ALPHV/Blackcat Ransomware Group Fires Back with Escalated Hostility, Following FBI’s Release of New Decryption Tool

The ALPHV/Blackcat ransomware group has responded to the FBI's disruption of their operations with increased hostility, following the release of a decryption tool to more than 500 victims.


Sarah Gooding

December 21, 2023


When ALPHV/Blackcat’s dark web leak site went offline in early December, it was rumored to have been taken down by law enforcement. The prolific ransomware-as-a-service (RaaS) group uses the site to publish attacks, including stolen data when victims fail to comply with ransom demands. This group was recently reported to be behind the Fidelity National Financial cyberattack that paralyzed the company’s title insurance and mortgage-related services for a week.

The U.S. Justice Department (DOJ) has now officially confirmed that it has disrupted ALPHV/Blackcat, seizing several websites and releasing a new decryption tool developed by the FBI.

The decryption tool has been offered to more than 500 victims around the world, and the FBI estimates that it has saved multiple victims from ransom demands totaling approximately $68 million.

More than 1,000 victims have been targeted by Blackcat, including manufacturing and healthcare facilities, schools, companies, and U.S. critical infrastructure. The DOJ encouraged victims who haven’t come forward yet to contact their local FBI office for additional assistance.

“In disrupting the BlackCat ransomware group, the Justice Department has once again hacked the hackers,” Deputy Attorney General Lisa O. Monaco said. “With a decryption tool provided by the FBI to hundreds of ransomware victims worldwide, businesses and schools were able to reopen, and health care and emergency services were able to come back online. We will continue to prioritize disruptions and place victims at the center of our strategy to dismantle the ecosystem fueling cybercrime.”

ALPHV/Blackcat “Unseizes” Leak Site, Doubles Down on Threats

The DOJ may have only temporarily halted Blackcat from continuing on its rampage of extortion, as the group “unseized” its leak site today. Both Blackcat and the FBI now share the private keys associated with the original leak URL. Blackcat is now publishing victims’ data on a new leak URL.

In response to the disruption, the ransomware group asserted that the FBI has only obtained decryption keys for 400 companies and the remaining 3,000 companies will not receive their keys.

In retaliation, Blackcat has toughened its stance, removing all previous rules except for not targeting the CIS (Commonwealth of Independent States), meaning they now permit attacks on hospitals, nuclear plants, and other previously restricted domains. Blackcat has also increased the payout rate for affiliates to 90%, eliminated discounts for companies, and introduced private affiliate programs with isolation from other affiliates, vowing to learn from their mistakes and intensify their operations.

[Image: screenshot of Blackcat’s leak-site statement] Image source: security researcher Kevin Beaumont on Mastodon

The DOJ’s actions appear to have inflamed the ransomware group, as Blackcat is now offering greater incentives for its affiliates to take more aggressive measures.

This recent disruption has also drawn a response from rival ransomware groups, including LockBit, the most active RaaS group according to Cisco Talos’ 2023 report. The ReliaQuest research team reported today that a LockBit representative has offered $1 million to any FBI agent who might be working on exposing the group:

“Let me take this opportunity to remind you that I pay $1 million to anyone who tells me my name, including any FBI agent who is leading my development. Surely there are a lot of FBI agents who are working on my search and one of them will want to get a million dollars. Corruption is a terrible force.”

Despite the DOJ’s celebratory announcement this week, Blackcat appears to be resuming its operations, based on its escalation of tactics and ability to continue public communication today.

The FBI was unable to maintain its seizure of the original leak site and the game of cat-and-mouse between the ransomware group and law enforcement continues. This is a developing story.
