U.S. law enforcement agencies said they shut down the online operations of the notorious Russia-linked BlackCat ransomware-as-a-service group and developed a decryption tool that will help more than 500 victims regain access to their encrypted data files.
The operation by the FBI and Justice Department against BlackCat is the latest in a series of initiatives by the U.S. government designed to stem the growing tide of ransomware and other attacks by shutting down the threat groups' operations.
In January, the DOJ announced it had penetrated the servers of the Hive ransomware group and offered decryption keys to victims.
The DOJ and FBI said in August that they took down the infrastructure of the QakBot phishing group.
Despite the operation, QakBot's tactics are still being used by such groups as DarkGate and PikaBot.
All this comes as ransomware groups continue to roll up targets.
According to Statista, almost 73% of companies worldwide have been victims of ransomware attacks this year, a steady increase from 62.4% in 2020.
According to the DOJ, the BlackCat group since late 2021 has racked up more than 1,000 victims - including critical infrastructure entities, schools, financial firms, and healthcare organizations - and over the last 18 months had become the second most prolific RaaS operation in the world, collecting hundreds of millions of dollars in paid ransoms.
Given the group's reach, the DOJ said law enforcement agencies in other countries are running investigations parallel to the one in the United States.
Cybersecurity expert Brian Krebs noted that BlackCat was formed by recruiting former members of high-profile competing or disbanded ransomware groups, including REvil, BlackMatter, and DarkSide, which was behind the massive attack on software maker SolarWinds in 2020.
BlackCat runs double-extortion attacks, stealing victims' data before encrypting the files and threatening to leak the stolen data if the ransom isn't paid, with ransoms being paid in cryptocurrency.
According to a search warrant application by the FBI, the threat group runs a primary leak site and multiple other addresses on the Tor network.
The source had answered an ad for BlackCat affiliates and interviewed with a member of BlackCat, who subsequently gave them credentials for the panels.
Despite the investigation and the DOJ's seizure of its online operation, the BlackCat members are fighting back.
As noted by Krebs, people who went to BlackCat's leak site on Tuesday were greeted by a notice that the website had been seized, complete with the emblems of the FBI and DOJ topped by Santa hats.
The group said the DOJ was able to gain control of one of its data centers, but added that there are more still operating.
While opening up hospitals and nuclear power plants for attacks by affiliates, the group stipulated that the ban on attacks on CIS members was still in place.
The DOJ's announcement this week came after reports surfaced earlier this month that BlackCat's dark web site went dark, setting off speculation that law enforcement agencies had shut it down.
It came back online a few days later, with the threat group claiming the blackout was due to a hardware failure, though the vx-underground cybersecurity group at the time said on X that the claim was doubtful.
Vx-underground also showed that law enforcement actions like the one against BlackCat get the attention of other ransomware operators.
This Cyber News was published on securityboulevard.com. Publication date: Wed, 20 Dec 2023 14:43:04 +0000