
The U.S. Department of Justice (DoJ) officially announced the disruption of the BlackCat ransomware operation and released a decryption tool that more than 500 affected victims can use to regain access to files locked by the malware.
Court documents reveal that the FBI enlisted a confidential human source (CHS) to pose as an affiliate of the BlackCat operation and gain access to the web panel the gang used to manage its victims.
The seizure was carried out with the cooperation and assistance of multiple law enforcement agencies in the United States, Germany, Denmark, Australia, the United Kingdom, Spain, Switzerland and Austria.
BlackCat, also known as ALPHV, GOLD BLAZER and Noberus, first appeared in December 2021 and has since become the second most prolific ransomware-as-a-service variant in the world after LockBit. This is also the first Rust-based ransomware strain discovered in the wild.
The development ends speculation about a rumored law enforcement action after the group's dark web leak portal went offline on December 7, only to reappear five days later listing a single victim.
The FBI said it worked with dozens of victims in the U.S. to deploy the decryption tool, saving them from ransom demands totaling about $68 million. It also said it gained visibility into the group's computer network, which allowed it to collect 946 public/private key pairs for the Tor sites the group used to host victim communication sites, leak sites and affiliate panels, and to dismantle them.
One important thing to note here is that setting up a hidden service on the Tor anonymity network generates a unique key pair: the .onion address is derived directly from the public key (which therefore acts as the service's identifier), and the private key is what authorizes publishing the service descriptor that tells the Tor network where that address lives.
Therefore, any party holding the key pair can publish a new descriptor that redirects traffic for the .onion address to another server under their control. Possession of the keys, not of the original server, decides who controls the site, which is why control of the BlackCat leak site could change hands more than once.
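To make the "the address is the public key" point concrete, the following is an added Python example (not code from the article, the FBI, or the BlackCat operation). It derives and validates Tor v3 .onion addresses using only the standard library, following the construction in Tor's rendezvous v3 specification: base32 of the 32-byte ed25519 public key, a 2-byte SHA3-256 checksum and a version byte. The sample key is a constructed 32-byte value, not a real hidden-service key. Signing the descriptor with the private key (Tor's blinded-key scheme) is out of scope here; the snippet shows why the address itself carries no secret, so whoever holds the matching private key owns the address.

```python
# Added example (not from the article): derive and validate Tor v3 .onion
# addresses with the standard library only. Per the Tor rendezvous v3 spec:
#   onion_address = base32(PUBKEY | CHECKSUM | VERSION) + ".onion"
#   CHECKSUM      = SHA3-256(".onion checksum" | PUBKEY | VERSION)[:2]
# The address is a pure function of the public key, so anyone holding the
# matching private key can publish descriptors for it and redirect its traffic.
import base64
import hashlib

ONION_VERSION = b"\x03"            # v3 hidden-service address format
CHECKSUM_PREFIX = b".onion checksum"


def onion_checksum(pubkey: bytes) -> bytes:
    """Two-byte integrity check over the key and version byte (SHA3-256)."""
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_VERSION).digest()[:2]


def onion_address(pubkey: bytes) -> str:
    """Build the 56-character .onion hostname for a 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("v3 onion identity keys are 32 bytes")
    raw = pubkey + onion_checksum(pubkey) + ONION_VERSION   # 35 bytes -> 56 base32 chars
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_onion_address(address: str) -> bytes:
    """Recover the public key from a v3 .onion address, rejecting anything malformed.

    Raises ValueError on wrong length, bad base32, wrong version or checksum mismatch.
    """
    host = address.strip().lower()
    if host.endswith(".onion"):
        host = host[: -len(".onion")]
    if len(host) != 56:
        raise ValueError("not a v3 onion address (expected 56 base32 characters)")
    try:
        raw = base64.b32decode(host.upper())
    except Exception as exc:       # binascii.Error is a ValueError, but be explicit
        raise ValueError(f"invalid base32: {exc}") from exc
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_VERSION:
        raise ValueError("unsupported onion address version")
    if checksum != onion_checksum(pubkey):
        raise ValueError("checksum mismatch")
    return pubkey


def is_valid_onion_address(address: str) -> bool:
    """Boolean wrapper, handy for screening .onion strings pulled from logs or IOC feeds."""
    try:
        parse_onion_address(address)
        return True
    except ValueError:
        return False


# Constructed sample key (NOT a real hidden-service key): 32 predictable bytes.
SAMPLE_PUBKEY = bytes(range(32))

if __name__ == "__main__":
    addr = onion_address(SAMPLE_PUBKEY)
    print("address:", addr)
    print("round-trips to the same key:", parse_onion_address(addr) == SAMPLE_PUBKEY)
    # Corrupt the final character (low bits of the version byte): must be rejected.
    tampered = addr[:55] + ("a" if addr[55] != "a" else "b") + ".onion"
    print("tampered address valid:", is_valid_onion_address(tampered))
```

Because the public key is recoverable from the address, an incident responder can extract it from any .onion string found in ransom notes or network logs and compare it across sites; two addresses that differ are backed by different identity keys, while the same address reappearing under new operators (as happened here) means the same private key was used, not that the original server was recovered.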
BlackCat, like several other ransomware gangs, operates on a ransomware-as-a-service model involving core developers and affiliates who rent payloads and are responsible for identifying and attacking high-value victim organizations.
It also uses a dual extortion scheme to pressure victims into paying by exfiltrating sensitive data before encrypting it.
“BlackCat affiliates gained initial access to victim networks through multiple methods, including leveraging compromised user credentials to gain initial access to victim systems,” the DOJ said.
All told, as of September 2023, this financially motivated attacker is estimated to have compromised the networks of more than 1,000 victims worldwide, earning nearly $300 million in illicit revenue.
Image source: Resecurity
If anything, the takedown is a blessing in disguise for competitors like LockBit, which was already taking advantage of the situation by actively recruiting displaced affiliates and offering its own data leak site so they could resume victim negotiations.
In an interview with vx-underground, a malware research collective, a BlackCat spokesperson said the group had “moved the server and the blog,” claiming that law enforcement agencies only have access to a “stupid old key” to the old blog site, which the group had deleted long ago and had not used since.

As of this writing, the threat actor’s latest leak site is still operational. “On December 13, the group announced the first victim on its new leak site,” Secureworks said. “As of December 19, information on five victims had been posted on the new site, indicating that the group retained certain operational capabilities.”
However, hours after the takedown, the BlackCat group took steps to “unseize” the main leak site, using the same set of cryptographic keys required to host the hidden service on the Tor network, and posted its own seizure notice.
As a retaliatory measure, it also gave affiliates the green light to target critical infrastructure entities such as hospitals and nuclear power plants, as well as any other target outside the Commonwealth of Independent States (CIS). The FBI has since regained control of the site.
The Secureworks Counter Threat Unit (CTU) told The Hacker News: “These threats may seem like a ‘now you’ve done it’ gesture, but the group already has a history of attacking healthcare and energy infrastructure targets, so it feels like roaring.”
“Given that such activity seems more likely to attract the attention of law enforcement (which is why many organizations explicitly avoid doing so), it seems unlikely that affiliates would choose to specifically target such organizations, especially since ransomware is largely a crime of opportunity and is based on available access to the victim’s network.”
“That said, some less risk-averse affiliates may prefer to target energy and healthcare organizations. On the other hand, the uncertainty caused by the enforcement disruption will likely drive affiliates away from BlackCat and into the embrace of other ransomware operators such as LockBit. Such disruption can breed distrust and paranoia among ransomware group members and affiliates.”
In a conversation with vx-underground, the LockBit administrator described the situation as “unfortunate” and said that security vulnerabilities in its infrastructure are a major threat to “my business.”
(This story was updated after publication to include more information about the infrastructure seizure.)