FBI disrupts BlackCat ransomware operation, unveils decryption tool

The ransomware group claims FBI only obtained decryption keys for the last month and a half

In a major victory against cybercrime, the US Federal Bureau of Investigation (FBI) announced on Tuesday the successful disruption of the notorious BlackCat ransomware operation, also known as ALPHV.

The operation, carried out in collaboration with international law enforcement agencies, not only dismantled the ransomware infrastructure but also provided a decryption tool that allowed 500 victims to recover their files without paying an estimated $68 million in ransom demands.

ALPHV/BlackCat, responsible for infiltrating the computer networks of over 1,000 victims worldwide, has been a significant global threat, affecting critical infrastructure and demanding hundreds of millions of dollars in ransom payments.

Over the past 18 months, BlackCat had become the second most prolific ransomware-as-a-service variant globally, with victims spanning multiple countries.

On 7th December, BlackCat's websites abruptly ceased to function, leaving the ransomware gang's Tor negotiation and data leak sites inaccessible.

According to the US Department of Justice, the FBI gained access to the group's infrastructure, enabling them to monitor the ransomware operation silently for months.

During this period, the FBI collected 946 public/private key pairs for Tor sites used by BlackCat, including victim communication sites and data leak sites.

As a result, the FBI was able to create a decryption tool that helped 500 victims recover their files for free, dealing a significant blow to the criminal enterprise. Additionally, the FBI seized control of the domain for ALPHV's data leak site.

The coordinated international effort involved law enforcement agencies from the United States, Europol, Denmark, Germany, the UK, the Netherlands, Australia, Spain and Austria.

BlackCat operates using a ransomware-as-a-service model, with developers responsible for creating and updating the ransomware, and maintaining the illicit internet infrastructure. Affiliates, on the other hand, identify and target high-value institutions for the ransomware attacks. The group employs a multiple-extortion model, exfiltrating sensitive data before encrypting a victim's system. The stolen data is then used as leverage to extract larger ransoms.

BlackCat actors publish stolen data on a dark web leak site when victims refuse to pay the ransom.

On Tuesday afternoon, the ransomware gang alleged the FBI had gained access to a datacentre hosting its servers.

Claiming that the FBI only obtained decryption keys for the last month and a half, affecting approximately 400 companies, the gang asserted that an additional 3,000 victims would lose their keys due to the law enforcement action.

"Because of their actions, we are introducing new rules, or rather removing ALL the rules except one, you can not touch the CIS, you can now block hospitals, nuclear power plants, anything and anywhere," it said.

Commenting on the FBI's action, Michael McPherson, SVP Technical Operations at ReliaQuest (and former FBI special agent), said: "The law enforcement action announced today serves as a body-blow to the ransomware ecosystem, but it is by no means a knockout punch."

However, he said it is "significant" that 500 victims had apparently been aided by the FBI's decryption tool, as part of the US authorities' "hack-the-hacker" approach.

"The ability for the FBI to do this undermines the credibility and capability of cyber-criminal organisations and bolsters the FBI's plea for victims to report potential compromises as soon as possible," McPherson said, adding that a move by extortionists to adopt other ransomware strains can be expected.

"The removal of ALPHV from the ransomware landscape will undoubtedly leave a temporary void before members flock to other groups. This is unfortunately a common outcome following law enforcement operations, reflecting the ongoing game of whac-a-mole in law enforcement attempting to provide a meaningful impact against this pernicious form of cybercrime."
