fbi

US woman arrested, accused of targeting young boys in $1.7M sextortion scheme

Apple Pay, cash app, child safety, department of justice, fbi, Instagram, Policy, sextortion, Snapchat, teen sextortion / Blake Jones / April 15, 2024

Preventing leaks —

FBI has warned of significant spike in teen sextortion in 2024.

Ashley Belanger – Apr 15, 2024 8: 24 pm UTC

A 28-year-old Delaware woman, Hadja Kone, was arrested after cops linked her to an international sextortion scheme targeting thousands of victims—mostly young men and including some minors, the US Department of Justice announced Friday.

Citing a recently unsealed indictment, the DOJ alleged that Kone and co-conspirators “operated an international, financially motivated sextortion and money laundering scheme in which the conspirators engaged in cyberstalking, interstate threats, money laundering, and wire fraud.”

Through the scheme, conspirators allegedly sought to extort about $6 million from “thousands of potential victims,” the DOJ said, and ultimately successfully extorted approximately $1.7 million.

Young men from the United States, Canada, and the United Kingdom fell for the scheme, the DOJ said. They were allegedly targeted by scammers posing as “young, attractive females online,” who initiated conversations by offering to send sexual photographs or video recordings, then invited victims to “web cam” or “live video chat” sessions.

“Unbeknownst to the victims, during the web cam/live video chats,” the DOJ said, the scammers would “surreptitiously” record the victims “as they exposed their genitals and/or engaged in sexual activity.” The scammers then threatened to publish the footage online or else share the footage with “the victims’ friends, family members, significant others, employers, and co-workers,” unless payments were sent, usually via Cash App or Apple Pay.

Much of these funds were allegedly transferred overseas to Kone’s accused co-conspirators, including 22-year-old Siaka Ouattara of the West African country the Ivory Coast. Ouattara was arrested by Ivorian authorities in February, the DOJ said.

“If convicted, Kone and Ouattara each face a maximum penalty of 20 years in prison for each conspiracy count and money laundering count, and a maximum penalty of 20 years in prison for each wire fraud count,” the DOJ said.

The FBI has said that it has been cracking down on sextortion after “a huge increase in the number of cases involving children and teens being threatened and coerced into sending explicit images online.” In 2024, the FBI announced a string of arrests, but none of the schemes so far have been as vast or far-reaching as the scheme that Kone allegedly helped operate.

In January, the FBI issued a warning about the “growing threat” to minors, warning parents that victims are “typically males between the ages of 14 to 17, but any child can become a victim.” Young victims are at risk of self-harm or suicide, the FBI said.

“From October 2021 to March 2023, the FBI and Homeland Security Investigations received over 13,000 reports of online financial sextortion of minors,” the FBI’s announcement said. “The sextortion involved at least 12,600 victims—primarily boys—and led to at least 20 suicides.”

For years, reports have shown that payment apps have been used in sextortion schemes with seemingly little intervention. When it comes to protecting minors, sextortion protections seem sparse, as neither Apple Pay nor Cash App appear to have any specific policies to combat the issue. However, both apps only allow minors over 13 to create accounts with authorized adult supervisors.

Apple and Cash App did not immediately respond to Ars’ request to comment.

Instagram, Snapchat add sextortion protections

Some social media platforms are responding to the spike in sextortion targeting minors.

Last year, Snapchat released a report finding that nearly two-thirds of more than 6,000 teens and young adults in six countries said that “they or their friends have been targeted in online ‘sextortion’ schemes” across many popular social media platforms. As a result of that report and prior research, Snapchat began allowing users to report sextortion specifically.

“Under the reporting menu for ‘Nudity or sexual content,’ a Snapchatter’s first option is to click, ‘They leaked/are threatening to leak my nudes,'” the report said.

Additionally, the DOJ’s announcement of Kone’s arrest came one day after Instagram confirmed that it was “testing new features to help protect young people from sextortion and intimate image abuse, and to make it more difficult for potential scammers and criminals to find and interact with teens.”

