FBI Seizes BlackCat Infrastructure – ALPHV Responds by Removing Restrictions for Affiliates

An international law enforcement operation has successfully disrupted the APHV/Blackcat ransomware operation. The Federal Bureau of Investigation (FBI) was able to gain access to the ransomware group’s servers and obtain decryption keys, which allowed the FBI to develop a decryption tool to help victims recover their files without paying the ransom. According to an announcement by the U.S. Department of Justice, the FBI was able to help approximately 500 victims recover their files, saving almost $68 million in ransom payments. The FBI seized the domain for the group’s data leak site, which displays a banner stating the website has been seized as part of an international law enforcement operation.

According to the FBI, the ALPHV/BlackCat ransomware group surfaced in November 2021, and as of September 2023, has conducted more than 1,000 ransomware attacks worldwide, three-quarters of which were in the United States, and has received more than $300 million in ransom payments. ALPHV/BlackCat is believed to be a rebrand of the BlackMatter ransomware group, which is thought to be a rebrand of DarkSide – the group behind the May 2021 ransomware attack on Colonial Pipeline. ALPHV/BlackCat is a ransomware-as-a-service operation, where affiliates are recruited to conduct attacks in exchange for a percentage of any ransom payments they generate. The group engages in double extortion tactics, where sensitive data is stolen before files are encrypted. Ransom payments prevent the publication of the stolen data and allow victims to obtain the keys to decrypt their data.

The FBI was able to gain access to the ALPHV backend affiliate portal through an affiliate of the group who had been provided with login credentials after an interview with the ransomware operator. The FBI was able to monitor the group’s activities for months and siphoned off decryption keys. The FBI said it obtained 946 private and public key pairs associated with the group’s Tor negotiation sites, data leak sites, and management panel, and they are stored on a USB flash drive in Florida. The key pairs allow the FBI to seize the .onion URLs used by the group; however, since ALPHV/BlackCat also has the key pairs, they are able to take back control.

On December 19, 2023, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint cybersecurity advisory about the group, which provides updates to the FBI FLASH report on ALPHV/BlackCat that was released in April 2023. The latest cybersecurity advisory includes details of the Tactics, Techniques, and Procedures (TTPs) used by the group and Indicators of Compromise (IoCs) identified through FBI investigations as recently as December 6, 2023.

The ALPHV/BlackCat ransomware has responded to the DOJ announcement and website seizure. The group posted on its leak site that the website has been unseized and said the FBI was able to obtain the decryption keys for around 6 weeks of attacks – about 400 companies – but said that attacks had been conducted on more than 3,000 companies and that as a result of the law enforcement operation, those victims will never be able to recover their data.

The post also states that because of the law enforcement operation, all but one of the restrictions on victims have been removed. Affiliates are permitted to attack any target, including hospitals, nuclear power plants, and more. The only restriction that still applies is affiliates are prohibited from attacking any target in the Commonwealth of Independent States. The group also said it will be stopping offering discounts on ransom demands, will no longer provide time extensions for victims, and said patient data will no longer be removed from the leaked data. The group also said it would learn from its mistakes and would work even harder in the future.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news