How Law Enforcement Actions Break Down Ransomware (featuring a Black Cat)

Personal thoughts on the long-term impacts a Law Enforcement Action (LEA) can have on the threat ecosystem at large.

By Yelisey Bohuslavskiy, RedSense Chief Research Officer

Featuring Mr. Gorgeous the Cat 🐈

Early on the morning of December 7th, while I was lounging with my black cat, Mr. Gorgeous, my team at RedSense informed me a federal offensive was taking place against ALPHV, coincidentally also known as BlackCat. Mr. Gorgeous seemed unfazed by the news and continued to groom himself, but I imagined ALPHV/BlackCat was absolutely furious their infrastructure had been brought down. (The action was officially confirmed on December 19, 2023.)

I had been invited to a UK threat panel to present on BlackCat only a month prior so I checked in with the panel host. She said something to the effect of “Can you please change the subject of the presentation to something with a bigger ‘wow’ factor? BlackCat was a big deal when we scheduled the conference, but now that they’re gone, nobody cares about them that much”. Sic transit gloria mundi, indeed.

Screenshot of ALPHV’s collections site notice of seizure, which was posted by international law enforcement agencies after the site was taken down on December 19th. NOTE: At time of writing, BlackCat has temporarily replaced this notice with a redirect to a new underground domain.

This is, of course, a personal anecdote, and knowing how great the UK threat intel crew is, I know that they will care about BlackCat whether they’re online or off. But this anecdote relates to a larger discussion: What is the impact of “going offline” exactly? And what actually happens to ransomware groups such as BlackCat when such an operation succeeds?

Most importantly, what long-term impacts can an LEA (Law Enforcement Action) have on the threat ecosystem at large?

There is an undercurrent of skepticism regarding law enforcement operations against cybercrime groups, which is prevalent in the threat intel industry and media. I’m not talking about the kind of skepticism that conveys a baseline misconstrual of the subject matter, such as “Takedowns don’t work because unless you arrest all of them, they will rebrand”. I will explain later why this logic is flawed from a real-world perspective, but to use a metaphor, this argument is essentially equivalent to saying, “Healthcare is not needed because people are still mortal and will die regardless”. Arguing against statements such as these is simply a waste of time, so I will leave this for some Twitter/X battles.

There is a more grounded and rational skepticism that is based on the fact that cybercrime will always have the advantage of novelty. And this is a big advantage. As one of my favorite professors at GWU Security Studies school, M.E. Bowman said in his “International Organised Crime” class:

“Cybercriminals are, by definition, always one step ahead; they come up with a crime, and we respond with a legal framework.”

The truth even extends beyond this: On the LE/defense side, we don’t even know what exactly we are allowed to do when a completely new breed of crime emerges from the woodwork (in this case, ransomware). And when we do figure out how to reconcile our operations within an existing legal framework, we now need to understand what actually works in practice (which even criminals often don’t grasp). And at the end of the day, even when Law Enforcement performs a successful operation, it’s still unclear how to assess the results, and whether we can truly claim victory.

You can see that the other aspect of this criminal advantage is that it forces (no pun intended) the law to operate in the dark—legally, operationally, and analytically. This is why I’ve written this essay in the first place: to prove that Law Enforcement Actions are indeed working and to challenge the aforementioned skepticism by noting which aspects of LEAs were and are effective to this day and how the damage they did to specific ransomware groups led to their eventual demise.

I will be using cases that my team at RedSense (and formerly at AdvIntel) have been following for the past five years from an inside perspective of top ransomware collectives. I will use this perspective to provide an “adversarial vision” of LE’s best practices, which the actors believe present the highest level of threat.

There are five important aspects to the cycle of ransomware dismantlement:

  • Prevention
  • Deterrence
  • Containment
  • Erosion
  • Fatigue

What is interesting is that as you go further, these aspects build upon one another. In other words, each aspect works as a force multiplier for the others. Deterrence leads to further containment, which leads to an increase in erosion and fatigue—this then leads to further prevention, and the cycle repeats, although from a better starting position than the last time.

Disclaimer: Both Prevention and Deterrence are mainly theoretical, so if you’re looking for something more action-focused, jump straight to the “Containment” section.


Aspect 1. Prevention

This is both the easiest and hardest component of the LEA impact cycle to explain.