One feature will by default blur out sexual images shared over direct message, which Instagram said would protect minors from “scammers who may send nude images to trick people into sending their own images in return.” Instagram will also provide safety tips to anyone receiving a sexual image over DM, “encouraging them to report any threats to share their private images and reminding them that they can say no to anything that makes them feel uncomfortable.”

Perhaps more impactful, Instagram claimed that it was “developing technology to help identify where accounts may potentially be engaging in sextortion scams, based on a range of signals that could indicate sextortion behavior.” Having better signals helps Instagram to make it “harder for potential sextortion accounts to message or interact with people,” the platform said, by hiding those requests. Instagram also by default blocks adults from messaging users under 16 in some countries and under 18 in others.

Instagram said that other tech companies have also started “sharing more signals about sextortion accounts” through Lantern, a program that Meta helped to found with the Tech Coalition to prevent child sexual exploitation. Snapchat also participates in the cross-platform research.

According to the special agent in charge of the FBI’s Norfolk field office, Brian Dugan, “one of the best lines of defense to stopping a crime like this is to educate our most vulnerable on common warning signs, as well as empowering them to come forward if they are ever victimized.”

Both Instagram and Snapchat said they were also increasing sextortion resources available to educate young users.

“We know that sextortion is a risk teens and adults face across a range of platforms, and have developed tools and resources to help combat it,” Snap’s spokesperson told Ars. “We have extra safeguards for teens to protect against unwanted contact, and don’t offer public friend lists, which we know can be used to extort people. We also want to help young people learn the signs of this type of crime, and recently launched in-app resources to raise awareness of how to spot and report it.”

US woman arrested, accused of targeting young boys in $1.7M sextortion scheme Read More »

DOJ quietly removed Russian malware from routers in US homes and businesses

Biz & IT, china, DDoS, department of justice, DoJ, Fancy Bear, fbi, routers, russia, Security, ubiquiti / Ari B / February 18, 2024

Fancy Bear —

Feds once again fix up compromised retail routers under court order.

Kevin Purdy – Feb 16, 2024 4: 37 pm UTC

Ethernet cable plugged into a router LAN port — Getty Images

More than 1,000 Ubiquiti routers in homes and small businesses were infected with malware used by Russian-backed agents to coordinate them into a botnet for crime and spy operations, according to the Justice Department.

That malware, which worked as a botnet for the Russian hacking group Fancy Bear, was removed in January 2024 under a secret court order as part of “Operation Dying Ember,” according to the FBI’s director. It affected routers running Ubiquiti’s EdgeOS, but only those that had not changed their default administrative password. Access to the routers allowed the hacking group to “conceal and otherwise enable a variety of crimes,” the DOJ claims, including spearphishing and credential harvesting in the US and abroad.

Unlike previous attacks by Fancy Bear—that the DOJ ties to GRU Military Unit 26165, which is also known as APT 28, Sofacy Group, and Sednit, among other monikers—the Ubiquiti intrusion relied on a known malware, Moobot. Once infected by “Non-GRU cybercriminals,” GRU agents installed “bespoke scripts and files” to connect and repurpose the devices, according to the DOJ.

The DOJ also used the Moobot malware to copy and delete the botnet files and data, according to the DOJ, and then changed the routers’ firewall rules to block remote management access. During the court-sanctioned intrusion, the DOJ “enabled temporary collection of non-content routing information” that would “expose GRU attempts to thwart the operation.” This did not “impact the routers’ normal functionality or collect legitimate user content information,” the DOJ claims.

“For the second time in two months, we’ve disrupted state-sponsored hackers from launching cyber-attacks behind the cover of compromised US routers,” said Deputy Attorney General Lisa Monaco in a press release.

The DOJ states it will notify affected customers to ask them to perform a factory reset, install the latest firmware, and change their default administrative password.

