The U.S. Federal Bureau of Investigation disclosed today that it infiltrated the world's second most prolific ransomware gang, a Russia-based criminal group known as ALPHV and BlackCat.
The FBI said it seized the gang's darknet website, and released a decryption tool that hundreds of victim companies can use to recover systems.
A slightly modified version of the FBI seizure notice on the BlackCat darknet site.
Whispers of a possible law enforcement action against BlackCat came in the first week of December, after the ransomware group's darknet site went offline and remained unavailable for roughly five days.
BlackCat eventually managed to bring its site back online, blaming the outage on equipment malfunctions.
The BlackCat website was replaced with an FBI seizure notice, while federal prosecutors in Florida released a search warrant explaining how FBI agents were able to gain access to and disrupt the group's operations.
A statement on the operation from the U.S. Department of Justice says the FBI developed a decryption tool that allowed agency field offices and partners globally to offer more than 500 affected victims the ability to restore their systems.
The DOJ reports that since BlackCat's formation roughly 18 months ago, the crime group has targeted the computer networks of more than 1,000 victim organizations.
BlackCat attacks usually involve encryption and theft of data; if victims refuse to pay a ransom, the attackers typically publish the stolen data on a BlackCat-linked darknet site.
BlackCat formed by recruiting operators from several competing or disbanded ransomware organizations, including REvil, BlackMatter and DarkSide.
The latter group was responsible for the Colonial Pipeline attack in May 2021 that caused nationwide fuel shortages and price spikes.
Affiliates are incentivized to attack high-value targets because they generally reap 60-80 percent of any payouts, with the remainder going to the crooks running the ransomware operation.
BlackCat was able to briefly regain control over its darknet server today.
The message that was briefly on the homepage of the BlackCat ransomware group this morning.
BlackCat claimed that the FBI's operation only touched a portion of its operations, and that as a result of the FBI's actions an additional 3,000 victims will no longer have the option of receiving decryption keys.
The group also said it was formally removing any restrictions or discouragement against targeting hospitals or other critical infrastructure.
The crime group also said it was setting affiliate commissions at 90 percent, presumably to attract interest from potential affiliates who might otherwise be spooked by the FBI's recent infiltration.
BlackCat's darknet site currently displays the FBI seizure notice.
As BleepingComputer founder Lawrence Abrams explained on Mastodon, both the FBI and BlackCat have the private keys associated with the Tor hidden service URL for BlackCat's victim shaming and data leak site.
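The tug-of-war over the seized site follows directly from how Tor v3 onion addresses are built: the address is a deterministic encoding of the service's ed25519 public key, so whoever holds the matching private key can publish a descriptor for it, and there is no third party to adjudicate between two holders. The script below is an added illustration, not code from the article or from either party; it implements the address derivation from the public Tor rendezvous specification (SHA3-256 checksum over ".onion checksum" || pubkey || version, base32 of pubkey || checksum || version) and a verifier that checks an address is well-formed. The two public keys are constructed placeholders, not real hidden-service keys.

```python
import base64
import hashlib
from typing import Optional

ONION_VERSION = b"\x03"            # v3 onion services
CHECKSUM_PREFIX = b".onion checksum"

# Constructed 32-byte placeholder "public keys" for the demo (not real ed25519 keys).
DEMO_PUBKEY_A = hashlib.sha256(b"constructed demo key A").digest()
DEMO_PUBKEY_B = hashlib.sha256(b"constructed demo key B").digest()


def onion_checksum(pubkey: bytes) -> bytes:
    """Two-byte checksum defined by the Tor v3 spec: SHA3-256(prefix || pubkey || version)[:2]."""
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_VERSION).digest()[:2]


def derive_onion_address(pubkey: bytes) -> str:
    """Map a 32-byte ed25519 public key to its .onion hostname.

    Nothing but the public key goes in, which is why control of the address
    reduces entirely to possession of the corresponding private key.
    """
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + onion_checksum(pubkey) + ONION_VERSION   # 35 bytes -> 56 base32 chars, no padding
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def verify_onion_address(address: str) -> Optional[bytes]:
    """Return the embedded public key if the address is a well-formed v3 onion address, else None.

    A defender checking an indicator list can use this to reject typos or
    malformed addresses before relying on them.
    """
    if not address.endswith(".onion"):
        return None
    label = address[: -len(".onion")]
    if len(label) != 56:
        return None
    try:
        raw = base64.b32decode(label.upper())
    except Exception:
        return None
    if len(raw) != 35 or raw[34:35] != ONION_VERSION:
        return None
    pubkey, checksum = raw[:32], raw[32:34]
    if checksum != onion_checksum(pubkey):
        return None
    return pubkey


def corrupt_checksum(address: str) -> str:
    """Flip one bit in the checksum field of a valid address (used to show the verifier rejecting it)."""
    raw = bytearray(base64.b32decode(address[: -len(".onion")].upper()))
    raw[32] ^= 0x01
    return base64.b32encode(bytes(raw)).decode("ascii").lower() + ".onion"


if __name__ == "__main__":
    addr = derive_onion_address(DEMO_PUBKEY_A)
    print("derived:", addr)
    print("verifies:", verify_onion_address(addr) == DEMO_PUBKEY_A)
    print("corrupted verifies:", verify_onion_address(corrupt_checksum(addr)) is not None)
```

Because the hostname commits only to the public key, seizing the server hardware does not by itself revoke the operators' ability to announce the same address from elsewhere; both the FBI and the gang can keep publishing competing descriptors until one side stops.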
Further reading: CISA StopRansomware Alert on the tools, techniques and procedures used by ALPHV/BlackCat.
This Cyber News was published on krebsonsecurity.com. Publication date: Tue, 19 Dec 2023 22:55:06 +0000