Recruiting affiliates and developers from the troubled BlackCat/ALPHV and NoEscape ransomware operations is one of the calculated steps being taken by the LockBit ransomware group. An ideal opportunity emerged for LockBit to expand its network due to the recent disruptions and exit scams within NoEscape and BlackCat/ALPHV.
Affiliates of NoEscape and BlackCat/ALPHV Tor organisations are in disarray due to the sudden inaccessibility of their websites, as well as reports of escape scams and ransom payments being stolen. While the exact reason of the disruptions is unknown, speculations include hardware malfunctions, internal issues, and law enforcement intervention.
LockBitSupp, the manager of LockBit, has actively recruited affiliates on Russian-speaking hacking forums in response to the chaos surrounding BlackCat and NoEscape. LockBitSupp makes a tempting offer, stating that affiliates who have copies of stolen data can use LockBit's bargaining panel and data leak website to keep blackmailing victims.
Additionally, LockBitSupp is trying to hire the coder who created the ALPHV encryptor. Although LockBit's relationship to the troubled ransomware gangs is still unknown, there have been reports of a victim who was BlackCat's previous target now showing up on LockBit's data leak website.
The change emphasises how groups dealing with ransomware experience disruptions, rebranding, and sometimes even changing affiliations. The ransomware ecosystem continues to evolve, and outfits such as LockBit, by taking advantage of other people's vulnerabilities and interruptions, demonstrate the flexibility and intelligence that these nefarious activities possess.
In the always changing threat landscape, this particular situation may lead to additional rebranding and restructuring as it calls into doubt the reliability of ransomware groups such as BlackCat and NoEscape.