Christopher A. Wray, director of the FBI, expanded on the Fancy Bear operation and international hacking threats generally at the ongoing Munich Security Conference. Russia has recently targeted underwater cables and industrial control systems worldwide, Wray said, according to a New York Times report. And since its invasion of Ukraine, Russia has focused on the US energy sector, Wray said.

The past year has been an active time for attacks on routers and other network infrastructure. TP-Link routers were found infected in May 2023 with malware from a reportedly Chinese-backed group. In September, modified firmware in Cisco routers was discovered as part of a Chinese-backed intrusion into multinational companies, according to US and Japanese authorities. Malware said by the DOJ to be tied to the Chinese government was removed from SOHO routers by the FBI last month in similar fashion to the most recently revealed operation, targeting Cisco and Netgear devices that had mostly reached their end of life and were no longer receiving security patches.

In each case, the routers provided a highly valuable service to the groups; that service was secondary to whatever primary aims later attacks might have. By nesting inside the routers, hackers could send commands from their overseas locations but have the traffic appear to be coming from a far more safe-looking location inside the target country or even inside a company.

Similar inside-the-house access has been sought by international attackers through VPN products, as in the three different Ivanti vulnerabilities discovered recently.

DOJ quietly removed Russian malware from routers in US homes and businesses Read More »

Cops arrest 17-year-old suspected of hundreds of swattings nationwide

California, fbi, Florida, Policy, serial swatter, serial swatting, SWATting / Ari B / February 1, 2024

Coordinated effort —

Police traced swatting calls to teen’s home IP addresses.

Ashley Belanger – Feb 1, 2024 9: 32 pm UTC

Enlarge / Booking photo of Alan Filion, charged with multiple felonies connected to a “swatting” incident at the Masjid Al Hayy Mosque in Sanford, Florida.

Police suspect that a 17-year-old from California, Alan Filion, may be responsible for “hundreds of swatting incidents and bomb threats” targeting the Pentagon, schools, mosques, FBI offices, and military bases nationwide, CNN reported.

Swatting occurs when fraudulent calls to police trigger emergency response teams to react forcefully to non-existent threats.

Recently extradited to Florida, Filion was charged with multiple felonies after the Seminole County Sheriff’s Office (SCSO) traced a call where Filion allegedly claimed to be a mass shooter entering the Masjid Al Hayy Mosque in Sanford, Florida. The caller played “audio of gunfire in the background,” SCSO said, while referencing Satanism and claiming he had a handgun and explosive devices.

Approximately 30 officers responded to the call in May 2023, then determined it was a swatting incident after finding no shooter and confirming that mosque staff was safe. In a statement, SCSO Sheriff Dennis Lemma said that “swatting is a perilous and senseless crime, which puts innocent lives in dangerous situations and drains valuable resources” by prompting a “substantial law enforcement response.”

Seminole County authorities coordinated with the FBI and Department of Justice to track the alleged “serial swatter” down, ultimately arresting Filion on January 18. According to SCSO, police were able to track down Filion after he allegedly “created several accounts on websites offering swatting services” that were linked to various IP addresses connected to his home address. The FBI then served a search warrant on the residence and found “incriminating evidence.”

Filion has been charged as an adult for a variety of offenses, including making a false report while facilitating or furthering an act of terrorism. He is currently being detained in Florida, CNN reported.

Earlier this year, Sen. Rick Scott (R-Fla.) introduced legislation to “crack down” on swattings after he became a target at his home in December. If passed, the Preserving Safe Communities by Ending Swatting Act would impose strict penalties, including a maximum sentence of 20 years in prison for any swatting that lead to serious injuries. If death results, bad actors risk a lifetime sentence. That bill is currently under review by the House Judiciary Committee.

“We must send a message to the cowards behind these calls—this isn’t a joke, it’s a crime,” Scott said.

