“Law enforcement is moving a lot faster, but it is still not fast enough,” says Allan Liska, an analyst for the security firm Recorded Future who specializes in ransomware. “It takes a while to build a case, and in the meantime these groups wreak havoc.”

Part of the reason for law enforcement’s delay in attempting to take down Alphv’s infrastructure may have been an ongoing investigation into the actors behind the group. Alphv/BlackCat seems to have evolved from a gang referred to as BlackMatter, which, in flip, appeared to emerge as a recombination of the notorious Darkside ransomware group that targeted Colonial Pipeline within the US.

“This isn’t their first shit show. Unfortunately, it probably won’t be their last either,” says Brett Callow, a threat analyst at antivirus company Emsisoft. “But Alphv’s partners in crime will be wondering, what information law enforcement was able to collect? And who does it implicate?”

The takedown effort involved collaboration and parallel investigations from multiple law enforcement agencies, including those in the United Kingdom, Australia, Germany, Spain, and Denmark. The US Justice Department said Tuesday that a decryptor tool for the Alphv ransomware that was developed by the FBI has already helped more than 500 victims recover from attacks and avoid paying roughly $68 million in ransoms.

As ransomware groups rely more on a hybrid model, in which much of their leverage for extortion comes from the threat that they will leak data stolen from victims, decryptors are only one of many tools needed to help victims avoid paying ransoms. But Alphv’s attempt on Tuesday afternoon to let its customers use its ransomware for attacks on vital services like hospitals and nuclear plants made the existence of the decryptor more significant, given how dangerous and disruptive that activity might be.

“The statement about targeting critical infrastructure is pretty concerning. This will be an ongoing battle, for sure. Law enforcement will have to aggressively roll out the decryption keys and tools for victims,” says Alex Leslie, a threat intelligence analyst at Recorded Future. “And data extortion is still on the table. Generally speaking, data extortion wouldn’t be as disruptive in terms of a national security crisis in the short term, but who knows.”

A search warrant launched by the FBI says that legislation enforcement received login credentials for the ransomware gang’s platforms from a “confidential human source” with entry to the group. Though it was not instantly clear how Alphv had “unseized” its web site following the legislation enforcement motion, researchers started to coalesce round some theories on Tuesday afternoon. Since each the cybercriminals and legislation enforcement had entry to the login keys, it is potential that a number of websites have been registered to the same Tor address or that Alphv was in a position so as to add one other registration after which level the positioning to servers that legislation enforcement didn’t management. In the identical method, although, legislation enforcement’s presumably deep entry to the gang’s infrastructure is probably going what allowed it to retake the positioning.

The US Justice Department noted Tuesday morning that people with information about Alphv/Blackcat and its affiliates should come forward and may still be may be eligible for a reward through the US State Department.

Updated 12/19/23, 2:55 pm ET to replicate that legislation enforcement reestablished its management of Alphv’s dark-web leak web site.