomware strain, such as LockBit or Clop (Cl0p), he said.
This year, the FBI took down the Hive ransomware gang and arrested the alleged head of BreachForums. The alleged operators behind DoppelPaymer ransomware gang were arrested. And the suspected developer of the Ragnar Locker ransomware gang was nabbed in Paris.