Last year, Sen. Chuck Schumer (D-NY) warned that an “unprecedented wave” of swatting attacks in just two weeks had targeted 11 states, including more than 200 schools across New York. In response, Schumer called for over $10 million in FBI funding to “specifically tackle the growing problem of swatting.”

Schumer said it was imperative that the FBI begin tracking the incidents more closely, not just to protect victims from potentially deadly swattings, but also to curb costs to law enforcement and prevent unnecessary delays of emergency services tied up by hoax threats.

As a result of Schumer’s push, the FBI announced it would finally begin tracking swatting incidents nationwide. Hundreds of law enforcement agencies and police departments now rely on an FBI database to share information on swatting incidents.

Coordination appears to be key to solving these cases. Lemma noted that SCSO has an “unwavering dedication” to holding swatters accountable, “regardless of where they are located.” His office confirmed that investigators suspect that Filion may have also been behind “other swatting incidents” across the US. SCSO said that it will continue coordinating with local authorities investigating those incidents.

“Make no mistake, we will continue to work tirelessly in collaboration with our policing partners and the judiciary to apprehend swatting perpetrators,” Lemma said. “Gratitude is extended to all agencies involved at the local, state, and federal levels, and this particular investigation and case stands as a stern warning: swatting will face zero tolerance, and measures are in place to identify and prosecute those responsible for such crimes.”

Cops arrest 17-year-old suspected of hundreds of swattings nationwide Read More »

Chinese malware removed from SOHO routers after FBI issues covert commands

Biz & IT, chinese govvernent, fbi, malware, routers, Security, take-downs / Ryan Harris / January 31, 2024

REBOOT OR, BETTER yet, REPLACE YOUR OLD ROUTERS! —

Routers were being used to conceal attacks on critical infrastructure.

Dan Goodin – Jan 31, 2024 11: 34 pm UTC

A wireless router with an Ethernet cable hooked into it. — Enlarge / A Wi-Fi router.

The US Justice Department said Wednesday that the FBI surreptitiously sent commands to hundreds of infected small office and home office routers to remove malware China state-sponsored hackers were using to wage attacks on critical infrastructure.

The routers—mainly Cisco and Netgear devices that had reached their end of life—were infected with what’s known as KV Botnet malware, Justice Department officials said. Chinese hackers from a group tracked as Volt Typhoon used the malware to wrangle the routers into a network they could control. Traffic passing between the hackers and the compromised devices was encrypted using a VPN module KV Botnet installed. From there, the campaign operators connected to the networks of US critical infrastructure organizations to establish posts that could be used in future cyberattacks. The arrangement caused traffic to appear as originating from US IP addresses with trustworthy reputations rather than suspicious regions in China.

Seizing infected devices

Before the takedown could be conducted legally, FBI agents had to receive authority—technically for what’s called a seizure of infected routers or “target devices”—from a federal judge. An initial affidavit seeking authority was filed in US federal court in Houston in December. Subsequent requests have been filed since then.

“To effect these seizures, the FBI will issue a command to each Target Device to stop it from running the KV Botnet VPN process,” an agency special agent wrote in an affidavit dated January 9. “This command will also stop the Target Device from operating as a VPN node, thereby preventing the hackers from further accessing Target Devices through any established VPN tunnel. This command will not affect the Target Device if the VPN process is not running, and will not otherwise affect the Target Device, including any legitimate VPN process installed by the owner of the Target Device.”

Wednesday’s Justice Department statement said authorities had followed through on the takedown, which disinfected “hundreds” of infected routers and removed them from the botnet. To prevent the devices from being reinfected, the takedown operators issued additional commands that the affidavit said would “interfere with the hackers’ control over the instrumentalities of their crimes (the Target Devices), including by preventing the hackers from easily re-infecting the Target Devices.”

The affidavit said elsewhere that the prevention measures would be neutralized if the routers were restarted. These devices would then be once again vulnerable to infection.

