“Inter-cartel” strife and affiliate poaching could hamstring ALPHV in 2024


Ransomware group ALPHV/BlackCat is still a primary threat to organizations around the world despite a marked decline in 2023, according to new research.

An investigation by ZeroFox tracking the activity of the ransomware-as-a-service (RaaS) gang shows that, although the group has conducted “significantly more” attacks so far in 2023, it is losing ground in the overall digital extortion landscape.

Since January 2022, ALPHV has been responsible for around 10% of all observed ransomware and digital extortion (R&DE) attacks around the world, yet according to ZeroFox data this share has been decreasing since Q2 2023.

North America is the primary region targeted by ALPHV threat actors, as is the case with other R&DE collectives, with about 56% of attacks focused on organizations in the region this year.

ALPHV is one of the top three most prolific threat collectives active in the NA region, ZeroFox’s report found. The five most targeted industries in the region include manufacturing, healthcare, financial services, legal & consulting, and retail.

The collective also occupies the number two spot in Europe, accounting for roughly 20% of all attacks.

ALPHV is still a big player, but is its popularity waning?

Daniel Curtis, senior intelligence analyst at ZeroFox, said ALPHV/BlackCat has been a major contributor to global R&DE activity in recent years, yet this activity may slow down over the coming year.

“ALPHV has been one of the most prominent ransomware and digital extortion (R&DE) threats to the majority of industries globally over the last two years.”

“However, the extortion cartel’s blog is currently experiencing long periods of downtime, which happens from time to time in these ecosystems and is usually the result of an undisclosed law enforcement operation, inter-cartel strife, or network maintenance,” Curtis noted.

The downtime of the group's leak site, which first went offline on December 10, was attributed by some analysts to a law enforcement operation, but this has not been confirmed.

At the time of writing, ALPHV/BlackCat’s leak site is back online but only features four victims, as opposed to the hundreds of other victims normally listed on the site, suggesting things are not fully operational yet.

Inter-cartel strife is another possible cause of ALPHV/BlackCat’s availability struggles. There is speculation that the group’s leak site setbacks may have allowed a competing ransomware collective, LockBit, to poach recruits from ALPHV’s ranks.


LockBit affiliates have been observed advertising their leak site to ALPHV/BlackCat affiliates, as well as trying to encourage these users to adopt their ransomware platform.

Previous research on LockBit’s activity found the group remains the most dangerous ransomware threat to organizations across the globe, and its expansion in recent months may come at the expense of other gangs including ALPHV.

Doubt around the availability of the group’s leak site could push associates to other ransomware leak sites in order to continue their extortion operations, Curtis suggested.

“Rumors abound in credible deep and dark web communities (DDW) as to what exactly is causing the blog and probably negotiation channels to remain down, with the most credible DDW sources indicating a probable law enforcement action being taken against the cartel,” Curtis explained.

“Any disruption will very likely only result in a temporary suppression of the threat from its operatives. If unable to continue deploying the strain, ALPHV affiliates will very likely quickly pivot to other R&DE offerings and continue targeting victims at scale and at pace.”

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.