Prevention is, first and foremost, simple because any action against an adversarial group equals an opportunity cost for them.

The current preeminent example is the FBI’s attack on QBot in August 2023. No, BlackBasta and Cl0p (QBot’s sole users and conglomerates) did not immediately pop out of existence. BlackBasta jumped to the DarkGate loader instead. However, this was a life raft for them, not an improvement: The group lost their precursor access and had to change their entire attack pipeline as a result.

BlackBasta spent the summer harvesting QBot infections to focus on deployments during the Fall. However, when QBot went down, they were thrown back three months, and instead of hitting the dozens of pre-infected targets they had accumulated in one run, they instead had to collect new infections from scratch with an entirely different loader. This doesn’t even include the operational costs for the team to learn to use DarkGate and shift from one precursor to another.

There is a larger correlation between a ransomware shutdown and a shutdown of its botnet partners. This primary source data on 11,000,000 QBot infections in 2020 and 2021 highlights how REvil’s partnership with QBot impacted its life cycle.

For that entire period of time, BlackBasta’s damage capability was stunted, and this was a major prevention win, saving unquantifiable millions in unexecuted attacks. The same quotient applies to every case discussed below: TrickBot, Emotet, Conti and HIVE, and of course, BlackCat.

A day, week, month, or year that a cybercriminal group spends remediating damage is a day, week, month, or year in which they cannot prioritize inflicting damage.

The difficult part of this is the well-known “paradox of prevention,” which essentially states that if a bad thing is prevented, there is nothing to notice, and if it is noticed, this means it was not prevented. In other words, it’s nearly impossible to score prevention as a “win” because, paradoxically, when bad things are prevented, it looks like nothing is happening.*

* If you are curious about this, I suggest these great works:

Conflict Analysis: Understanding Causes, Unlocking Solutions by GWU’s very own Matthew Levinger, and Preventing Violent Conflicts: A Strategy for Preventive Diplomacy by Michael S. Lund (conceptual chapters here).


Aspect 2. Deterrence

Deterrence is a more direct and visible facet of prevention. Simply put, LE operations tend to turn into long-term boundaries, which keep the actors somewhat at bay.

A classic example is the closely related web of DarkSide, REvil, and Avaddon. This small but trusted circle of high-profile pentesters became so confident that they decided to break an unwritten rule of cybercrime: Not to engage in politics.

REvil made numerous political comments that threatened a firm allegedly affiliated with the then US President. They also attacked thousands of US companies, mainly MSPs, during the Kaseya VSA incident. To make matters worse, this all happened on Fourth of July weekend, with REvil publicly mocking the US on its national holiday.

At the same time, DarkSide hit the Colonial Pipeline, and Avaddon began to use multiple encryption attacks against Chinese and Iranian entities while operating out of Russia.

RedSense’s data on Avaddon encryption deployments as of its shutdown in 2021. Note the high presence of attacks against Iran and China, a major political trigger leading to Avaddon’s downfall.

This culminated with the June 2021 Putin-Biden Summit. The Russian troops had been amassing at the Ukrainian border earlier that month, and the Russian dictator had some important things on the agenda to bargain with the Americans for his “act of goodwill” of not invading Ukraine. You can imagine how annoyed he was when half of the summit was about Russian cybercriminals instead.

As a result, the Russian LE (and partly the FBI) ran a large-scale operation, taking down all three groups in 2-3 months. DarkSide and Avaddon never recovered. At the same time, REvil (according to rumors) was at first dismantled, after which some of them were used as scapegoats in the January 2022 Russian arrests, and some were sent to work under the now-deceased Yevgeny Prigozhin.

REvil’s arrest, January 2022. Note that the group was dismantled twice: Once in July 2021, and then right before the beginning of Russia's invasion of Ukraine in 2022.

What is more important, however, is that since then, the actors have not only abstained from getting involved in politics but have also become tremendously more cautious in attacking critical infrastructure, which could possibly lead to “loud” consequences.

Ransomware groups were filtering out hospitals as well as .edu and .gov domains from their botnet precursor lists. Some even stuck to their promises not to attack schools and hospitals. A good example is Royal’s public deletion of school data from its underground blog with an apology, which took place this July.

Royal’s shame blog announcing a novel policy to avoid educational and healthcare targets. Braintree’s data was removed shortly after being posted on July 19, 2023.

