Using a confidential informant and a self-developed decryption tool, law enforcement agencies have disrupted the notorious Alphv/BlackCat ransomware gang.
In a press release Tuesday, the Department of Justice announced a coordinated takedown of BlackCat operations led by the FBI with involvement from Europol and authorities from Germany, Denmark, Australia, Spain, the United Kingdom, Austria and Switzerland. During the disruption campaign, the FBI developed a decryption tool to help affected victims and, aided by an informant, seized several BlackCat-operated websites.
"Over the past 18 months, ALPHV/Blackcat has emerged as the second most prolific ransomware-as-a-service variant in the world based on the hundreds of millions of dollars in ransoms paid by victims around the world," the Justice Department wrote in the press release. "Due to the global scale of these crimes, multiple foreign law enforcement agencies are conducting parallel investigations."
Victims range from government entities and healthcare organizations to schools, defense industrial base companies and critical manufacturing facilities. Two of the gang's more recent victims include MGM Resorts and Henry Schein, a healthcare organization that suffered two BlackCat attacks in just one month.
To seize the websites, the FBI engaged an informant, or "confidential human source," who applied to be a BlackCat affiliate by answering several technical proficiency questions, according to a search warrant unsealed Tuesday. Once the informant was accepted as an affiliate and gained privileged access to the group's website, the credentials were handed over to the FBI.
The search warrant, filed in the Southern District of Florida on Dec. 11, revealed what the FBI discovered using the privileged access.
"During this investigation, law enforcement gained visibility into the Blackcat Ransomware Group's network. As a result, the FBI identified and collected 946 public/private key pairs for Tor sites that the Blackcat Ransomware Group used to host victim communication sites, leak sites, and affiliate panels," the FBI wrote in the search warrant.
Like other ransomware-as-a-service gangs, BlackCat operates a public leak site used to pressure victims into paying a ransom. The site is also used for ransomware negotiations. However, the access granted from the informant provided the FBI with even more insight into the group's operations. The FBI discovered that BlackCat used Tor-based web panels where affiliates and developers planned attacks shrouded in secrecy. They used the panels to manage attacks, tracking everything from ransomware deployment and negotiations to the decryption of victims' data.
"From the Campaigns screen, affiliates can see the victim entity, full ransom price demanded, discount ransom price, expiration date, cryptocurrency addresses, cryptocurrency transactions, type of computer system compromised, ransom demand note, chats with the victim, and more," the warrant read. "These features allow affiliates to engage the victim throughout the entire negotiation process."
In addition to seizing BlackCat-operated websites, the FBI revealed that it also developed a decryption tool to help BlackCat victims recover from attacks without paying a ransom. The tool was offered to more than 500 affected victims globally, and the FBI said it's worked with dozens of U.S. and international victims so far.
The Justice Department estimated that the decryption tool has saved victims $68 million in ransom demand payments. In a statement in the press release, Deputy Attorney General Lisa Monaco said the tool was used to bring businesses, schools, and healthcare and emergency services back online.
The FBI is offering a reward for information on BlackCat and its affiliates.
In a series of posts on X, formerly known as Twitter, on Tuesday, VX-Underground revealed that BlackCat had already created another website in response to the FBI takedown. The cybersecurity research collective, which claimed to be in communication with the gang's operators, also outlined a timeline. It showed BlackCat's primary domain was taken offline on Dec. 10, but the administrator attributed it to a hardware failure. Rumors of law enforcement action began circulating the same day, but the operators denied the allegations.
During communications with VX-Underground Tuesday, BlackCat claimed that the site taken down by the FBI was an old domain.
"ALPHV has ... unseized their domain? They claim the FBI compromised one of their domain controllers. Additionally, they state they are removing all rules from their affiliate program (omit the rule on targeting the CIS) - allowing affiliates to target critical infrastructure," VX-Underground wrote on X.
Alexander Leslie, threat researcher at Recorded Future, said the effectiveness of the takedown remains to be seen. While he believes it will significantly disrupt BlackCat's administration and operations in the short term, there are multiple factors to consider for any lasting results.
For one, he highlighted BlackCat's claims that it is continuing operations and has "unseized" its primary blog from law enforcement. Now, the site redirects visitors to a new blog. On the other hand, Leslie said the disruption campaign could have a significant effect on BlackCat's credibility since its long-term stability is dependent on retaining affiliates. Being infiltrated by an informant and taken down by government action will likely affect the gang's reputation, which Leslie said could be difficult to recover from.
The group might respond by offering affiliates financial incentives or by implementing new rules related to negotiations and payment discounts. Other actions might include the targeting of more critical entities that could be more compelled to pay, Leslie added.
"But if law enforcement is able to effectively distribute decryption tools to future victims and continues to maintain visibility into the group's operations, these consequences may never be seen. I don't think it's unrealistic to predict that Alphv might undergo a voluntary shutdown, rebranding or splintering as a result of this law enforcement action," Leslie said.
Jon DiMaggio, chief security strategist at threat intelligence vendor Analyst1, agreed that Tuesday's takedown effort was very effective. He also acknowledged its effect on the group's reputation, saying if affiliates are afraid to trust BlackCat and its infrastructure, they won't work for them. A lack of affiliates would affect the group's ability to conduct attacks, he added.
"Even though the group has already stood up other infrastructure, the read I get from the underground forums frequented by ransomware actors and affiliates is that they are concerned BlackCat is compromised, which will certainly affect the program," DiMaggio said.
This month's BlackCat server takedown is the latest in government actions to quell ransomware as the number of attacks continues to mount. In late November, Europol announced that a coordinated effort led to the arrest of an alleged ransomware gang leader and four accomplices. The affiliate group had been active since 2018 and leveraged LockerGoga, MegaCortex, Hive and Dharma ransomware strains. The suspects were allegedly responsible for causing $82 million in losses for victim organizations.
TechTarget Editorial contacted the FBI for additional information, but a spokesperson said they had no further comment.
Arielle Waldman is a Boston-based reporter covering enterprise security news.