20 December 2023

US seizes ALPHV/BlackCat darknet website, releases decryption tool


The US authorities announced a disruption campaign against the prolific Russian-speaking ALPHV/BlackCat ransomware group, which has compromised more than 1,000 victims worldwide and received more than $300 million in ransom payments.

The group’s darkweb website front page was replaced by a message stating that the site had been seized by law enforcement authorities. However, mere hours after the FBI announced the takedown, the group posted a message claiming that they had “unseized” their website. The ransomware actors shared their version of the events, saying that the FBI compromised one of their domain controllers. They also said they are removing almost all rules from their affiliate program, allowing affiliates to target critical infrastructure.

“Because of their actions, we are introducing new rules, or rather, removing all the rules except one, you can not touch the CIS, you can now block hospitals, nuclear power plants, anything and anywhere,” the group wrote.

As part of the operation, the FBI developed a decryption tool for victims to restore their data. The agency said it worked with dozens of victims in the US to implement the decryptor, saving them from ransom demands totaling about $68 million, and that it also gained insight into the ransomware's computer network, allowing it to collect 946 public/private key pairs used to host the Tor sites operated by the group and dismantle them.

According to an unsealed search warrant, the FBI gained visibility into the BlackCat ransomware group’s operations thanks to a Confidential Human Source (“CHS”), who responded to a BlackCat ad on a publicly accessible online forum and, after being interviewed by the ransomware operators, became an affiliate. The informant was given access credentials to a BlackCat affiliate panel, available at a unique Tor address.

Under a separate federal search warrant, the FBI accessed the BlackCat panel to determine how it operated.

“At the top of the menu bar is a “Dashboard” button which, when selected, displays information in grid format showing a summary and status of each victim entity,” the document explains. “If the affiliate is actively engaging with a victim infected with Blackcat ransomware, they can select the entity using the Dashboard or select the “Campaigns” button in the menu bar. From the Campaigns screen, affiliates can see the victim entity, full ransom price demanded, discount ransom price, expiration date, cryptocurrency addresses, cryptocurrency transactions, type of computer system compromised, ransom demand note, chats with the victim, and more. These features allow affiliates to engage the victim throughout the entire negotiation process.”

Using access to the dashboard, the FBI was able to obtain 946 public/private key pairs for Tor sites that BlackCat used to host victim communication sites, leak sites, and affiliate panels.

Separately, the US Cybersecurity and Infrastructure Security Agency (CISA) has published a security advisory containing updated Indicators of Compromise (IoCs) associated with the BlackCat Ransomware 2.0 Sphynx version released in February 2023.
