LockBit takes advantage of disruptions in BlackCat and NoEscape to expand its network


The infamous LockBit ransomware operation has taken a new turn in its expansion, recruiting BlackCat/ALPHV and NoEscape affiliates and developers after recent outages and exit scams in these operations. Last week, the Tor websites of NoEscape and the BlackCat/ALPHV ransomware operation suddenly became inaccessible, leaving the cybersecurity community on alert.

Affiliates linked to NoEscape claimed that the ransomware operators carried out an exit scam, pocketing millions of dollars in ransom payments and shutting down the operation’s web panels and data leak sites. It is speculated that NoEscape could be a rebranding of the Avaddon operation, which closed in June 2021 and released its decryption keys.


In parallel, the BlackCat/ALPHV ransomware operation experienced a 5-day outage, with its entire infrastructure offline, including its data leak and trading sites. Although the ALPHV data leak site returned on Monday, all data was deleted, and some trading URLs are still not working, halting trading for many victims. The ALPHV administrator attributed the outage to a suspected hardware failure, while the FBI declined to comment on the outages.

In an unexpected turn, LockBit has taken advantage of these disruptions to recruit affiliates from BlackCat and NoEscape. LockBitSupp, LockBit’s operations manager, has urged affiliates to use their data breach site and trading panel to continue extorting victims, as long as they possess backup copies of the stolen data. Additionally, LockBitSupp is trying to recruit the coder of the ALPHV encryptor.

Uncertainty reigns over whether affiliates and penetration testers have lost confidence in BlackCat and NoEscape, and whether they are migrating to other operations. However, a BlackCat victim has already been identified on the LockBit data leak site, indicating possible affiliate movements between operations.

With LockBit currently positioned as the largest ransomware operation, LockBitSupp considers the BlackCat outages a “Christmas Present.” As the situation evolves, expect increased vigilance on potential rebranding and dynamics in the shadowy world of ransomware.