Redactions in the affidavit make the precise means used to prevent re-infections unclear. Portions that weren’t censored, however, indicated the technique involved a loop-back mechanism that prevented the devices from communicating with anyone trying to hack them.

Portions of the affidavit explained:

22. To effect these seizures, the FBI will simultaneously issue commands that will interfere with the hackers’ control over the instrumentalities of their crimes (the Target Devices), including by preventing the hackers from easily re-infecting the Target Devices with KV Botnet malware.

a. When the FBI deletes the KV Botnet malware from the Target Devices [redacted. To seize the Target Devices and interfere with the hackers’ control over them, the FBI [redacted]. This [redacted] will have no effect except to protect the Target Device from reinfection by the KV Botnet [redacted] The effect of can be undone by restarting the Target Device [redacted] make the Target Device vulnerable to re-infection.

b. [redacted] the FBI will seize each such Target Device by causing the malware on it to communicate with only itself. This method of seizure will interfere with the ability of the hackers to control these Target Devices. This communications loopback will, like the malware itself, not survive a restart of a Target Device.

c. To seize Target Devices, the FBI will [redacted] block incoming traffic [redacted] used exclusively by the KV Botnet malware on Target Devices, to block outbound traffic to [redacted] the Target Devices’ parent and command-and-control nodes, and to allow a Target Device to communicate with itself [redacted] are not normally used by the router, and so the router’s legitimate functionality is not affected. The effect of [redacted] to prevent other parts of the botnet from contacting the victim router, undoing the FBI’s commands, and reconnecting it to the botnet. The effect of these commands is undone by restarting the Target Devices.

23. To effect these seizures, the FBI will issue a command to each Target Device to stop it from running the KV Botnet VPN process. This command will also stop the Target Device from operating as a VPN node, thereby preventing the hackers from further accessing Target Devices through any established VPN tunnel. This command will not affect the Target Device if the VPN process is not running, and will not otherwise affect the Target Device, including any legitimate VPN process installed by the owner of the Target Device.

Chinese malware removed from SOHO routers after FBI issues covert commands Read More »

eBay hit with $3M fine, admits to “terrorizing innocent people”

eBay, fbi, harassment, intimidation, Policy, stalking / Ryan Harris / January 12, 2024

“Never-ending nightmare” —

eBay must pay maximum fine for putting Massachusetts couple “through pure hell.”

Ashley Belanger – Jan 12, 2024 5: 00 pm UTC

eBay has agreed to pay $3 million—the maximum criminal penalty possible—after employees harassed, intimidated, and stalked a Massachusetts couple in retaliation for their critical reporting of the online marketplace in 2019.

“Today’s settlement holds eBay criminally and financially responsible for emotionally, psychologically, and physically terrorizing the publishers of an online newsletter out of fear that bad publicity would adversely impact their Fortune 500 company,” Jodi Cohen, the special agent in charge of the Federal Bureau of Investigation Boston Division, said in a Justice Department press release Thursday.

eBay’s harassment campaign against the couple, David and Ina Steiner, stretched for 18 days in August 2019 and was led by the company’s former senior director of safety and security, Jim Baugh. It started when then-CEO Devin Wenig and then-chief communications officer Steven Wymer decided to “take down” the Steiners after growing frustrated with their coverage of eBay in a newsletter called EcommerceBytes.

Executing the “take down,” Baugh and six co-conspirators “put the victims through pure hell,” acting US attorney Joshua S. Levy wrote in the DOJ’s press release.

The former eBay employees turned the Steiners’ world “upside-down through a never-ending nightmare of menacing and criminal acts,” Levy said. That included “sending anonymous and disturbing deliveries,” such as “a book on surviving the death of a spouse, a bloody pig mask, a fetal pig and a funeral wreath and live insects,” the DOJ said. The intimidation also included publishing a series of “Craigslist posts inviting the public for sexual encounters at the victims’ home.”

