Security News Law Enforcement Behind Takedown of BlackCat/Alphv Website

vtqhtr413

Level 27
Thread author
Well-known
Aug 17, 2017
1,609
The Tor-based BlackCat/Alphv leak site has been inaccessible since December 7. Threat intelligence company RedSense reported the following day that the website was taken down by law enforcement. In an update on Sunday, the company said, “RedSense Chief Research Officer Yelisey Bohuslavkiy confirms that the threat actors, including BlackCat’s affiliates and initial access brokers, are convinced that the shutdown was caused by a law enforcement action. He specifies that other ransomware leadership from the top-tier groups directly related to AlphV also confirm this: specifically admins and team leads of Royal/BlackSuit, BlackBasta, LockBit, and Akira,” the company added.

RedSense also learned that the cybercriminals expect everything to be restored soon, which suggests that the impact on their operation and infrastructure was limited. At the time of writing, the BlackCat website has been down for four days. SOC company ReliaQuest pointed out that the group’s site does have a history of connectivity issues and outages. However, this seems to be one of the longest — if not the longest — downtime. No law enforcement agency appears to have released information about an operation targeting BlackCat. Following the shutdown of the Hive ransomware in January 2023, BlackCat said such a takedown effort would not work against its operation.

vtqhtr413
The Department of Justice announced today that the FBI successfully breached the ALPHV ransomware operation's servers to monitor their activities and obtain decryption keys. On December 7th, BleepingComputer first reported that the ALPHV, aka BlackCat, websites suddenly stopped working, including the ransomware gang's Tor negotiation and data leak sites. While the ALPHV admin claimed it was a hosting issue, BleepingComputer learned it was related to a law enforcement operation.

Today, the Department of Justice confirmed our reporting, stating that the FBI conducted a law enforcement operation that allowed them to gain access to ALPHV's infrastructure. With this access, the FBI silently monitored the ransomware operation for months, siphoning decryption keys and sharing them with over 500 victims so that they did not have to pay a ransom for a decryptor.

The FBI says they have created a decryption tool to allow other victims to recover their files for free. Impacted companies should contact their local FBI field office for information on how to gain access to the decryptor. "The FBI developed a decryption tool that allowed FBI field offices across the country and law enforcement partners around the world to offer over 500 affected victims the capability to restore their systems," announced the Department of Justice.

An FBI search warrant unsealed Tuesday in the Southern District of Florida revealed that the FBI had help from a “confidential human source” in penetrating the AlphV/Blackcat ransomware gang’s network. The unsealed warrant does not detail the full extent of the FBI investigation into the ransomware gang, but reveals that as part of it the agency brought in a confidential human source “who routinely provides reliable information related to ongoing cybercrime investigations.”

The source was able to help by responding to a public advertisement the ransomware gang had posted for potential affiliates, and — after being interviewed by the criminals to determine their “technical proficiency with network intrusion” — was given access credentials for the Blackcat’s affiliate system using a unique .onion address. Law enforcement was subsequently able to access the affiliate panel itself, pursuant to a separate federal search warrant, where they investigated how the system operated.

vtqhtr413

BlackCat "unseizes" data leak site

Tuesday afternoon, the ransomware operation "unseized" their data leak site to regain control of the URL and claimed that the FBI gained access to a data center they were using to host servers. As both the ALPHV operators and the FBI now control the private keys used to register the data leak site's onion URL in Tor, they can go back and forth, seizing the URL from each other, which has been done throughout the day.

As part of ALPHV's unseizure message, the gang announced the launch of a new Tor URL for their data leak site that the FBI does not have the private keys for and thus cannot seize. BleepingComputer has purposely redacted this URL from the image above. The ransomware gang claimed that the FBI only gained access to decryption keys for the last month and a half, which is about 400 companies. However, they said 3,000 other victims will now lose their keys.

The operation also said they are removing all restrictions from their affiliates, allowing them to target any organization they wish, including critical infrastructure. Affiliates are still restricted from attacking countries in the Commonwealth of Independent States (CIS), which were previously part of the Soviet Union.
Finally, the ransomware operation has increased the affiliates' revenue share to 90% of a paid ransom, likely to convince them not to switch to a competing ransomware-as-a-service. The full machine-translated statement is shared below:
"As you all know, the FBI got the keys to our blog, now we'll tell you how it was.
First, how it all happened, after examining their documents, we understand that they gained access to one of the DC, because all the other DC were untouched, it turns out that they somehow hacked one of our hosters, maybe even he himself helped them.
The maximum that they have is the keys for the last month and a half, it's about 400 companies, but now more than 3,000 companies will never receive their keys because of them.
Because of their actions, we are introducing new rules, or rather removing ALL the rules except one, you can not touch the CIS, you can now block hospitals, nuclear power plants, anything and anywhere.
The rate is now 90% for all adverts.
We do not give any discounts to companies, payment is strictly the amount that we specified.
VIP advertisers receive their private affiliate program, which we raise only for them, on a separate DC, completely isolated from each other.
Thank you for your experience, we will take into account our mistakes and work even harder, waiting for your whining in chat rooms and requests to make discounts that no longer exist."

Blackcat - also known as ALPHV or Noberus - is accused of working with the prolific hacking gang known as "Scattered Spider," which has terrorized major businesses including MGM Resorts International and Caesars Entertainment. There was no mention of arrests or of action against Scattered Spider, a group believed by security researchers to be composed at least in part of young, native English speakers mainly from Western countries. The group has acted as the sharp end of the spear for Blackcat, seeding data-scrambling software on victims' devices which can typically only be removed following a massive ransom payment.