
ALPHV/BlackCat Ransomware Operation Disrupted by FBI

The ALPHV/BlackCat ransomware group has been disrupted by the Federal Bureau of Investigation, in partnership with Europol and law enforcement agencies in Denmark, Germany, Australia, Spain, Austria, the Netherlands, and the United Kingdom, in coordination with the United States Attorney’s Office for the Southern District of Florida and the Computer Crime and Intellectual Property Section of the Department of Justice.

The ALPHV/BlackCat ransomware group first emerged in November 2021 and became one of the most prolific ransomware groups of recent years, second only to the LockBit ransomware group. ALPHV/BlackCat is a ransomware-as-a-service (RaaS) operation: affiliates conduct the intrusions and deploy the ransomware, and the core group takes a cut of any ransoms they generate. In its two years of operation, the group has claimed more than 1,000 victims worldwide and has collected hundreds of millions of dollars in ransom payments.

In early December 2023, the group’s Tor negotiation and data leak sites went offline, which led several security researchers to suggest that the group may have been the subject of a law enforcement operation. A spokesperson for the group denied those claims and said the websites were down due to a hosting issue. However, the U.S. Department of Justice (DoJ) has now confirmed that the outage was due to a law enforcement operation in which the FBI successfully gained access to ALPHV’s infrastructure.

The law enforcement operation had been under way for several months. After breaching the servers, the FBI silently monitored operations and was able to obtain decryption keys, which allowed the FBI to develop a decryption tool that has helped more than 500 ALPHV victims decrypt their data without paying the ransom. According to the DoJ, the decryption tool has prevented around $68 million in ransom payments. The FBI was also able to seize the ALPHV data leak site, which now displays a banner stating that the domain has been seized as part of an international law enforcement operation. The FBI obtained 946 public and private key pairs for the group’s affiliate panel, communication sites, and Tor sites that supported its operations.
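The key pairs matter because of how Tor onion services work: a v3 .onion hostname is derived directly from the service’s ed25519 public key, so whoever holds the matching private key can publish a service descriptor for that exact address. Seizing the key pairs is what let the FBI serve its banner at the group’s own address, and it is also why the group could not simply “move” the address elsewhere. The following is an added example (not code from the article or from any law enforcement tool) that derives and validates a v3 onion hostname from a public key using the construction in the Tor rend-spec-v3; the 32-byte sample key is constructed for illustration and does not belong to any real service.

```python
import base64
import binascii
import hashlib

# From the Tor v3 onion service spec (rend-spec-v3, section 6):
#   onion_address = base32(PUBKEY || CHECKSUM || VERSION) + ".onion"
#   CHECKSUM      = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
# PUBKEY is the service's 32-byte ed25519 public key; VERSION is 0x03.
ONION_VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"

# Constructed sample key for the demo (assumption: not a real service's key).
SAMPLE_PUBKEY = bytes.fromhex(
    "1a2b3c4d5e6f708192a3b4c5d6e7f8091a2b3c4d5e6f708192a3b4c5d6e7f809"
)


def onion_checksum(pubkey: bytes) -> bytes:
    """Two-byte checksum binding the public key to the v3 version byte."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be exactly 32 bytes")
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_VERSION).digest()[:2]


def encode_onion(pubkey: bytes, checksum=None) -> str:
    """Derive the 56-character v3 .onion hostname from a 32-byte public key.

    `checksum` may be supplied explicitly (used below to build a deliberately
    corrupted address); normally it is computed from the key.
    """
    if checksum is None:
        checksum = onion_checksum(pubkey)
    raw = pubkey + checksum + ONION_VERSION  # 35 bytes -> exactly 56 base32 chars
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def decode_onion(address: str) -> bytes:
    """Return the public key embedded in a v3 .onion address, or raise if malformed.

    Recomputing the checksum is the integrity check: an address whose checksum
    does not match its embedded key cannot have been produced from that key.
    """
    host = address.lower().removesuffix(".onion")
    if len(host) != 56:
        raise ValueError("v3 onion hostnames are exactly 56 base32 characters")
    raw = base64.b32decode(host.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:35]
    if version != ONION_VERSION:
        raise ValueError("not a v3 onion address")
    if checksum != onion_checksum(pubkey):
        raise ValueError("checksum mismatch: address does not match embedded key")
    return pubkey


def is_valid_onion(address: str) -> bool:
    """True only for a syntactically valid v3 address with a consistent checksum."""
    try:
        decode_onion(address)
        return True
    except (ValueError, binascii.Error):
        return False


if __name__ == "__main__":
    addr = encode_onion(SAMPLE_PUBKEY)
    print("derived address:", addr)
    print("round-trips to same key:", decode_onion(addr) == SAMPLE_PUBKEY)
    # Tamper with the checksum bytes: the address no longer validates.
    bad = encode_onion(SAMPLE_PUBKEY, bytes(b ^ 0xFF for b in onion_checksum(SAMPLE_PUBKEY)))
    print("tampered address valid:", is_valid_onion(bad))
```

Because the address is a function of the public key, there is no registrar to petition and no DNS record to redirect: control of an onion site is exactly control of its private key, which is why obtaining the key pairs (rather than only taking the hosting offline) gave law enforcement the address itself.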


ALPHV/BlackCat started out under the name DarkSide in the summer of 2020 and was behind the ransomware attack on Colonial Pipeline in May 2021. The high-profile attack on a U.S. critical infrastructure organization attracted considerable attention from law enforcement, and the group promptly shut down its operation and reformed under the name BlackMatter. In June 2021, the Department of Justice announced that it had seized $2.3 million in cryptocurrency from the DarkSide affiliate responsible for the attack. The BlackMatter operation was short-lived: it was shut down in November 2021 after a decryptor was developed and law enforcement seized its servers, and it was immediately replaced with ALPHV/BlackCat, which remained highly active until the recent takedown.

“Today’s announcement highlights the Justice Department’s ability to take on even the most sophisticated and prolific cybercriminals,” said U.S. Attorney Markenzy Lapointe for the Southern District of Florida. “As a result of our office’s tireless efforts, alongside FBI Miami, U.S. Secret Service, and our foreign law enforcement partners, we have provided Blackcat’s victims, in the Southern District of Florida and around the world, the opportunity to get back on their feet and to fortify their digital defenses. We will continue to focus on holding the people behind the Blackcat ransomware group accountable for their crimes.”

“This is a huge win for law enforcement and the community. ALPHV was one of the most active ransomware-as-a-service (RaaS) programs and they worked with both Russian affiliates and English-speaking western affiliates,” Charles Carmakal, Mandiant Consulting CTO, Google Cloud, told The HIPAA Journal. “Some of the ALPHV affiliates are still active, however, including UNC3944 (Scattered Spider). We expect some affiliates will continue their intrusions as normal, but they will likely try to establish relationships with other RaaS programs for encryption, extortion, and victim shaming support.”

Update: December 20, 2023

The FBI and CISA have released an updated cybersecurity advisory on ALPHV/BlackCat. The group has responded to the law enforcement operation, claims it is still active, and is now playing hardball.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