But the intimidation did not stop there. After sending tweets and DMs threatening to visit the couple’s home, former eBay employees escalated the criminal activity by traveling to Massachusetts and installing a GPS tracker on the Steiners’ car. Spotting their stalkers, the Steiners called local police, who coordinated with the FBI to investigate what Levy called an “unprecedented stalking campaign” fueled by eBay’s toxic corporate culture.

Once police got involved, the former eBay employees tried to cover their tracks. Baugh and his team falsified records and deleted evidence to throw the cops “off the trail,” the DOJ said. Baugh was also caught making false statements to police and internal investigators and subsequently became the first eBay employee involved who was imprisoned in 2022 for “terrorizing innocent people,” Levy said.

In a press release, eBay confirmed that the company admitted to all the relevant facts that law enforcement uncovered in the case.

“The company’s conduct in 2019 was wrong and reprehensible,” said Jamie Iannone, eBay’s CEO. “From the moment eBay first learned of the 2019 events, eBay cooperated fully and extensively with law enforcement authorities. We continue to extend our deepest apologies to the Steiners for what they endured.”

Cohen acknowledged that the settlement “cannot erase the significant distress this couple suffered” but said that the DOJ hopes slapping eBay with the maximum fine “will deter others from engaging in similar conduct.”

“No one should ever feel unsafe in their own home,” Cohen said.

Ars could not immediately reach the Steiners’ lawyer for comment on the settlement.

Under eBay’s agreement with the DOJ, eBay must “retain an independent corporate compliance monitor” to ensure the company’s corporate culture never pushes employees to engage in such criminal conduct again.

All seven former eBay employees have been convicted on felony charges, the DOJ said. As the “ringleader,” Baugh was sentenced to 57 months in federal prison. Others have received prison sentences between 12 and 24 months. Two former employees were sentenced to a year of home confinement. One co-conspirator has pleaded guilty and is still awaiting sentencing.

In the end, the DOJ said that “eBay was charged criminally with two counts of stalking through interstate travel, two counts of stalking through electronic communications services, one count of witness tampering, and one count of obstruction of justice, and has entered into a deferred prosecution agreement.”

Through the deferred prosecution agreement, eBay must remain compliant and fully cooperate with the DOJ’s terms for three years. If that process is successful, the US attorney will “dismiss the criminal information against eBay.”

The DOJ announced criminal penalties during Stalking Awareness Month, when advocates work to raise awareness that stalking is a serious crime.

After taking responsibility for the misconduct of its former employee, eBay seems ready to put the harassment campaign in its past.

“Since these events occurred, new leaders have joined the company and eBay has strengthened its policies, procedures, controls and training,” eBay said. “eBay remains committed to upholding high standards of conduct and ethics and to making things right with the Steiners.”

eBay hit with $3M fine, admits to “terrorizing innocent people” Read More »

AlphV ransomware site is “seized” by the FBI. Then it’s “unseized.” And so on.

alphv, Biz & IT, fbi, ransomware, Security, tor / Mike M. / December 20, 2023

DUELING SEIZURES —

In a bizarre twist, both groups issue dueling notices to ransomware website.

Dan Goodin – Dec 20, 2023 9: 08 pm UTC

Enlarge / Shortly after the FBI posted a notice saying it had seized the dark-web site of AlphV, the ransomware group posted this notice claiming otherwise.

The FBI spent much of Tuesday locked in an online tug-of-war with one of the Internet’s most aggressive ransomware groups after taking control of infrastructure the group has used to generate more than $300 million in illicit payments to date.

Early Tuesday morning, the dark-web site belonging to AlphV, a ransomware group that also goes by the name BlackCat, suddenly started displaying a banner that said it had been seized by the FBI as part of a coordinated law enforcement action. Gone was all the content AlphV had posted to the site previously.

