The DOJ said it seized several websites operated by the group, “gained visibility into the BlackCat ransomware group’s computer network,” and developed a decryption tool to help victims recover their files. The FBI has shared that tool with hundreds of victimized organizations.
BlackCat — also known as ALPHV — has targeted more than 1,000 victims worldwide since emerging a year and a half ago, to become “the second most prolific ransomware-as-a-service variant in the world,” based on the size of the extortion it's reaped, per the DOJ.
U.S. victims include government entities, emergency services, health care and public health facilities, schools and others, per the DOJ. The group was allegedly behind an October 2023 attack on a Florida circuit court system, as well as 2022 attacks on a Colorado county, Colorado municipality and higher education institutions in Florida and North Carolina.
Now, the FBI has given its decryption tool to more than 500 victimized organizations worldwide, meaning “businesses and schools were able to reopen, and health care and emergency services were able to come back online,” said Deputy Attorney General Lisa Monaco in a statement.
The ransomware group is known for double extortion attacks, in which attackers both encrypt victims’ files and threaten to publish them.
BlackCat also operates under a ransomware-as-a-service model. That sees operators develop and maintain the ransomware malware and maintain the supporting Internet infrastructure. Affiliates, meanwhile, deploy the malware against victims and negotiate extortion payments.
Under this kind of model, affiliates typically keep 60 percent to 80 percent of victim extortion payouts, while providing the rest to the operator, per cybersecurity journalist Brian Krebs.
BlackCat temporarily regained access to its darknet server, allowing it to post a statement on its site in which it said it was retaliating. The gang said it would up so-called "advertisers" commissions to 90 percent and lift most of the rules limiting who could be targeted with the ransomware, per Krebs. Ransomware groups may sometimes prohibit going after certain critical targets, like governments and hospitals, to provoke less ire and less intense focus from law enforcement.
“Because of their actions, we are introducing new rules, or rather, We are removing ALL rules except one, you cannot touch the CIS [Commonwealth of Independent States]. You can now block hospitals, nuclear power plants, anything, anywhere,” BlackCat’s message states.
In a post on X, Recorded Future intelligence analyst Allan Liska expressed doubt that BlackCat had truly “unseized” its server.
“They didn't 'unseized' anything,” Liska wrote. “The way .onion addressing works is that, as long as you have the signing key, if you register a second server with that address the newest server will be believed by default. “
Emsisoft threat analyst Brett Callow also told the Washington Post BlackCat’s efforts to downplay the impact are “probably mostly just bluster at this point. Their operation has been compromised to an as-of-yet unknown extent, and other cyber criminals will want nothing to do with that.”
The situation continues unfolding.
“These actions are not the culmination of our efforts, they are just the beginning,” said DOJ Criminal Division Acting Assistant Attorney General Nicole Argentieri in a statement. “… Going forward, we will continue our investigation and pursue those behind BlackCat until they are brought to justice.”
The U.S. has previously been involved in efforts to arrest ransomware perpetrators — including individuals associated with gangs where many of BlackCat’s operators are believed to have worked previously.
According to Krebs, a number of operators may have come to BlackCat from REvil, BlackMatter and DarkSide. The U.S. and allies arrested REvil affiliates in 2021. The same year, BlackMatter said it would shut down following “pressure from the authorities,” per TechCrunch. DarkSide — which was behind the 2021 Colonial Pipeline attack — also said in 2021 that it would shut down, after servers were seized and funds stolen, Krebs reported.
