
FBI develops decryptor for BlackCat ransomware, seizes gang’s website

The FBI created a decryption tool for the ransomware used by the gang known as BlackCat and/or AlphV, as part of a wider disruption campaign against the extortionists.

The existence of the decryptor was revealed in a Tuesday announcement by the United States Department of Justice that reports the FBI has offered the tool to over 500 orgs and believes $68 million of ransom payments were avoided as a result.

The announcement came hours after one of BlackCat’s dark web presences was overwritten with a seizure notice indicating an FBI-led operation had shuttered the online outpost.

That Tor-hidden blog, which ordinarily lists newly infected victims, went offline briefly earlier this month. At the time it was not known why the outage occurred, though it was suspected that law enforcement had somehow derailed the crew's activities.

It now looks as though that’s exactly what happened: an unsealed affidavit [PDF] filed in support of an application for a search warrant states that US authorities “gained visibility into the BlackCat Ransomware Group’s network” as well as extensive knowledge of its dark-web assets. The Feds said they were able to access 946 public-private key pairs for Tor-hidden sites the BlackCat gang used to communicate with victims and host its blog, plus the sites used to host leaked data and the control panels affiliates used to orchestrate malware infections.

In other words, it sounds as though the Feds were not only able to seize and shut down the ransomware-as-a-service crew’s dark-web presence, agents also obtained enough internal info to provide decryption assistance to victims. The US Dept of Justice in its court paperwork talks of using a confidential human source to gain access to an affiliate-level control panel for the malware, and investigating from there, for instance.


Seizure notice placed by the FBI on AlphV/BlackCat’s dark-web blog

The FBI operation was carried out in partnership with the plod in the UK and Australia, and Europol. Their probe into AlphV is ongoing, and authorities have advised that a reward may be offered for further information about the crew.

Nine lives

BlackCat has laughed off the campaign.

The gang, believed to be Russian, today boasted it had “unseized” its main dark-web site by pointing it at a web server it controls, rather than an FBI one. The crew has already used its restored blog to name new alleged victims of its ransomware.

It's understood AlphV and the FBI both hold the private key for the main site's .onion address. A v3 .onion address is derived from the service's public key, so whoever holds the matching private key can publish a fresh hidden-service descriptor and point the address at servers of their choosing. That is why either side can take control of the site at any time, and all through the day the two have been wrestling control of the dark-web site back and forth.
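To show why holding the key is the same as owning the address, here is an added example (not code from The Register, the FBI or the BlackCat crew) that derives a v3 .onion address from a 32-byte ed25519 public key following the Tor rend-spec-v3 encoding (base32 of public key, a two-byte SHA3-256 checksum and a version byte), and parses one back. The sample key bytes are constructed for the demonstration and are not an address connected to this story; `tamper_checksum` is a helper written for this example to show that an address with a bad checksum is rejected.

```python
import base64
import hashlib

ONION_VERSION = b"\x03"              # v3 onion address format version byte
CHECKSUM_PREFIX = b".onion checksum"  # fixed string from rend-spec-v3
ED25519_PUBKEY_LEN = 32


def _checksum(pubkey: bytes) -> bytes:
    """Two-byte checksum binding the public key and version into the address."""
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_VERSION).digest()[:2]


def onion_address_from_pubkey(pubkey: bytes) -> str:
    """Derive the v3 .onion address for an ed25519 public key.

    Because the address is a pure function of the public key, anyone holding
    the matching private key can publish a descriptor for this address and
    direct visitors wherever they like; there is no separate "registration".
    """
    if len(pubkey) != ED25519_PUBKEY_LEN:
        raise ValueError("v3 onion services use a 32-byte ed25519 public key")
    raw = pubkey + _checksum(pubkey) + ONION_VERSION      # 35 bytes -> 56 base32 chars
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def pubkey_from_onion_address(address: str) -> bytes:
    """Validate a v3 .onion address and return the embedded public key.

    Raises ValueError on a malformed address, wrong version or bad checksum.
    """
    if not address.endswith(".onion"):
        raise ValueError("not a .onion address")
    label = address[: -len(".onion")]
    if len(label) != 56:
        raise ValueError("v3 onion labels are exactly 56 base32 characters")
    raw = base64.b32decode(label.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_VERSION:
        raise ValueError("unsupported onion address version")
    if checksum != _checksum(pubkey):
        raise ValueError("checksum mismatch")
    return pubkey


def tamper_checksum(address: str) -> str:
    """Example-only helper: flip the checksum bytes of a valid address so the
    result looks well-formed but fails validation."""
    label = address[: -len(".onion")]
    raw = bytearray(base64.b32decode(label.upper()))
    raw[32] ^= 0xFF
    raw[33] ^= 0xFF
    return base64.b32encode(bytes(raw)).decode("ascii").lower() + ".onion"


if __name__ == "__main__":
    # Constructed 32-byte value standing in for an ed25519 public key.
    sample_pubkey = bytes(range(32))
    addr = onion_address_from_pubkey(sample_pubkey)
    print("derived address:", addr)
    print("round-trips to same key:", pubkey_from_onion_address(addr) == sample_pubkey)
    try:
        pubkey_from_onion_address(tamper_checksum(addr))
    except ValueError as exc:
        print("tampered address rejected:", exc)
```

Two parties holding the same private key derive the same address and can each publish a valid descriptor; the Tor network simply serves whichever descriptor was published most recently, which is what the tug of war described above looks like in practice.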

The initial seizure followed, as we said, a rare period of downtime for the ransomware gang’s dark-web blog that started on December 7 and persisted for more than two days before mysteriously reappearing without a list of previous victims.

Yelisey Bohuslavkiy, chief research officer at threat intelligence company RedSense, at the time suggested BlackCat’s affiliates and initial access brokers were convinced the outage was caused by a law enforcement takedown.

Bohuslavkiy went on to say that leaders at rival ransomware outfits held the same opinion before he highlighted the lack of an explanation provided by BlackCat.

Brett Callow, threat analyst at Emsisoft, told The Register today the seizure likely marks the end of the BlackCat group in its current form – but it will probably return in a new guise.

“While a replacement domain has been created, AlphV’s partners in crime will be wondering whether it’s a honeypot set up by law enforcement,” he predicted. “Realistically, it’s very unlikely that any crims will want to continue working with an incompetent outfit which has a history of opsec. It’s just too risky.

“They’ll already be worried about whether any of the information law enforcement obtained during its operation can point to their real-world identities.

“Alas, while this is likely the end for the AlphV brand, the individuals behind it will probably start up a new one. The only question is, what will they call themselves next?”

In a statement sent to The Register, a spokesperson for the UK’s National Crime Agency (NCA) wrote: “Ransomware is the most significant cyber threat globally, and AlphV/BlackCat is one of the most damaging ransomware strains to have impacted the UK in recent months.

“The NCA, alongside the Eastern Region Special Operations Unit, worked closely with the FBI and other international partners over the past year, sharing intelligence which contributed to the disruption of this criminal group.

“We continue to support UK-based victims of ALPHV attacks and would encourage anyone who thinks they have been targeted to come forward and report it. Further support and advice on protecting yourself from ransomware can be found at”

This is a breaking story. The Register is expecting further input from the UK’s National Crime Agency (NCA) and will update the article when new information becomes available. ®