Fraud Management & Cybercrime , Ransomware
FBI Seizes BlackCat Infrastructure; Group Has New Domain
Agency Developed a Tool to Decrypt the Systems of More Than 500 VictimsUpdate Dec. 19, 2023 18:19 UTC: The BlackCat ransomware as a service gang apparently reclaimed a dark web leak site taken over by the U.S. federal authorities, substituting a seizure notice from the FBI with a new notice claiming that "this website has been unseized."
See Also: Critical Condition: How Qilin Ransomware Endangers Healthcare
A Russian-language missive states, according to machine translation, that U.S. authorities likely hacked the group's dark website host. Information Security Media Group has asked the U.S. Department of Justice and the FBI for comment and will update if they respond.
Update Dec. 19, 2023 19:09 UTC: The FBI said it had no additional comment beyond this morning's statement from the Department of Justice.
Update Dec. 19, 2023 21:12 UTC: Read our updated coverage here.
Original story is below.
U.S. authorities seized dark web infrastructure of the BlackCat ransomware-as-a-service group although the Russian-speaking threat actor said it has reestablished operations.
The data leak site of the ransomware group, also known as Alphv, as well as its Tox peer-to-peer instant messaging account, went offline Dec. 7, prompting speculation of a law enforcement operation (see: Ransomware Group Offline: Have Police Seized Alphv/BlackCat?).
Security researchers said BlackCat has listed more than 650 victims on its data leak site since launching in late 2021 as a spinoff of the now-defunct Conti ransomware group. Victims include operators of U.S. critical infrastructure. In March, it leaked images of breast cancer patients disrobed from the waist up stolen from a Pennsylvania-based healthcare group (see: BlackCat Leaking Patient Data and Photos Stolen in Attack).
As part of the seizure operation, the FBI developed a decryption tool that could decrypt the systems of more than 500 victims, the U.S. Department of Justice said.
A BlackCat representative downplayed the seizure, according to a screenshot of a conversation with vx-underground stating that the FBI had "a stupid old key from an old blog." An apparent new leak site with a handful of listings dated as recently as Monday is active.
A court filing shows the FBI had infiltrated the ransomware operator through a confidential informant who posed as an affiliate. Through the informant, the FBI was able to download 946 BlackCat victim communication sites, leak sites and affiliate panels accessible through the Tor network.
The ransomware group has recently embraced a new tactic to pressure victims into paying. It now says it will inform U.S. federal regulators about a ransomware infection unless it receives an extortion payment. As of Monday, publicly traded U.S. large and medium-sized companies must disclose most "material cybersecurity incidents" within four business days of determining materiality (see: SEC Votes to Require Material Incident Disclosure in 4 Days).).
Security researchers believe that BlackCat began as a reboot of a notorious group known as BlackMatter, which was itself a rebrand of DarkSide. BlackMatter announced in November 2021 that it was shutting down.
The U.S. government fingered DarkSide for a 2021 ransomware attack on Colonial Pipeline that disrupted the gasoline supply in the southeastern United States. DarkSide shut down operations after saying in May 2021 that it had lost access to the public part of its infrastructure. The Justice Department in June 2021 seized nearly 64 bitcoins that Colonial Pipeline had used to pay a ransom.