While boundary lines are often being crossed and are not an ultimate cure (after rebranding to BlackSuit, the aforementioned Royal has begun attacking schools again), they still have a majorly positive impact, minimizing the potential scale of damages ransomware can yield over time.


Aspect 3. Containment

Containment is the practical combination of prevention and deterrence. It results from an ingrained fear of response, which groups are liable to have after seeing the results of an LEA. This fear locks the group in a rigid framework of preapproved methods and processes, cutting off their supply of fresh air and innovation.

Let us get back to BlackCat, who built their name as the group that was rethinking all aspects of ransomware operations. As my principal researcher, Marley Smith, has written: “In a shifting threat landscape, BlackCat always lands on its feet.” Coming up with a Rust-built locker, being the first to move away from Cobalt Strike and one of the first groups to focus on exploiting ESXi, BlackCat substantially reworked the RaaS model, making it more resilient and safe for threat actors. If Conti were the ultimate traditionalists of ransomware, BlackCat were the progressives. This is why they were the first to begin actively penetrating the English-speaking cybercrime community with their alliance with Scattered Spider, which yielded their main victories.

It is unclear at this point if this was the cause of the government’s response. Rumors which sound logically compelling suggest that BlackCat’s infrastructural exposure came from this English-speaking side in the form of a disenfranchised or threatened Scattered Spider member. Whether this is true or not, it is obvious that other Russian-speaking top actors will not risk allying with the English-speaking groups again for security reasons. This cuts off new innovative approaches like the social engineering skills which were brought to BlackCat by their US-based affiliates.

This is particularly tangible when ransomware groups, even the best ones, suffocate from the lack of novel methods. Containment of innovation helps to circumvent the “novelty advantage” I spoke of earlier. With containment, we learn and they don’t. This enables the defensive team to hit the same spot repeatedly with increasing instead of diminishing returns. In the case of ransomware, be it HIVE or BlackCat, this “spot” is the group’s blog.


Aspect 4. Erosion

Top-tier ransomware groups have an interesting flaw: They change radically, operationally, logistically, structurally, and strategically, but they draw from the same small pool of individuals. Two or maybe three hundred actors are essentially the backbone of all of today’s ransomware APTs, and these are the same people, year after year.

Continuous pressure from law enforcement dries this pool up, exhausts the actors’ arsenal, and enables law enforcement to find weaknesses.

BlackCat, with its innovative approach to payload and deployment, was a great example of adaptability: Rust locker, non-CS, ESXi targeting semi-RaaS (or rather SaaS). Another great example is the post-Conti derivative BlackSuit, which has changed the paradigm entirely. Decentralized teams and servers, former REvil and DarkSide as its vassals, and use of Sliver malware, Brute Ratel, and Nighthawk instead of CS. IABs, instead of botnets. If you look at BlackSuit next to their Ryuk ancestors, no similarities can be seen. LockBit, who encompassed the old Ryuk guard, is also a great case of adaptation. Keeping the facade of a RaaS, their admin builds an entire horizontal network of secret alliances with BlackCat, Cl0p, BlackSuit, and other top pentesters. The admin scams his own affiliates on the RaaS sweatshop, with its cheap labor side, but shares massive equal profit on the elite alliance, if not the corporate side of things.

This adaptability and diversity came from constant change, which resulted from external pressure. But it is this pressure that revealed that even after changing everything, all of these groups are, at their core, the same. While the narrative changes and dissolves, the structure beneath (be it LockBit, BlackSuit, or BlackCat) remains.

What do you get when you combine communications, coordination, encryption, extortion, and administration? You get a ransomware blog. Take the blog out, and you kill the beast. Because when the blog goes down, erosion becomes a fatality. As Chairman Mao said: “Bombard the Headquarters.”

When a group’s blog goes down, credibility is lost, ransomware ID keys are exposed, communication is disrupted, hierarchy is dismantled, and trust is undermined. To state (as was commonly reiterated in regard to the BlackCat takedown) that “taking down a site just pisses the actors off” is like saying that decapitating a snake only causes it to bite: it’s still technically true, but you’re missing the larger picture.

