
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

ALPHV/BlackCat Claims Healthcare Restrictions Removed for Affiliates

In response to the law enforcement operation that resulted in the seizure of its websites, the ALPHV/BlackCat ransomware group has removed virtually all restrictions on affiliates and said discounts and extensions have stopped, and patient data will now be published on its leak site.

The Department of Justice (DoJ) recently announced that the Federal Bureau of Investigation was able to gain access to the infrastructure of the ALPHV/BlackCat ransomware group, which allowed it to seize the websites used for communication, data leaks, and negotiations and obtain the decryption keys to help around 500 victims recover from attacks. The decryption tool developed by the FBI has saved around $68 million in ransom payments, according to the DoJ.

According to the search warrant, the FBI engaged with a confidential human source (CHS) to sign up to become an affiliate of the group. After an interview with the operators, the CHS was provided with credentials to access the backend affiliate portal, thus giving the FBI access to the portal. The FBI was able to obtain 946 public/private key pairs for the group’s Tor sites that were used to host victim communication sites, leak sites, and affiliate panels.

Updated ALPHV/BlackCat Cybersecurity Advisory Published

A joint cybersecurity advisory has been issued by the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) that updates their April 2022 advisory about ALPHV. The latest advisory includes updated information on the tactics, techniques, and procedures (TTPs) associated with the group and Indicators of Compromise (IoCs) from FBI investigations as recently as December 6, 2023. Healthcare organizations are strongly advised to implement the recommended mitigations because, while the law enforcement operation was a success and caused disruption, the ALPHV group claims it is still operational. Based on its response, the group has now decided to play hardball.


ALPHV Responds by Removing Restrictions

ALPHV is also able to access its sites and responded with an update of its own, stating on its leak site that the website has been unseized. The group provided its side of the story, claiming that the FBI only gained access to the decryption keys from the previous month and a half – around 400 victims. The group said it has attacked more than 3,000 companies and that as a result of the FBI’s actions, the decryption keys for those will never be released.

In the angry message, the group said it has now removed all but one of the restrictions for affiliates. Affiliates will still not be permitted to conduct any attacks on targets in the Commonwealth of Independent States, but all other restrictions have been removed. “You can now block hospitals, nuclear power plants, anything and anywhere,” wrote the group. In the post, ALPHV said it will no longer offer discounts on ransom demands, will not provide any time extensions, and that if patient data is stolen, it will no longer be removed and will be uploaded to its data leak site. The group also claimed it will always notify the SEC and the HHS in the event of no initial contact.

A rebrand may still be on the cards, but based on the response, the group is still operational and now plans to be even more vindictive. ALPHV said if victims do not make contact before they are added to its blog, stolen data will be leaked and the families of executive teams and employees will be harassed – “even your young children are not exempt,” wrote ALPHV.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
