The takedown of the ALPHV/BlackCat ransomware group’s leak site has been confirmed as a result of global law enforcement action.
The FBI is now urging over 500 of the group’s victims to come forward to receive a decryption key that will enable them to restore their systems.
A notice on the notorious Ransomware-as-a-Service (RaaS) group’s website states that ‘This Website Has Been Seized.’
It adds: “The Federal Bureau of Investigation seized this site as part of a coordinated law enforcement action taken against ALPHV Blackcat Ransomware.”
The US Department of Justice (DoJ) confirmed the law enforcement disruption campaign in a statement on December 19, 2023.
The DoJ revealed that the FBI has worked with dozens of victims in the US and internationally to develop a decryption tool, which it believes has saved multiple victims from ransom demands totaling approximately $68m.
Tim West, Head of Cyber Threat Intelligence at WithSecure, commented: "There is no doubt that this action was incredibly complex and coordinated, and required a significant amount of planning and collaboration. It will almost certainly damage the Blackcat/AlphV brand, perhaps beyond repair."
More Websites Seized
Through the investigation, the FBI has gained more visibility into the BlackCat group’s computer network, enabling it to seize several more websites it operates.
Deputy Attorney General Lisa O. Monaco commented: “With a decryption tool provided by the FBI to hundreds of ransomware victims worldwide, businesses and schools were able to reopen, and health care and emergency services were able to come back online. We will continue to prioritize disruptions and place victims at the center of our strategy to dismantle the ecosystem fueling cybercrime.”
Acting Assistant Attorney General Nicole M. Argentieri of the Justice Department’s Criminal Division vowed to continue the investigation and pursue those behind BlackCat until they are brought to justice.
“Criminal actors should be aware that the announcement today is just one part of this ongoing effort,” she warned.
The DoJ also recognized the critical cooperation of Europol and German and Danish law enforcement in the action, alongside other national police agencies.
It was first reported in early December 2023 that BlackCat was experiencing online disruption, which cybersecurity commentators quickly attributed to law enforcement action.
Cybersecurity Expert Analysis on BlackCat Takedown
On December 18, ZeroFox released an analysis of BlackCat’s activities from January 2022 to October 2023, finding that it was the second-most leveraged strain in North America and Europe over the period, behind only LockBit. Meanwhile, WithSecure found the BlackCat group to be responsible for 8.82% of attacks in 2023.
While welcoming the takedown of the group’s leak site, Daniel Curtis, Senior Intelligence Analyst at ZeroFox, emphasized that it will likely only result in a temporary suppression of the threat from its operatives.
“If unable to continue deploying the strain, ALPHV affiliates will very likely quickly pivot to other R&DE offerings and continue targeting victims at scale and at pace,” he noted.
Michael McPherson, SVP of Technical Operations at ReliaQuest and a former FBI special agent, said the law enforcement action is a body blow to the ransomware ecosystem but by no means a knockout punch.
“In the aftermath of such large-scale law enforcement disruptions, uncertainty permeates criminal organizations. In previous similar cases, the targeting of a ransomware group has typically resulted in operations ceasing, before members moved to other ransomware programs, or formed new groups. It is likely that this will spell the end of ALPHV as a criminal outfit. However, as noteworthy as this disruption is, there is no mention of any corresponding arrests,” he commented.
Nevertheless, McPherson believes the potential permanent removal of ALPHV is likely to be a significant short-term disruption to ransomware globally.
However, WithSecure's West commented: "Although diminished, ALPHV/Black Cat will likely hit corporations as they did in 2023, and from our research, we know that new ransomware groups form when the more established groups feel the squeeze from law enforcement."
Experts also lauded the US government's support for victims of BlackCat, which Raj Samani, SVP and Chief Scientist at Rapid7 said is a vital component of disincentivizing other ransomware attackers.
"In all cases of cybercrime, it is vital to never pay the ransom. It’s therefore great to see proactive support from the US government through the FBI’s free decryption tool to restore systems. Providing proactive solutions not only works to undercut the economic incentive for such attacks, but reminds victims that when cybercrime is reported it is taken seriously, and international law enforcement are working to disrupt these groups,” he outlined.