AlphV/BlackCat hacked back as feds offer decryptor to ransomware victims

The US Justice Department is passing a decryptor to more than 500 victims of AlphV/BlackCat’s ransomware following a disruption campaign.

It believes the decryptor, which will allow victims to recover from ransomware for free, will prevent $68 million in ransom payments from being made.

“Today’s announcement highlights the Justice Department’s ability to take on even the most sophisticated and prolific cybercriminals,” said US Attorney Markenzy Lapointe of the Southern District of Florida.

“As a result of our office’s tireless efforts, alongside FBI Miami, US Secret Service, and our foreign law enforcement partners, we have provided BlackCat’s victims, in the Southern District of Florida and around the world, the opportunity to get back on their feet and to fortify their digital defenses. We will continue to focus on holding the people behind the BlackCat ransomware group accountable for their crimes.”

The announcement comes hours after BlackCat’s old leak site was defaced with a seizure notice indicating an FBI-led operation was responsible for bringing it down.

Seizure notice placed by the FBI on AlphV/BlackCat’s old leak site

The operation was carried out in partnership with authorities from the UK, Australia, and Europol, who have jointly said that those who come forward with information about BlackCat, its affiliates, or its activities may be eligible for a reward.

The ransomware giant’s most recent website remains operational, though, and at the time of writing had posted new victims within the past few hours, which raises questions about the extent to which the disruption campaign has achieved its objectives.

It’s a confusing turn of events that leaves the state of AlphV/BlackCat’s survival up in the air.

This is a breaking story. The Register is expecting further input from the UK’s National Crime Agency (NCA) and will update the article when new information becomes available.

Speaking to vx-underground, a group that collects malware source code and samples, an AlphV/BlackCat spokesperson said it’s in the process of moving its servers and leak blog.

An AlphV admin said the law enforcement agencies only had access to a “stupid old key” for the old blog site, which the group deleted a long time ago and has not used since.

The seizure follows a rare period of downtime for the ransomware gang’s leak blog that started on December 7 and persisted for more than two days before coming back with all victims erased.

The domain has not changed but Yelisey Bohuslavkiy, chief research officer at threat intelligence company RedSense, said at the time that BlackCat’s affiliates and initial access brokers were convinced the outage was caused by a law enforcement takedown.

Bohuslavkiy went on to say that leaders at rival ransomware outfits were also of the same opinion before he highlighted the lack of an explanation provided by BlackCat.

Brett Callow, threat analyst at Emsisoft, told The Register that the seizure likely marks the end of the AlphV group as the industry knows it, but like others before, the group will probably return under a new guise.

“While a replacement domain has been created, AlphV’s partners in crime will be wondering whether it’s a honeypot set up by law enforcement,” he said. “Realistically, it’s very unlikely that any crims will want to continue working with an incompetent outfit which has a history of opsec. It’s just too risky.

“They’ll already be worried about whether any of the information law enforcement obtained during its operation can point to their real-world identities.

“Alas, while this is likely the end for the AlphV brand, the individuals behind it will probably start up a new one. The only question is, what will they call themselves next?”

A spokesperson for the UK’s National Crime Agency (NCA) said in a statement to The Register: “Ransomware is the most significant cyber threat globally, and ALPHV/BLACKCAT is one of the most damaging ransomware strains to have impacted the UK in recent months.

“The NCA, alongside the Eastern Region Special Operations Unit, worked closely with the FBI and other international partners over the past year, sharing intelligence which contributed to the disruption of this criminal group.

“We continue to support UK-based victims of ALPHV attacks and would encourage anyone who thinks they have been targeted to come forward and report it.

“Further support and advice on protecting yourself from ransomware can be found at NCSC.gov.uk.” ®