This is the main thing about the anti-blog operation—in the same way that the majority of living creatures die after losing their head, the majority of ransomware APTs die after their blog is taken down. Sometimes it just takes a second for it to kick in. This works just as effectively with BlackCat as it would with LockBit, HIVE, BlackBasta, BlackSuit, or just about any other ransomware APT.

Continuing grim metaphors, there is a well-known “Pyramid of Pain” approach to CTI. It ranks which methodologies have the highest damage inflicted on the adversary. Blog takedown is the absolute apex of this pyramid when it comes to ransomware. And it is because of previous LEAs eroding the overall ransomware landscape that we know this to be the case.

Pyramid of Pain in CTI.


Aspect 5. Fatigue

Fatigue is a combination of all four other aspects. It is also the last one before the cycle repeats, as fatigue leads back to prevention, and so on.

Ransomware groups, especially high-profile ones, are a fragile and loose architecture. They are kept together with a very thin layer of basic trust and a thick web of intrigue that consistently backfires. An offensive action burdens and eventually overwhelms this fragile balance.

The more you are hit, the more you need to rebuild.

At the time of writing, BlackCat is initiating a “burn the house down” approach to rebuilding, removing previous rules regarding acceptable targets. Sure, in the short term, the actors will try to restore their capabilities, but after a while, they will give up. It’s much easier to knock down a house of cards than it is to build it back up again. See the following examples:

  • TrickBot was hit in 2020 and returned stronger and more stealthy several months later in the form of BazarBackdoor & BazarLoader. It was going on a retaliation spree and got AnchorDNS malware from Lazarus and a UEFI-level bootkit function for ultimate ransomware damages. It even had its own pocket ransomware, Diavol, and… ended abruptly in late 2021 due to fatigue.
  • Emotet was hit in 2021, returned in the Summer of 2022 with its SpmTools form, hitting millions of IPs, only to suddenly die out for good in the fall of the same year.
  • Conti was hit in February 2022, lasted for another three months, disbanded in May 2022, and broke down into five groups. Of these five, three —Conti1 (Zeon), Conti4, and Conti5 (Silent Ransom)—died out, with Zeon being eaten by LockBit and Silent Ransom dying for good.***
  • HIVE was hit so hard that they didn’t even try to rebuild.

Emotet had a sharp return to business a year after its shutdown, but then several months after, the botnet experienced a steep and fatal decline, as pictured in the above infection rate chart.

Conti’s breakdown into smaller groups.

***Of course, it can be noted that, unlike Emotet, TrickBot, or HIVE, Conti still exists. However, theirs wasn’t a case of LEA and was instead the case of an operator (who, for some reason, Twitter refers to as a researcher) betraying the conglomerate. Hence, this example is partial.

This is why the claim “Oh, the takedown doesn’t mean anything because unless you arrest them all, they rebrand or fight back harder” is simply incorrect.

People get tired. They get exhausted psychologically and physically. Pentesting is both tedious and sporadic and usually claims about one win per five to ten losses. If your group suffers a major hit and needs to rebuild, this causes internal conflicts and chaos. This may be enough to convince people to quit for good.

My grandfather, Benyamin, who commanded a recon and intel regiment during WWII, said that the worst thing during the war was not the fighting but the need to fight for the ground for a second time after retreating. He said that fighting for 500 feet of land to get it back is worse than fighting for 10 miles of ground you never held.

This works for the ransomware groups as well. BlackCat can create a new blog, for sure. Before the takedown, they were almost certainly planning on dumping old victim data on it to create the illusion of life within a dead shell. Conti, HIVE, REvil, and others who got hit have always used this strategy, but it didn’t save them.


Conclusion

ALPHV is still gutted—their website was seized, past victim data deleted, chats are down, and, most likely, decryption keys are lost. Trust and hierarchy have been eroded; other actors, even ones as pathetic as LockBitSupp, are mocking them on forums.

ALPHV admin: Denial, Anger, Bargaining, Depression, Acceptance.

And most importantly, their reputation (the intimidation with which they extorted victims) is gone.

Can they recover from this? Technically, yes. But will they? In my opinion, no. All of the others who got hit have died out entirely. Why would ALPHV be an exception? If I’m correct, then the silver bullet to Russian ransomware APTs has finally been found:

Hit their blogs, and let the fatigue do the rest.

I hope that this will be the LEA pattern in the future. In this case, we will finally start turning the tide in this long fight.