How the FBI seized BlackCat ransomware's servers

An unsealed FBI search warrant revealed how law enforcement hijacked the ALPHV/BlackCat ransomware operations websites and seized the associated URLs.
Today, the US Department of Justice confirmed that they seized websites for the ALPHV ransomware operation and created a decryptor to help approximately 500 companies recover their data for free.
After being interviewed by the ransomware operators, the FBI's confidential human source (CHS) was provided login credentials to the backend affiliate panel.
This panel is not public and is only meant to be used by the ransomware gang's operators and affiliates, allowing them to manage extortion campaigns and negotiate ransoms with victims.
Under a separate federal search warrant, the FBI accessed the ALPHV panel to determine how it operated.
Using this access, the FBI obtained the private decryption keys used in attacks and created a decryptor that has helped over 400 victims recover their files for free.
It is still unclear how they obtained those private decryption keys, as an affiliate account would not have had access to them.
A theory is that the FBI used its internal access to find vulnerabilities that could be exploited to dump the database or gain further access to the server, but this is unconfirmed.
The FBI also states that they obtained 946 private and public key pairs associated with the ransomware operation's Tor negotiation sites, data leak sites, and management panel and saved them to a USB flash drive that is now stored in Florida.
Whoever holds the private key of a Tor onion service controls that .onion address: the hostname is derived from the service's public key, and only the matching private key can sign the descriptor that tells Tor clients where the service lives, so the key holder can point the same URL at servers of their own choosing.
While the FBI has not shared how they gained access to these Tor key pairs, it is likely through the same access they used to retrieve the decryption keys for the victims' encrypted files.
The FBI says they confirmed that these Tor keys are associated with the ransomware operation's data leak site, affiliate panel, and unique Tor negotiation sites given to victims in ransom notes.
While BleepingComputer has only confirmed that the data leak sites and some negotiation sites were hijacked by law enforcement, possessing these Tor keys would allow the FBI to seize the affiliate panel as well.
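To make concrete why possession of the key pairs amounts to control of the URLs, the following is an added example (not code from the article, the FBI warrant, or any tool mentioned on this page) that derives a Tor v3 onion address from an ed25519 public key using the construction in Tor's rend-spec-v3: base32(PUBKEY || CHECKSUM || VERSION) with CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2] and VERSION = 0x03. The 32-byte public key used here is a constructed placeholder, not a real service key. Since the address is a pure function of the public key, anyone who can sign descriptors with the corresponding private key can serve content at that exact hostname.

```python
# Added example: how a Tor v3 onion address is bound to the service's ed25519 key.
# Follows Tor's rend-spec-v3 construction; this is not code from the article or from
# any law-enforcement tooling. SAMPLE_PUBKEY is a constructed 32-byte placeholder.
import base64
import hashlib

ONION_VERSION = b"\x03"

# Constructed stand-in for an ed25519 public key (not a real onion service key).
SAMPLE_PUBKEY = bytes(range(32))


def onion_checksum(pubkey: bytes) -> bytes:
    """CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]."""
    h = hashlib.sha3_256()
    h.update(b".onion checksum")
    h.update(pubkey)
    h.update(ONION_VERSION)
    return h.digest()[:2]


def onion_address(pubkey: bytes) -> str:
    """Derive the .onion hostname from an ed25519 public key.

    onion_address = base32(PUBKEY || CHECKSUM || VERSION) + ".onion"
    The name is a pure function of the key, so only the holder of the matching
    private key can publish a descriptor that Tor clients will accept for it.
    """
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + onion_checksum(pubkey) + ONION_VERSION  # 35 bytes -> 56 base32 chars
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_onion_address(address: str):
    """Return the embedded public key if the address is a well-formed v3 onion, else None."""
    host = address.lower()
    if host.endswith(".onion"):
        host = host[: -len(".onion")]
    if len(host) != 56:
        return None
    try:
        raw = base64.b32decode(host.upper())
    except Exception:
        return None
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    # Both the checksum and the version byte must match, or the address is invalid.
    if version != ONION_VERSION or checksum != onion_checksum(pubkey):
        return None
    return pubkey


if __name__ == "__main__":
    addr = onion_address(SAMPLE_PUBKEY)
    print(addr)
    assert parse_onion_address(addr) == SAMPLE_PUBKEY
    # Changing the final character alters the version byte, so validation fails.
    print(parse_onion_address(addr[:-7] + "e.onion"))
```

The round trip shows the binding in both directions: the address embeds the public key verbatim, and a client can recover and verify that key from the hostname alone. Seizing the 946 key pairs therefore did not require touching DNS or any hosting provider; it let the FBI publish its own descriptors for the existing addresses.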
This is the third known law enforcement operation where the FBI successfully breached a ransomware operation's infrastructure to quietly monitor activities and siphon decryption keys.
The first was REvil, where the FBI gained access to the master decryption key for the Kaseya supply chain attack, and the second was a breach of the Hive ransomware operation, where the FBI obtained over 1,300 decryption keys.
The FBI and international law enforcement have devised a tactic that works to breach and disrupt ransomware gangs' infrastructure, and we will likely see more actions like this in the future.


This Cyber News was published on www.bleepingcomputer.com. Publication date: Tue, 19 Dec 2023 17:30:29 +0000

