FBI develops decryptor for BlackCat ransomware, seizes gang's website
Crims laugh it off and resume their activity
Updated: The FBI created a decryption tool for the ransomware used by the gang known as BlackCat and/or AlphV, as part of a wider disruption campaign against the extortionists.
The existence of the decryptor was revealed in a Tuesday announcement by the United States Department of Justice that reports the FBI has offered the tool to over 500 orgs and believes $68 million of ransom payments were avoided as a result.
The announcement came hours after one of BlackCat's dark web presences was overwritten with a seizure notice indicating an FBI-led operation had shuttered the online outpost.
That Tor-hidden blog – which ordinarily lists newly infected victims – went offline briefly earlier this month. At the time it was not known why that outage occurred, though it was widely suspected that law enforcement had somehow derailed the crew's activities.
It now looks as though that's exactly what happened: an unsealed affidavit [PDF] filed in support of an application for a search warrant states that US authorities "gained visibility into the BlackCat Ransomware Group's network" as well as extensive knowledge of its dark-web assets. The Feds said they were able to access 946 public-private key pairs for Tor-hidden sites the BlackCat gang used to communicate with victims and host its blog, plus the sites used to host leaked data and the control panels affiliates used to orchestrate malware infections.
In other words, it sounds as though the Feds were not only able to seize and shut down the ransomware-as-a-service crew's dark-web presence, agents also obtained enough internal info to provide decryption assistance to victims. The US Dept of Justice in its court paperwork talks of using a confidential human source to gain access to an affiliate-level control panel for the malware, and investigating from there, for instance.
The FBI operation was carried out in partnership with the plod in the UK and Australia, and Europol. Their probe into AlphV is ongoing and authorities have advised a reward may be offered to those who offer further information about the crew.
BlackCat has laughed off the campaign.
The gang, believed to be Russian, today boasted it had "unseized" its main dark-web site by pointing it at a web server the miscreants control, rather than an FBI one. The crew used its restored blog to name new alleged victims of its ransomware.
However, it's understood AlphV and the FBI both have the private key for the .onion address for this main site, allowing either side to take over the blog at any time. All through the day, they've been wrestling control of the dark-web site back and forth.
The initial seizure followed, as we said, a rare period of downtime for the ransomware gang's dark-web blog that started on December 7 and persisted for more than two days before mysteriously reappearing without a list of previous victims.
Yelisey Bohuslavkiy, chief research officer at threat intelligence company RedSense, at the time suggested BlackCat's affiliates and initial access brokers were convinced the outage was caused by a law enforcement takedown.
Bohuslavkiy went on to say that leaders at rival ransomware outfits held the same opinion before he highlighted the lack of an explanation provided by BlackCat.
Brett Callow, threat analyst at Emsisoft, told The Register today the seizure likely marks the end of the BlackCat group in its current form – but it will probably return in a new guise.
"While a replacement domain has been created, AlphV's partners in crime will be wondering whether it's a honeypot set up by law enforcement," he predicted. "Realistically, it's very unlikely that any crims will want to continue working with an incompetent outfit which has a history of opsec. It's just too risky.
"They'll already be worried about whether any of the information law enforcement obtained during its operation can point to their real-world identities.
"Alas, while this is likely the end for the AlphV brand, the individuals behind it will probably start up a new one. The only question is, what will they call themselves next?"
In a statement sent to The Register, a spokesperson for the UK's National Crime Agency (NCA) wrote: "Ransomware is the most significant cyber threat globally, and AlphV/BlackCat is one of the most damaging ransomware strains to have impacted the UK in recent months.
"The NCA, alongside the Eastern Region Special Operations Unit, worked closely with the FBI and other international partners over the past year, sharing intelligence which contributed to the disruption of this criminal group.
"We continue to support UK-based victims of ALPHV attacks and would encourage anyone who thinks they have been targeted to come forward and report it. Further support and advice on protecting yourself from ransomware can be found at NCSC.gov.uk."
Updated to add
AlphV's old domain is once again pointing to a page controlled by the ransomware group. The FBI seizure splash page is no longer displayed and has been replaced with an official statement from the gang, along with a link to its primary site hosted on a different domain.
Consistent with the unsealed affidavit, AlphV's statement said the FBI took down one of the crew's datacenters, allegedly with the help of one of its hosters – a claim that aligns with the authorities' mention of a confidential human source.
The FBI's claim of offering a decryptor to more than 500 victims has also been watered down by the group. According to the criminals, the number sits more at the 400 mark while still leaving 3,000 without a decryptor key.
Rival ransomware gang LockBit has entered the fray, according to Mandiant: it is trying to poach AlphV's affiliates during the weeks of turmoil within the crew's ranks by advertising positions on underground forums, in an apparent bid to gain an even greater share of a market it already dominates.
In response, AlphV has stated that all affiliates will keep 90 percent of the ransom fees they generate. The payout to affiliates was previously believed to sit in the 80-90 percent range, suggesting the gang is offering cash for loyalty.
AlphV also claimed to have lifted all internal rules regarding how affiliates can choose their targets, now opening up the possibility to attack US critical infrastructure. Only targets in the Commonwealth of Independent States are off-limits now.
"While this might be a short-term marketing strategy by AlphV, threats to target critical infrastructure have generally brought significant scrutiny against threat actors from law enforcement and governments and could lead to more aggressive actions against them in the future," said Kimberly Goody, Mandiant head of cybercrime analysis at Google Cloud.