FBI disrupts BlackCat ransomware operation, unveils decryption tool

The ransomware group claims FBI only obtained decryption keys for the last month and a half

In a major victory against cybercrime, the US Federal Bureau of Investigation (FBI) announced on Tuesday the successful disruption of the notorious BlackCat ransomware operation, also known as ALPHV.

The operation, carried out in collaboration with international law enforcement agencies, not only dismantled the ransomware infrastructure but also provided a decryption tool that allowed 500 victims to recover their files without paying an estimated $68 million in ransom demands.

ALPHV/BlackCat, responsible for infiltrating the computer networks of over 1,000 victims worldwide, has been a significant global threat, affecting critical infrastructure and demanding hundreds of millions of dollars in ransom payments.

Over the past 18 months, BlackCat had become the second most prolific ransomware-as-a-service variant globally, with victims spanning multiple countries.

On 7th December, BlackCat's websites abruptly ceased to function, leaving the ransomware gang's Tor negotiation and data leak sites inaccessible.

According to the US Department of Justice, the FBI gained access to the group's infrastructure, enabling them to monitor the ransomware operation silently for months.

During this period, the FBI collected 946 public/private key pairs for Tor sites used by BlackCat, including victim communication sites and data leak sites.

As a result, the FBI was able to create a decryption tool that helped 500 victims recover their files for free, dealing a significant blow to the criminal enterprise. Additionally, the FBI seized control of the domain for ALPHV's data leak site.

The coordinated international effort involved law enforcement agencies from the United States, Europol, Denmark, Germany, the UK, the Netherlands, Australia, Spain and Austria.

BlackCat operates using a ransomware-as-a-service model, with developers responsible for creating and updating the ransomware, and maintaining the illicit internet infrastructure. Affiliates, on the other hand, identify and target high-value institutions for the ransomware attacks. The group employs a multiple-extortion model, exfiltrating sensitive data before encrypting a victim's system. The stolen data is then used as leverage to extract larger ransoms.

BlackCat actors publish stolen data on a dark web leak site when victims refuse to pay the ransom.

On Tuesday afternoon, the ransomware gang alleged the FBI had gained access to a datacentre hosting its servers.

Claiming that the FBI only obtained decryption keys for the last month and a half, affecting approximately 400 companies, the gang asserted that an additional 3,000 victims would lose their keys due to the law enforcement action.

"Because of their actions, we are introducing new rules, or rather removing ALL the rules except one, you can not touch the CIS, you can now block hospitals, nuclear power plants, anything and anywhere," it said.

Commenting on the FBI's action, Michael McPherson, SVP Technical Operations at ReliaQuest (and former FBI special agent), said: "The law enforcement action announced today serves as a body-blow to the ransomware ecosystem but it is by no means a knockout punch."

However, he said it is "significant" that 500 victims had apparently been aided by the FBI's decryption tool, as part of the US authorities' "hack-the-hacker" approach.

"The ability for the FBI to do this undermines the credibility and capability of cyber-criminal organisations and bolsters the FBI's plea for victims to report potential compromises as soon as possible," McPherson said, adding that a move by extortionists to adopt other ransomware strains can be expected.

"The removal of ALPHV from the ransomware landscape will undoubtedly leave a temporary void, before members flock to other groups. This is unfortunately a common outcome following a law enforcement operation, reflecting the ongoing game of whac-a-mole in law enforcement attempting to provide a meaningful impact against this pernicious form of cybercrime."
