Space & Technology World

FBI Takes Down BlackCat Ransomware, Releases Free Decryption Tool

In a significant move, the U.S. Justice Department (DoJ) has officially declared the disruption of the notorious BlackCat ransomware operation, unveiling a decryption tool that over 500 affected victims can now use to regain access to files previously locked by the malware.

Court documents reveal that the U.S. Federal Bureau of Investigation (FBI) orchestrated a strategic intervention by enlisting a confidential human source (CHS) to operate as an affiliate within the BlackCat group. This unconventional approach allowed the FBI to gain access to the gang's web panel, essentially hacking the hackers themselves.

The operation witnessed a collaborative effort involving law enforcement agencies from the U.S., Germany, Denmark, Australia, the U.K., Spain, Switzerland, and Austria.

Initially emerging in December 2021 under aliases such as ALPHV, GOLD BLAZER, and Noberus, BlackCat quickly rose to become the world's second most prolific ransomware-as-a-service variant after LockBit. Notably, it marked the first appearance of a Rust-language-based ransomware strain in the wild.

The conclusion of this operation confirms earlier speculation of law enforcement action, sparked when BlackCat's dark web leak portal went offline on December 7, only to resurface five days later with a sole victim.

Working closely with numerous victims in the U.S., the FBI deployed the decryptor, sparing them from ransom demands totaling approximately $68 million. The agency also gained valuable insights into the ransomware network, acquiring 946 public/private key pairs that were instrumental in dismantling the TOR sites operated by the group.

It is crucial to note that creating a hidden service with a .onion URL on the TOR network involves generating a unique key pair: whoever holds the private key controls the address, which is why seizing the key pairs let investigators take over the sites. BlackCat, like other ransomware groups, employed a ransomware-as-a-service model, combining core developers with affiliates who rented the payload and targeted high-value victim institutions. The group also employed the double extortion scheme, adding pressure on victims by exfiltrating sensitive data before encryption.

According to the DoJ, BlackCat affiliates gained initial access to victim networks through various methods, including leveraging compromised user credentials.

Estimates suggest that this financially motivated actor compromised over 1,000 victims worldwide, accumulating nearly $300 million in illegal revenues by September 2023.

Despite the takedown, rival groups like LockBit are quick to seize opportunities. LockBit is actively recruiting displaced BlackCat affiliates, even offering its data leak site to resume victim negotiations.

In response to the intervention, a BlackCat spokesperson stated that they have relocated servers and blogs. The group claims that law enforcement agencies only had access to an outdated key for the old blog site, which had been deleted long ago.

While the threat actor's newest leak website remains operational, the FBI has successfully re-seized the main leak site. In a retaliatory move, BlackCat has given affiliates permission to target critical infrastructure entities, excluding those within the Commonwealth of Independent States (CIS). The FBI has since regained control of the website.

In a candid conversation with vx-underground, a LockBit administrator expressed concerns about security loopholes in their infrastructure, labeling them as a primary threat to their business in the wake of this unfolding situation.

About the Author

Aditya Kumar is a Defense & Geopolitics Analyst covering military developments, missile systems, naval strategy, and global defense affairs.