Fraud Management & Cybercrime , Ransomware

BlackCat Ransomware 'Unseizing' a Dark Web Stunt

Ransomware Group Declares Nothing Off Limits Outside of CIS Countries
BlackCat Ransomware 'Unseizing' a Dark Web Stunt
The BlackCat/Alphv ransomware-as-a-service operation used dark web domain name resolution to its advantage. (Image: Shutterstock)

The BlackCat ransomware-as-a-service operation's putative "unseizing" of its leak site from the FBI is a stunt made possible by way the dark web handles address resolution, security researchers said Tuesday. The stunt was a "tactical error" that could alienate affiliates.

See Also: The Cost of Underpreparedness to Your Business

U.S. authorities as part of an international law enforcement operation announced Monday morning that they had seized dark web infrastructure of the BlackCat ransomware-as-a-service group (see: FBI Seizes BlackCat Infrastructure; Group Has New Domain).

The Russian-speaking group established a new dark web leak site and replaced the FBI seizure notice on its previous leak site with a Russian-language note. "This website has been unseized," it declared. In the note, the ransomware gang said that no targets are now off limits, except those inside the Commonwealth of Independent States, a Russia-dominated association roughly compromised of countries formerly part of the Soviet Union.

"You can now block hospitals, nuclear power plants, anything, anywhere," the site said, according to machine translation.

BlackCat, also known as Alphv, was able to substitute its own notice for the FBI seizure notice because the gang likely preserved a copy of the public-private key associated with that dark web domain. Domain name resolution for .onion sites - websites accessible through the Tor network - isn't similar to the hierarchical system of the open web.

"There isn't a central location. It's all based on who has the key pair, and the way the protocol works is whichever server is the most recent to have the key pair is the one that the traffic gets redirected to," said Allan Liska, a ransomware expert at Recorded Future. "They didn't 'unseize' it in the way that they're using the term." Law enforcement still should have possession of the original server.

The FBI told Information Security Media Group it has no further comment on today's events beyond the Justice Department press release.

The ransomware actors were able to retain the public-private key pair in advance of their server's seizure likely because of leaks about the law enforcement operation, Liska told ISMG (see: Ransomware Group Offline: Have Police Seized Alphv/BlackCat?).

Brett Callow, a threat analyst at Emsisoft, called BlackCat's posted note a "tactical error" that could alienate affiliates - the hackers who work on commission to spread the group's malware. "If Cyber Command weren't looking at them before, they certainly are now, and declarations like this make them public enemy number one." Sensible affiliates will distance themselves from BlackCat, he added, despite the group's offer to decrease its take from extortion payments down to 10%.

BlackCat earlier offered affiliates a sliding scale of between 80% and 90% of the extortion money depending on the extortion amount, said cyberthreat intelligence firm Mandiant. The firm said it has already spotted actors affiliated with LockBit, another high-profile Russian-speaking ransomware-as-a-service group, apparently attempting to gain market share by appealing to BlackCat "affiliates and offering to post data from victims who were in the negotiation process with Alphv."

As of publication, the FBI has restored its seizure notice on the BlackCat leak site.

About the Author

David Perera

David Perera

Editorial Director, News, ISMG

Perera is editorial director for news at Information Security Media Group. He previously covered privacy and data security for outlets including MLex and Politico.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.