Justice Department disrupts prolific ALPHV/Blackcat ransomware variant
The Justice Department announced a disruption campaign against the Blackcat ransomware group, also known as ALPHV or Noberus, that has targeted the computer networks of more than 1,000 victims and caused harm around the world since its inception, including networks that support U.S. critical infrastructure.
Over the past 18 months, ALPHV/Blackcat has emerged as the second most prolific ransomware as a service variant in the world based on the hundreds of millions of dollars in ransoms paid by victims around the world.
Due to the global scale of these crimes, multiple foreign law enforcement agencies are conducting parallel investigations.
The FBI developed a decryption tool that allowed FBI field offices across the country and law enforcement partners around the world to offer over 500 affected victims the capability to restore their systems.
To date, the FBI has worked with dozens of victims in the United States and internationally to implement this solution, saving multiple victims from ransom demands totaling approximately $68 million.
As detailed in a search warrant unsealed yesterday in the Southern District of Florida, the FBI has also gained visibility into the Blackcat ransomware group’s computer network as part of the investigation and has seized several websites that the group operated.
“In disrupting the BlackCat ransomware group, the Justice Department has once again hacked the hackers,” said Deputy Attorney General Lisa O. Monaco.
“With a decryption tool provided by the FBI to hundreds of ransomware victims worldwide, businesses and schools were able to reopen, and health care and emergency services were able to come back online.
“We will continue to prioritize disruptions and place victims at the center of our strategy to dismantle the ecosystem fueling cybercrime.”
According to the unsealed warrant, Blackcat actors have compromised computer networks in the United States and worldwide.
The disruptions caused by the ransomware variant have affected U.S. critical infrastructure – including government facilities, emergency services, defense industrial base companies, critical manufacturing, and healthcare and public health facilities – as well as other corporations, government entities, and schools.
The loss amount globally is in the hundreds of millions and includes ransom payments, destruction and theft of proprietary data, and costs associated with incident response.
Blackcat uses a ransomware as a service model in which developers are responsible for creating and updating ransomware and for maintaining the illicit internet infrastructure. Affiliates are responsible for identifying and attacking high value victim institutions with the ransomware.
After a victim pays, developers and affiliates share the ransom.
Blackcat actors employ a multiple extortion model of attack. Before encrypting the victim system, the affiliate will exfiltrate or steal sensitive data.
The affiliate then seeks a ransom in exchange for decrypting the victim’s system and not publishing the stolen data.
Blackcat actors attempt to target the most sensitive data in a victim’s system to increase the pressure to pay. Blackcat actors rely on a leak site available on the dark web to publicize their attacks.
When a victim refuses to pay a ransom, these actors commonly retaliate by publishing stolen data to a leak website where it becomes publicly available.
The FBI Miami Field Office is leading the investigation.
Trial Attorneys Christen Gallagher and Jorge Gonzalez of the Criminal Division’s Computer Crime and Intellectual Property Section and Assistant U.S. Attorneys Kiran Bhat and Brooke Watson for the Southern District of Florida are handling the case.