Info@NationalCyberSecurity

FBI leads Alphv/BlackCat takedown, decrypts victims’ data


Using a confidential informant and a decryption tool it developed itself, law enforcement has disrupted the notorious Alphv/BlackCat ransomware gang.

In a press release Tuesday, the Department of Justice (DOJ) announced a coordinated takedown of BlackCat operations led by the FBI with involvement from Europol and authorities from Germany, Denmark, Australia, Spain, the United Kingdom, Austria and Switzerland. During the disruption campaign, the FBI developed a decryption tool to help affected victims and, aided by an informant, seized several BlackCat-operated websites.

“Over the past 18 months, ALPHV/Blackcat has emerged as the second most prolific ransomware-as-a-service variant in the world based on the hundreds of millions of dollars in ransoms paid by victims around the world,” the Justice Department wrote in the press release. “Due to the global scale of these crimes, multiple foreign law enforcement agencies are conducting parallel investigations.”

Victims range from government entities and healthcare organizations to schools, defense industrial base companies and critical manufacturing facilities. Two of the gang’s more recent victims include MGM Resorts and Henry Schein Inc., a healthcare organization that suffered two BlackCat attacks in just one month.

To seize the websites, the FBI engaged an informant, or “confidential human source,” who applied to become a BlackCat affiliate by answering several technical proficiency questions, according to a search warrant unsealed Tuesday. Once the informant was accepted as an affiliate and gained privileged access to the group’s website, the credentials were handed over to the FBI.

The search warrant, filed in the Southern District of Florida on December 11, revealed what the FBI discovered using that privileged access.

“During this investigation, law enforcement gained visibility into the Blackcat Ransomware Group’s network. As a result, the FBI identified and collected 946 public/private key pairs for Tor sites that the Blackcat Ransomware Group used to host victim communication sites, leak sites and affiliate panels like the one described above,” the FBI wrote in the search warrant.

Like other ransomware-as-a-service gangs, BlackCat operates a public leak site used to pressure victims into paying; the site is also used for ransom negotiations. The informant’s access gave the FBI a deeper view of the operation than the public site alone: the FBI found that BlackCat ran Tor-based web panels where affiliates and developers planned attacks out of public view, using them to manage every stage of an attack, from ransomware deployment and negotiations to the decryption of victim data.

“From the Campaigns screen, affiliates can see the victim entity, full ransom price demanded, discount ransom price, expiration date, cryptocurrency addresses, cryptocurrency transactions, type of computer system compromised, ransom demand note, chats with the victims and more,” the warrant read. “These features allow affiliates to engage the victim throughout the entire negotiation process.”

Decrypting data

In addition to seizing BlackCat-operated websites, the FBI revealed it also developed a decryption tool to help BlackCat victims recover from attacks without paying a ransom. The tool was offered to more than 500 affected victims globally, and the FBI said it has worked with dozens of U.S. and international victims so far.

The DOJ estimated the tool saved victims roughly $68 million in ransom demands. In a statement in the press release, Deputy Attorney General Lisa Monaco said the decryptor was used to bring businesses, schools, healthcare providers and emergency services back online.

The FBI is offering a reward for information on BlackCat and its affiliates.

In a series of posts to X, formerly Twitter, on Tuesday, VX-Underground revealed that BlackCat had already created another website in response to the FBI takedown. The cybersecurity research collective, which said it was in communication with the gang’s operators, also outlined a timeline. It showed BlackCat’s primary domain was taken offline on Dec. 10, but the administrator attributed the outage to a hardware failure. Rumors of law enforcement action began circulating the same day, but the operators denied them.

During communications with VX-Underground Tuesday, BlackCat claimed the site taken down by the FBI was an old domain.

“ALPHV has…unseized their domain? They claim the FBI compromised one of their domain controllers. Additionally, they state they are removing all rules from their affiliate program (omit the rule on targeting the CIS) allowing affiliates to target critical infrastructure,” VX-Underground wrote on X.

Alexander Leslie, threat researcher at Recorded Future, said the effectiveness of the takedown remains to be seen. While he believes it will significantly disrupt BlackCat’s administration and operations in the short term, there are multiple factors to consider for any lasting results.

For one, he highlighted BlackCat’s claims that it is continuing operations and has “unseized” its primary blog from law enforcement. The site now redirects visitors to a new blog. On the other hand, Leslie said the disruption campaign could significantly damage BlackCat’s credibility, since its long-term stability depends on retaining affiliates. Being infiltrated by an informant and taken down by government action will likely hurt the gang’s reputation, which Leslie said could be difficult to recover from.
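The warrant’s mention of 946 public/private key pairs for Tor sites, and the later tug-of-war over whether the blog was “seized” or “unseized,” both come down to one property of v3 onion services: the hostname is derived directly from the service’s ed25519 public key, so whoever holds a copy of the private key can publish under that address. The following is an added illustration written for this page, not code from the FBI, the warrant or BlackCat. It derives a v3 .onion hostname from a public key and validates one, using the format Tor specifies (base32 of key, 2-byte SHA3-256 checksum and version byte 0x03). The sample key is a constructed 32-byte value, not a real key from the case.

```python
import base64
import hashlib

# Version byte of the current (v3) onion address format.
ONION_VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"


def onion_address(pubkey: bytes) -> str:
    """Derive the v3 .onion hostname from a 32-byte ed25519 public key.

    address  = base32(pubkey || checksum || version) + ".onion"
    checksum = sha3_256(".onion checksum" || pubkey || version)[:2]
    """
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    checksum = hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_VERSION).digest()[:2]
    label = base64.b32encode(pubkey + checksum + ONION_VERSION).decode("ascii").lower()
    return label + ".onion"


def parse_onion_address(addr: str) -> bytes:
    """Validate a v3 .onion hostname and return the embedded public key.

    Raises ValueError for anything that is not a well-formed v3 address,
    which is how a client notices a mistyped or tampered hostname.
    """
    label = addr.strip().lower()
    if label.endswith(".onion"):
        label = label[: -len(".onion")]
    if len(label) != 56:
        raise ValueError("v3 onion labels are exactly 56 base32 characters")
    try:
        raw = base64.b32decode(label.upper())
    except Exception as exc:  # binascii.Error on bad characters
        raise ValueError("invalid base32 in onion address") from exc
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:35]
    if version != ONION_VERSION:
        raise ValueError("unsupported onion address version")
    expected = hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + version).digest()[:2]
    if checksum != expected:
        raise ValueError("onion address checksum mismatch")
    return pubkey


def same_service(addr_a: str, addr_b: str) -> bool:
    """True if two hostnames name the same service, i.e. the same key pair.

    The address is the key. Two parties holding copies of one private key
    both control the same hostname, and the onion service directories will
    accept a descriptor signed by either of them, so a site can be "seized"
    by publishing a seizure banner under the key and "unseized" by the
    original operator republishing, with nothing transferred either way.
    """
    return parse_onion_address(addr_a) == parse_onion_address(addr_b)


# Constructed sample key for demonstration only (not a real BlackCat key).
SAMPLE_PUBKEY = bytes(range(32))


if __name__ == "__main__":
    addr = onion_address(SAMPLE_PUBKEY)
    print(addr)
    print(parse_onion_address(addr) == SAMPLE_PUBKEY)
```

Because the version byte 0x03 always lands in the last base32 character, every valid v3 address ends in “d.onion”; the parser above rejects any other final character, and the checksum catches corruption elsewhere in the label. Holding a key pair from the 946 collected therefore means being able to stand up a site at that address, which is exactly what both sides of the “unseized” claim were doing.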

The group may respond by offering affiliates financial incentives or by implementing new rules related to negotiations and payment discounts. Other actions may include the targeting of more critical entities that could be more compelled to pay, Leslie added.

“But if law enforcement is able to effectively distribute decryption tools to future victims and continues to maintain visibility into the group’s operations—these consequences may never be seen. I don’t think it’s unrealistic to predict that Alphv might undergo a voluntary shutdown, rebranding, or splintering as a result of this law enforcement action,” Leslie said.

Jon DiMaggio, chief security strategist at threat intelligence vendor Analyst1, said Tuesday’s takedown effort was very effective and, like Leslie, pointed to its effect on the group’s reputation: if affiliates are afraid to trust BlackCat and its infrastructure, they won’t work for it. A lack of affiliates would hurt the group’s ability to conduct attacks, he added.

“Even though the group has already stood up other infrastructure, the read I get from the underground forums frequented by ransomware actors and affiliates is that they are concerned BlackCat is compromised which will certainly affect the program,” DiMaggio said.

This month’s BlackCat server takedown is the latest in a series of government actions to quell ransomware as the number of attacks continues to mount. In late November, Europol announced that a coordinated effort had led to the arrest of an alleged ransomware gang leader and four accomplices. The affiliate group had been active since 2018 and leveraged the LockerGoga, MegaCortex, Hive and Dharma ransomware strains. They were allegedly responsible for $82 million in losses for victim organizations.

TechTarget Editorial contacted the FBI for additional information but a spokesperson said they had no further comment.

Arielle Waldman is a Boston-based reporter covering enterprise security news.


