The U.S. Justice Department (DoJ) has officially announced the disruption of the BlackCat ransomware operation and released a decryption tool that victims can use to regain access to files locked by the malware.
Court documents show that the U.S. Federal Bureau of Investigation (FBI) enlisted the help of a confidential human source (CHS) to act as an affiliate for the BlackCat and gain access to a web panel used for managing the gang’s victims, in what’s a case of hacking the hackers.
BlackCat, also called ALPHV and Noberus, first emerged in December 2021 and has since gone on to be the second most prolific ransomware-as-a-service variant in the world after LockBit. It’s also the first Rust-language-based ransomware strain spotted in the wild.
The development puts an end to speculations of a rumored law enforcement action after its dark web leak portal went offline on December 7, only to resurface five days later with just a single victim.
The FBI said it worked with dozens of victims in the U.S. to implement the decryptor, saving them from ransom demands totaling about $68 million and that it also gained insight into the ransomware’s computer network, allowing it to collect 946 public/private key pairs used to host the TOR sites operated by the group and dismantle them.
BlackCat, like several other ransomware gangs, uses a ransomware-as-a-service model involving a mix of core developers and affiliates, who rent out the payload and are responsible for identifying and attacking high-value victim institutions.
It also employs the double extortion scheme to put pressure on victims to pay up by exfiltrating sensitive data prior to encryption.
“BlackCat affiliates have gained initial access to victim networks through a number of methods, including leveraging compromised user credentials to gain initial access to the victim system,” the DoJ said.
In all, the financially motivated actor is estimated to have compromised the networks of more than 1,000 victims globally to earn hundreds of millions of dollars in illegal revenues.
Image Source: Resecurity |
If anything, the takedown has proven to be a blessing in disguise for rival groups like LockBit, which is already capitalizing on the situation by actively recruiting displaced affiliates, offering its data leak site to resume victim negotiations.