US authorities announced a disruption campaign against the prolific Russian-speaking ALPHV/BlackCat ransomware group, which has compromised more than 1,000 victims worldwide and received more than $300 million in ransom payments.
The front page of the group’s dark web website was replaced with a message stating that the site had been seized by law enforcement authorities. However, mere hours after the FBI announced the takedown, the group posted a message claiming that they had “unseized” their website. The ransomware actors shared their version of events, saying that the FBI had compromised one of their domain controllers. They also said they were removing almost all rules from their affiliate program, allowing affiliates to target critical infrastructure.
“Because of their actions, we are introducing new rules, or rather, removing all the rules except one, you can not touch the CIS, you can now block hospitals, nuclear power plants, anything and anywhere,” the group wrote.
As part of the operation, the FBI developed a decryption tool for victims to restore their data. The agency said it worked with dozens of victims in the US to implement the decryptor, saving them from ransom demands totaling about $68 million, and that it also gained insight into the ransomware's computer network, allowing it to collect 946 public/private key pairs used to host the Tor sites operated by the group and dismantle them.
According to an unsealed search warrant, the FBI gained visibility into the BlackCat ransomware group’s operations thanks to a Confidential Human Source (“CHS”), who responded to a BlackCat ad on a publicly accessible online forum and, after being interviewed by the ransomware operators, became an affiliate. The informant was given access credentials to a BlackCat affiliate panel, available at a unique Tor address.
Under a separate federal search warrant, the FBI accessed the BlackCat panel to determine how it operated.
“At the top of the menu bar is a ‘Dashboard’ button which, when selected, displays information in grid format showing a summary and status of each victim entity,” the document explains. “If the affiliate is actively engaging with a victim infected with Blackcat ransomware, they can select the entity using the Dashboard or select the ‘Campaigns’ button in the menu bar. From the Campaigns screen, affiliates can see the victim entity, full ransom price demanded, discount ransom price, expiration date, cryptocurrency addresses, cryptocurrency transactions, type of computer system compromised, ransom demand note, chats with the victim, and more. These features allow affiliates to engage the victim throughout the entire negotiation process.”
Using this access to the dashboard, the FBI was able to obtain the 946 public/private key pairs for the Tor sites that BlackCat used to host victim communication sites, leak sites, and affiliate panels.
Separately, the US Cybersecurity and Infrastructure Security Agency (CISA) has published a security advisory containing updated Indicators of Compromise (IoCs) associated with the BlackCat Ransomware 2.0 Sphynx version released in February 2023.