U.S. authorities have confirmed the disruption of the AlphV/BlackCat ransomware gang, including the seizure of several of the group’s data leak and communications sites and the publication of a decrypter that victim organizations can use to get access back to scrambled data.
The announcement comes after over a week of silence on the gang’s data leak site, leading to speculation that action against the prolific gang had taken place.
“In disrupting the BlackCat ransomware group, the Justice Department has once again hacked the hackers,” U.S. Deputy Attorney General Lisa Monaco said in a statement. “With a decryption tool provided by the FBI to hundreds of ransomware victims worldwide, businesses and schools were able to reopen, and health care and emergency services were able to come back online. We will continue to prioritize disruptions and place victims at the center of our strategy to dismantle the ecosystem fueling cybercrime.”
The decryption tool has been offered to 400 victims of the gang.
However, not long after the FBI announcement, one of the supposedly seized sites had a new message in Russian saying a new gang site had been set up. The translation says, “As you all know, the FBI received the keys to our blog, now we will tell you how it all happened.” It claims that while law enforcement knows of and can help 400 companies decrypt their scrambled data, more than 3,000 other victims can’t be helped.
Because of police action, the site says, the gang has removed all of its rules limiting the actions of affiliates. That means, the post says, there’s nothing stopping ransomware attacks on hospitals, nuclear power stations and other sensitive organizations.
The authenticity of the message couldn’t be verified by IT World Canada.
The international law enforcement action also involved Germany’s Bundeskriminalamt and Zentrale Kriminalinspektion Göttingen, Denmark’s Special Crime Unit, and the Europol police co-operative. The U.S. said several other groups provided substantial assistance and support, including the Australian Federal Police, the United Kingdom’s National Crime Agency and Eastern Region Special Operations Unit, Spain’s Policia Nacional, Switzerland’s Kantonspolizei Thurgau, and Austria’s Directorate State Protection and Intelligence Service.
The FBI says that over the past 18 months, AlphV/BlackCat became the second most prolific ransomware-as-a-service variant in the world, based on the hundreds of millions of dollars in ransoms paid by victims. Among the latest hit was the MGM Resort Las Vegas. After that hit, the gang said patrons shouldn’t blame it for losing money on reservations because closing the hotel and casino was management’s decision.
This interagency and multijurisdictional law enforcement operation “crowns a historical record of ransomware takedowns conducted in 2023,” commented Ilia Kolochenko, CEO of ImmuniWeb. “It is an excellent example of how well co-ordinated co-operation between the E.U., U.K. and U.S. authorities, with support from transnational agencies such as Europol, brings efficient results and slows down the surging pandemic of ransomware and interrelated hacking campaigns.
“Having said that, disruption of cybercrime’s infrastructure and selective arrests of identifiable cyber gang members is rarely sufficient. For example, a considerable number of seized hacking forums or marketplaces resurrected a few weeks after the seizure under a similar or new identity. Amid the global geopolitical uncertainty, many cybercrime groups safely operate from non-extraditable jurisdictions in absolute impunity.”
Unless nation-states manage to hammer out a truly global convention against cybercrime that would be ratified by all U.N. member states, he warned, the battle against organized cybercrime will be like fighting an immortal hydra.
That warning comes as nations are set for a final negotiating session at the end of January on a proposed international cybercrime treaty. Last week, the Cybersecurity Tech Accord, a group of leading IT companies including Microsoft, Cisco Systems, and Oracle complained that the latest draft “would significantly weaken cybersecurity, erode data privacy, and undermine online rights and freedoms across the world.”
This is a win for law enforcement, and almost certainly marks the end of AlphV as a brand, said Brett Callow, a Canadian-based threat researcher for Emsisoft. “Nobody will want to do business with an operation that has been compromised. In fact, their business associates and affiliates will already be wondering what information law enforcement obtained and whether any of it points to them – which isn’t at all unlikely.
“Unfortunately, the individuals behind AlphV are unlikely to be out of the ransomware game for good. They’ll probably spin up a new operation with a new name. But, even if they do, this is still a big win for good guys and a big loss for the bad guys.”
A search warrant used to support FBI action against AlphV/BlackCat says the agency relied in part on a confidential human source “who routinely provides reliable information related to ongoing cybercrime investigations.”
The source had answered a public advertisement the ransomware gang had posted for potential affiliates. After passing an interview, the source was given access credentials for the BlackCat’s affiliate system using a unique .onion address.
Sites seized by law enforcement were hidden on the Tor network. But through its investigation and the source, the FBI was able to collect 946 public/private key pairs for Tor sites that the ransomware gang used to host victim communication sites, leak sites, and affiliate panels.
