{
	"id": "4708ff0d-8b3e-4988-95ff-6b055907164a",
	"created_at": "2026-04-06T00:12:57.107031Z",
	"updated_at": "2026-04-10T03:29:39.794022Z",
	"deleted_at": null,
	"sha1_hash": "ed106fd7579c1bdddd10817c8cf779a4c91b064b",
	"title": "FBI: ALPHV ransomware raked in $300 million from over 1,000 victims",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3158193,
	"plain_text": "FBI: ALPHV ransomware raked in $300 million from over 1,000 victims\r\nBy Sergiu Gatlan\r\nPublished: 2023-12-19 · Archived: 2026-04-05 19:39:42 UTC\r\nThe ALPHV/BlackCat ransomware gang has made over $300 million in ransom payments from more than 1,000 victims worldwide as of September 2023, according to the Federal Bureau of Investigation (FBI).\r\n\"ALPHV Blackcat affiliates have extensive networks and experience with ransomware and data extortion operations,\" the FBI says.\r\n\"According to the FBI, as of September 2023, ALPHV Blackcat affiliates have compromised over 1000 entities—nearly 75 percent of which are in the United States and approximately 250 outside the United States—demanded over $500 million, and received nearly $300 million in ransom payments.\"\r\nIn the joint advisory published today in collaboration with CISA, the FBI also shared mitigation measures to help network defenders and critical infrastructure organizations reduce the impact and risks associated with this ransomware group's attacks.\r\nThe two agencies also provided ALPHV IOCs (indicators of compromise) and TTPs (tactics, techniques, and procedures) identified by the FBI as recently as December 6.\r\nNetwork defenders are strongly encouraged to prioritize patching vulnerabilities exploited in the wild and to enforce multifactor authentication (MFA) with strong passwords across all services, especially for webmail, VPN, and accounts linked to critical systems.\r\nFurthermore, they should regularly update and patch software to the latest versions and treat vulnerability assessments as an integral component of standard security protocols.\r\nBlackCat/ALPHV surfaced more than two years ago, in November 2021, and is suspected to be a rebrand of the notorious DarkSide and BlackMatter ransomware operation.\r\nOriginally known as DarkSide, this group gained worldwide notoriety following its attack on Colonial Pipeline, leading to extensive investigations by law enforcement agencies.\r\nThe FBI previously linked this ransomware gang to over 60 breaches impacting organizations worldwide in its first four months of activity, from November 2021 through March 2022.\r\nFBI disrupts Blackcat, develops decryption tool\r\nOn December 7, BleepingComputer first reported that ALPHV dark web sites, including the gang's Tor negotiation and data leak websites, suddenly stopped working.\r\nToday, the Department of Justice confirmed our reporting, saying that the FBI breached the ALPHV ransomware operation's servers, successfully monitoring their activities and obtaining decryption keys.\r\nTo access ALPHV's backend affiliate panel, the FBI engaged with a confidential human source (CHS) who was provided with login credentials as an affiliate after an interview with the ransomware operators.\r\nALPHV BlackCat seizure banner (BleepingComputer)\r\nThe FBI silently monitored ALPHV's operations for months while collecting decryption keys, which allowed them to help over 500 victims worldwide recover their files for free, saving around $68 million in ransom demands. However, it's unclear how the private decryption keys were obtained, since they wouldn't have been available using an affiliate's backend credentials.\r\nOne likely theory, although not yet confirmed, is that the FBI exploited vulnerabilities that allowed dumping the database or gaining further access to the ransomware gang's server.\r\nThe FBI also seized the domain for the ransomware operation's data leak site, adding a banner explaining that the seizure was the result of an international law enforcement operation. However, hours later, ALPHV \"unseized\" their data leak site, claiming that the FBI had gained access to a data center hosting the gang's servers. ALPHV also claims in the message posted on their leak site that they've breached at least 3,400 victims.\r\nSince both ALPHV and the FBI currently have the data leak site's private keys, they can take control of the domain from each other.\r\nThis situation has been seen as an early holiday gift of sorts by other cybercrime groups, with the LockBit ransomware gang, for instance, asking ALPHV affiliates to switch teams to continue negotiations with victims.\r\nSource: https://www.bleepingcomputer.com/news/security/fbi-alphv-ransomware-raked-in-300-million-from-over-1-000-victims/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/fbi-alphv-ransomware-raked-in-300-million-from-over-1-000-victims/"
	],
	"report_names": [
		"fbi-alphv-ransomware-raked-in-300-million-from-over-1-000-victims"
	],
	"threat_actors": [
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434377,
	"ts_updated_at": 1775791779,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ed106fd7579c1bdddd10817c8cf779a4c91b064b.pdf",
		"text": "https://archive.orkl.eu/ed106fd7579c1bdddd10817c8cf779a4c91b064b.txt",
		"img": "https://archive.orkl.eu/ed106fd7579c1bdddd10817c8cf779a4c91b064b.jpg"
	}
}