ALPHV/BlackCat operation down, but maybe not out
Multinational law enforcement has targeted the operations of the notorious ALPHV/BlackCat cyber extortion gang, but the group’s members appear to remain defiant
A multinational, US-led operation has disrupted the operations of the ALPHV/BlackCat ransomware-as-a-service (RaaS) cartel, capping almost two weeks of speculation about the fate of the notorious cyber extortion operation, but at the same time causing more uncertainty as gang members move to minimise the impact.
A lengthy period of downtime for the BlackCat operation earlier in December had prompted speculation across the cyber security research community that the criminal gang had been disrupted or taken down by law enforcement agencies.
The gang’s Tor-based leak site first became inaccessible on Thursday 7 December and the outage persisted for several days, although for well over a week no law enforcement agency made any statement in regard to an action against the gang, which maintained that it was experiencing technical issues.
According to the takedown notice that initially replaced the gang’s leak site, the operation against BlackCat encompassed agencies from around the world, including Australia, Austria, Denmark, Germany, Spain, Switzerland and the UK’s National Crime Agency (NCA).
At the same time, tech experts at the FBI have developed a decryption tool for the gang’s ransomware locker, which has now been distributed to over 500 affected victims. According to the US Department of Justice, this has likely saved about $68m in ransom payments already.
“In disrupting the BlackCat ransomware group, the Justice Department has once again hacked the hackers,” said US deputy attorney general Lisa Monaco.
“With a decryption tool provided by the FBI to hundreds of ransomware victims worldwide, businesses and schools were able to reopen, and healthcare and emergency services were able to come back online. We will continue to prioritise disruptions and place victims at the centre of our strategy to dismantle the ecosystem fuelling cyber crime.”
Law enforcement win
Charles Carmakal, chief technology officer at Google Cloud’s Mandiant Consulting, said: “This is a huge win for law enforcement and the community. ALPHV was one of the most active ransomware-as-a-service programs and they worked with both Russian affiliates and English-speaking western affiliates.
“This action by law enforcement sends a very strong message to ALPHV affiliates and other threat actors. We anticipate continued law enforcement actions and wins throughout 2024.”
Does BlackCat have nine lives?
However, observed Carmakal, the disruption to the cartel’s operations may not yet extend across all of its affiliate groupings – those smaller players to which the core members sold the BlackCat locker in exchange for a cut of the profits.
“Some of the ALPHV affiliates are still active, however, including UNC3944 [Scattered Spider/Octo Tempest – the operation behind the September 2023 Las Vegas casino heists],” he said.
“We expect some affiliates will continue their intrusions as normal, but they will likely try to establish relationships with other RaaS programs for encryption, extortion, and victim shaming support,” said Carmakal.
Researchers from the Secureworks Counter Threat Unit (CTU) went further, having uncovered evidence that in the two weeks since the disruption began, multiple other RaaS operators had offered to publish stolen data on behalf of BlackCat affiliates.
In one instance, said the CTU team, data stolen in a BlackCat attack that occurred just before 7 December was handed off to the INC ransomware crew to publish on its leak site.
Unseized
More concerningly, said the CTU team, several hours after the official takedown notice was published, BlackCat – which it tracks as Gold Blazer – responded with its own notice on the same site, saying it had been “unseized”, suggesting it retains the private key needed to host the service on the Tor network. The gang’s notice was visible because the Tor network directs clients to whichever copy of the service most recently “announced” itself with that key.
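The tug-of-war over the leak site comes down to key material: a v3 onion address is derived from the service’s ed25519 public key, so any party holding the matching private key can announce a service at that address, and a seizure banner at an address is not proof that the operator lost control of it. The following added example (not code from the article, Secureworks or the Tor Project) implements the published v3 address derivation and checksum verification from Tor’s rend-spec-v3 using only the Python standard library; the 32-byte public key is a constructed placeholder, and descriptor publication itself is not modelled.

```python
import base64
import hashlib

# Constants from Tor's rend-spec-v3 for version-3 onion addresses.
ONION_VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"

# Constructed placeholder public key (NOT a real service key).
CONSTRUCTED_PUBKEY = bytes(range(32))


def onion_address(pubkey: bytes) -> str:
    """Derive the v3 .onion address bound to a 32-byte ed25519 public key.

    onion_address = base32(PUBKEY | CHECKSUM | VERSION) + ".onion"
    CHECKSUM      = SHA3-256(".onion checksum" | PUBKEY | VERSION)[:2]

    Because the address is a function of the public key alone, only the
    holder of the corresponding private key can announce a service there.
    """
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    checksum = hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_VERSION).digest()[:2]
    raw = pubkey + checksum + ONION_VERSION  # 35 bytes -> 56 base32 chars, no padding
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_onion_address(address: str):
    """Validate a v3 onion address as it might appear in threat-intel feeds.

    Returns (pubkey, True) when the address is well formed and its checksum
    and version byte match, otherwise (None, False).
    """
    suffix = ".onion"
    if not address.endswith(suffix):
        return None, False
    label = address[: -len(suffix)]
    if len(label) != 56:
        return None, False
    try:
        raw = base64.b32decode(label.upper())  # binascii.Error is a ValueError
    except ValueError:
        return None, False
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_VERSION:
        return None, False
    expected = hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + version).digest()[:2]
    if checksum != expected:
        return None, False
    return pubkey, True


if __name__ == "__main__":
    addr = onion_address(CONSTRUCTED_PUBKEY)
    print("derived address:", addr)
    print("round-trips:", parse_onion_address(addr)[1])
    # A different key yields a different address: a seized server without
    # the key cannot be re-announced at the original address.
    print("other key, same address?", onion_address(bytes(range(1, 33))) == addr)
```

The practical takeaway for defenders is that the address identifies a key, not a server: a takedown notice served at an onion address only shows who published the most recent descriptor, so blocklists and threat-intel entries keyed on the address should be treated as still live until there is evidence the private key itself was recovered.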
The notice redirected visitors to a new blog site and a Russian-language announcement acknowledging the law enforcement operation and threatening vengeance.
In the gang’s statement, translated by Secureworks using automated services, the gang said the FBI had gained access to one of its datacentres, possibly by hacking into or collaborating with one of its hosting providers.
At most, claimed BlackCat, the FBI has decryption keys for 400 victims dating back to early November, but because of this, it said, over 3,000 victims “will never receive their keys”.
As a result, the criminals threatened, it has removed all rules dictating what targets its affiliates may attack, with the exception of those in the former Soviet Union, and will not offer discounts to victims that negotiate.
As of Tuesday 19 December, five victims have been posted to the new leak site, said Secureworks.
A BlackCat timeline
- February 2022: Preliminary reports from Germany’s national cyber authority indicate the recent OilTanking ransomware attack may have been the work of the emerging BlackCat group.
- February 2022: The BlackCat gang is trying to offload 1.6TB of data stolen from aviation services firm Swissport.
- April 2022: After several notable ransomware attacks against major enterprises, the BlackCat gang is drawing the attention of security researchers who have connected it to other groups.
- June 2022: BlackCat this week launched a website for victims' employees and customers to search for any stolen personal information following an attack.
- September 2022: Researchers from Symantec share fresh insight into the ongoing development of, and increasing danger from the ransomware-as-a-service family known variously as ALPHV, BlackCat and Noberus.
- April 2023: A BlackCat ransomware attack on the systems of payments giant NCR caused service outages for restaurants around the world.
- July 2023: Investigations continue into a claim by the ALPHV/BlackCat ransomware gang that it has stolen 7TB of data from Barts NHS Trust in London.
- July 2023: Cosmetics conglomerate Estée Lauder is experiencing operational disruption in the wake of a cyber attack that seems to involve two different cyber crime gangs, BlackCat and Clop.
- September 2023: The ALPHV/BlackCat ransomware operation claimed responsibility for an attack that forced MGM Resorts to shut down systems at some of Las Vegas’ most popular gambling venues.
- November 2023: Researchers at eSentire identified a wave of activity from an ALPHV/BlackCat ransomware affiliate which has adopted a somewhat unusual approach to delivering its locker.
- November 2023: The ALPHV/BlackCat ransomware gang has added a new tactic to its playbook, reporting a victim to the US financial regulator as it goes to ever more extreme lengths in search of a pay-off.