12 March 2024

8 min read

BlackCat/ALPHV shuts down in exit scam against partners | Cyber Intelligence Briefing: 12 March

March 2024
Cyber Intelligence Briefing


Top news stories this week

  1. Exit scam. BlackCat/ALPHV ceases operations after pocketing USD 22 million ransom payment.
  2. Crimewave. FBI report indicates over USD 12 billion lost to cyber crime in 2023.
  3. AI heist. Former Google employee indicted for stealing proprietary AI technology.
  4. Pull the plug. Belgium’s Duvel beer and Canada’s financial intelligence unit suffer operational disruption from major cyber incidents.
  5. In disguise. Financially motivated threat actor group TA4903 escalates BEC attacks through US agency impersonation.    
  6. Midnight Blizzard. Microsoft fends off persistent cyber attacks from hacker group linked to Russian intelligence.
  7. Starve the beast. Former NCSC head calls for ban on ransom payments.

Listen to the Cyber Intelligence Briefing

New call-to-action New call-to-action New call-to-action New call-to-action

1. BlackCat/ALPHV shuts down operations in exit scam against partners  

The infamous threat actor BlackCat/ALPHV has shut down their infrastructure and posted a fake law enforcement seizure notice on their leak site. The gang had allegedly just received a USD 22 million ransom payment from Change Healthcare, following an attack carried out by one of their affiliate partners. Various security researchers have described the move as an ‘exit scam’, as the affiliate claims to have never received their commission from BlackCat/ALPHV and still holds the stolen data.

So what?

The ransomware eco-system relies on anonymity and trust, but the move by BlackCat shows there is no honour among thieves. BlackCat’s operators may attempt to re-brand but affiliates will be wary of working with any group which is linked back to them.  

[Researcher: Jon Seland] 

2. FBI report indicates USD 12.5 billion lost to cyber crimes last year 

The FBI’s Internet Crime Complaint Centre (IC3)'s 2023 Internet Crimes Report has revealed a 22% increase in financial losses to online crime compared to 2022, hitting a record USD 12.5 billion. Business email compromises (BEC) accounted for USD 2.9 billion of these losses, while the estimated losses from ransomware were only USD 59.6 million.

So what?

These figures relate only to the 2,825 ransomware incidents registered with the IC3. The total losses to ransomware for 2023 are likely to be substantially higher. BEC victims in the US should reach out to the FBI's Recovery Asset Team to recover or freeze stolen funds.

[Researcher: Aditya Ganjam Mahesh]

3. Former Google employee indicted for stealing proprietary AI technology

The US department of Justice (DOJ) has indicted a former Google employee, Linwei (Leon) Ding, for stealing proprietary information related to the company's Artificial Intelligence (AI) technology. Ding then transferred this confidential information to two Chinese companies where he was secretly employed. The stolen proprietary information comprised detailed data about the architecture of hardware platforms, including the GPU and TPU systems, and the configurations of the software involved in the AI technology.

So what?

It's crucial for organisations to identify their most valuable proprietary information and meticulously set up and fortify their Data Loss Prevention (DLP) software around these assets.

[Researcher: Aditya Ganjam Mahesh]

New call-to-action


4. Belgian Brewer and Canadian anti-money laundering agency take systems offline to contain cyber incidents 

Belgian beer company Duvel has paused production at their breweries in Belgium and the US after receiving an alert of ransomware in their systems. Ransomware group Stormous recently claimed responsibility for the attack and allegedly stole 88GB of the brewer’s data.

Separately, the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) has taken down its corporate systems in response to a significant cyber incident.

So what?

Organisations should implement network segmentation to protect critical systems and reduce the operational impact of cyber attacks.

[Researcher: Adelaide Parker]

5. US government agencies impersonated in new wave of BEC attacks. 

A financially-motivated threat actor group has been impersonating US government agencies to steal corporate credentials and carry out follow-on business email compromise (BEC) attacks. The group, tracked as TA4903, commonly sends emails related to tender proposals with QR codes embedded in attached PDF files. The QR codes lead to credential stealing websites that replicate agency interfaces.

So what?

These sophisticated BEC attacks can evade common controls like email filtering software and bypass MFA. Organisations should adopt a defence-in-depth approach, relying on multiple security measures to protect them.

[Researcher: Ineta Simkunaite]

6. Microsoft fend off Russian state-backed cyber attack

Microsoft has warned its systems are being persistently attacked by Russian-sponsored group Midnight Blizzard. The group are reportedly intensifying attempts to infiltrate Microsoft's internal systems and code repositories by using stolen corporate email data through techniques such as password spraying. Despite these persistent and aggressive attacks, Microsoft has stated that no customer-facing systems have been compromised and is working with affected parties to carry out mitigating measures.

So what?

Midnight Blizzard has a history of targeting governments, diplomatic entities and NGOs, but the group’s focus on Microsoft raises concerns regarding potential to leverage the organisation's extensive network for subsequent attacks.

[Researcher: Amy Gregan]

7. Former NCSC head calls for governments to consider ban on ransom payments

The former head of the UK’s National Cyber Security Centre (NCSC) Cairan Martin wrote an op-ed in The Times newspaper last week calling for governments to ban ransom payments to cyber criminals. Martin argued that that the payments to cyber criminals should be treated like payments to kidnappers at proscribed terrorist organisations, but acknowledged the need for a framework to support private sector victims before a ban could be implemented.

So what?

Various government bodies and task forces have considered banning payments to tackle the ransomware problem, but no country has ever implemented an outright ban to date due to the potential impact on victims.

[Researcher: James Tytler]


The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.

To discuss this briefing or other industry developments, please reach out to one of our experts.


Share this post

Subscribe to our insights

Get industry news and expert insights straight to your inbox.