Around the same time, the Justice Department said it had disrupted AlphV’s operations by releasing a software tool that would allow roughly 500 AlphV victims to restore their systems and data. In all, Justice Department officials said, AlphV had extorted roughly $300 million from 1,000 victims.

An affidavit unsealed in a Florida federal court, meanwhile, revealed that the disruption involved FBI agents obtaining 946 private keys used to host victim communication sites. The legal document said the keys were obtained with the help of a confidential human source who had “responded to an advertisement posted to a publicly accessible online forum soliciting applicants for Blackcat affiliate positions.”

“In disrupting the BlackCat ransomware group, the Justice Department has once again hacked the hackers,” Deputy Attorney General Lisa O. Monaco said in Tuesday’s announcement. “With a decryption tool provided by the FBI to hundreds of ransomware victims worldwide, businesses and schools were able to reopen, and health care and emergency services were able to come back online. We will continue to prioritize disruptions and place victims at the center of our strategy to dismantle the ecosystem fueling cybercrime.”

Within hours, the FBI seizure notice displayed on the AlphV dark-web site was gone. In its place was a new notice proclaiming: “This website has been unseized.” The new notice, written by AlphV officials, downplayed the significance of the FBI’s action. While not disputing the decryptor tool worked for 400 victims, AlphV officials said that the disruption would prevent data belonging to another 3,000 victims from being decrypted.

“Now because of them, more than 3,000 companies will never receive their keys.”

As the hours went on, the FBI and AlphV sparred over control of the dark-web site, with each replacing the notices of the other.

One researcher described the ongoing struggle as a “tug of Tor,” a reference to Tor, the network of servers that allows people to browse and publish websites anonymously. Like most ransomware groups, AlphV hosts its sites over Tor. Not only does this arrangement prevent law enforcement investigators from identifying group members, it also hampers investigators from obtaining court orders compelling the web host to turn over control of the site.

The only way to control a Tor address is with possession of a dedicated private encryption key. Once the FBI obtained it, investigators were able to publish Tuesday’s seizure notice to it. Since AlphV also maintained possession of the key, group members were similarly free to post their own content. Since Tor makes it impossible to change the private key corresponding to an address, neither side has been able to lock the other out.

With each side essentially deadlocked, AlphV has resorted to removing some of the restrictions it previously placed on affiliates. Under the common ransomware-as-a-service model, affiliates are the ones who actually hack victims. When successful, the affiliates use the AlphV ransomware and infrastructure to encrypt data and then negotiate and facilitate a payment by bitcoin or another cryptocurrency.

Up to now, AlphV placed rules on affiliates forbidding them from targeting hospitals and critical infrastructure. Now, those rules no longer apply unless the victim is located in the Commonwealth of Independent States—a list of countries that were once part of the former Soviet Union.

“Because of their actions, we are introducing new rules, or rather, we are removing ALL rules except one, you cannot touch the CIS, you can now block hospitals, nuclear power plants, anything, anywhere,” the AlphV notice said. The notice said that AlphV was also allowing affiliates to retain 90 percent of any ransom payments they get, and that ‘VIP’ affiliates would receive a private program on separate isolated data centers. The move is likely an attempt to stanch the possible defection by affiliates spooked by the FBI’s access to the AlphV infrastructure.

The back and forth has prompted some to say that the disruption failed, since AlphV retains control of its site and continues to possess the data it stole from victims. In a discussion on social media with one such critic, ransomware expert Allan Liska pushed back.

“The server and all of its data is still in possession of FBI—and ALPHV ain’t getting none of that back,” Liska, a threat researcher at security firm Recorded Future, wrote.

Enlarge / Social media post by Liska arguing the FBI maintains access to AlphV infrastructure.

“But, hey you are correct and I am 100% wrong. I encourage you, and all ransomware groups to sign up to be an ALPHV affiliate now, it is definitely safe. Do it, Chicken!”

AlphV ransomware site is “seized” by the FBI. Then it’s “unseized.” And so on. Read More »