The BlackCat Ransomware Escalates Operations Following FBI Intervention – Krebs on Security

The FBI has recently revealed that it has successfully infiltrated the notorious Russia-based ransomware gang known as ALPHV and BlackCat. The agency seized the gang’s darknet website and provided a decryption tool to over 500 affected victims, allowing them to restore their systems.

The news of possible law enforcement action against BlackCat first emerged in early December, after the ransomware group’s darknet site went offline for approximately five days. The site was eventually restored, but earlier today, it was replaced with an FBI seizure notice. Federal prosecutors in Florida also released a search warrant detailing how FBI agents gained access to and disrupted the group’s operations.

In response to the FBI’s actions, BlackCat briefly regained control over its darknet server and released a statement promising 90 percent commissions for affiliates who continue to work with the group. Additionally, the group declared open season on everything from hospitals to nuclear power plants, removing any restrictions or discouragement against targeting critical infrastructure.

The Department of Justice released a statement on the operation, explaining that the FBI-developed decryption tool allowed businesses, schools, and health care services to reopen and come back online. Since its formation 18 months ago, BlackCat has targeted the computer networks of over 1,000 victim organizations, in attacks that typically involve encryption and theft of data.

BlackCat operates under the “ransomware-as-a-service” model, where development teams maintain and update the ransomware code, and affiliates are incentivized to attack high-value targets. The group was formed by recruiting operators from other ransomware organizations, including REvil, BlackMatter, and DarkSide, the group responsible for the Colonial Pipeline attack in May 2021.

The crime group’s darknet site currently displays the FBI seizure notice. However, both the FBI and BlackCat hold the private keys associated with the Tor hidden service URL for BlackCat’s victim shaming and data leak site, and whoever holds those keys can publish a site at that address. As a result, control over the URL is expected to pass back and forth in the coming days.

The DOJ is offering a reward of up to $10 million for information about BlackCat affiliates or their activities through the State Department’s “Rewards for Justice” program. The program accepts submissions through a Tor-based tip line.

Overall, the FBI’s successful infiltration of BlackCat and the disruption of its operations have provided hundreds of victims with the ability to restore their systems. However, with the group’s response promising increased commissions for affiliates and open season on critical infrastructure, the situation is likely to continue evolving in the coming days.
