Agency Developed a Tool to Decrypt the Systems of More Than 500 Victims
U.S. authorities seized dark web infrastructure belonging to the BlackCat ransomware-as-a-service group, although the Russian-speaking threat actor says it has reestablished operations.
The data leak site of the ransomware group, also known as Alphv, as well as its Tox peer-to-peer instant messaging account, went offline Dec. 7, prompting speculation of a law enforcement operation (see: Ransomware Group Offline: Have Police Seized Alphv/BlackCat?).
Security researchers said BlackCat has listed more than 650 victims on its data leak site since launching in late 2021 as a spinoff of the now-defunct Conti ransomware group. Victims include operators of U.S. critical infrastructure. In March, it leaked photos of breast cancer patients, disrobed from the waist up, that it had stolen from a Pennsylvania-based healthcare group (see: BlackCat Leaking Patient Data and Photos Stolen in Attack).
As part of the seizure operation, the FBI developed a decryption tool that could decrypt the systems of more than 500 victims, the U.S. Department of Justice said.
A BlackCat representative downplayed the seizure. In a screenshot of a conversation posted by vx-underground, the representative said the FBI had “a stupid old key from an old blog.” An apparent new leak site, with a handful of listings dated as recently as Monday, is active.
A court filing shows the FBI infiltrated the ransomware operation through a confidential informant who posed as an affiliate. Through the informant, the FBI was able to gain access to 946 BlackCat Tor sites, including victim communication sites, leak sites and affiliate panels.
The ransomware group recently embraced a new tactic to pressure victims into paying: it says it will report a ransomware infection to U.S. federal regulators unless it receives an extortion payment. As of Monday, large and medium-sized publicly traded U.S. companies must disclose most “material cybersecurity incidents” within four business days of determining that an incident is material (see: SEC Votes to Require Material Incident Disclosure in 4 Days).
Security researchers believe that BlackCat began as a reboot of a notorious group known as BlackMatter, which was itself a rebrand of DarkSide. BlackMatter announced in November 2021 that it was shutting down.
The U.S. government blamed DarkSide for the 2021 ransomware attack on Colonial Pipeline that disrupted the gasoline supply in the southeastern United States. DarkSide shut down operations after saying in May 2021 that it had lost access to the public part of its infrastructure. The Justice Department in June 2021 seized nearly 64 bitcoins that Colonial Pipeline had paid as ransom.