Cybersecurity and data protection concept image.
Image: Adobe/igor.nazlo

On Dec. 19, the Department of Justice announced the FBI had been working on a disruption campaign against the ransomware group known as ALPHV, Noberus or BlackCat that resulted in the seizure of several of the group’s websites, visibility into their network and a decryption tool that could restore stolen data. International law enforcement agencies from Australia, Denmark, Germany, Spain and the U.K. participated.

Jump to:

What is ALPHV/BlackCat?

ALPHV/BlackCat is a group that has been known for ransomware since 2021. Their ransomware, called by the same name, is written in the Rust programming language. Its ability to customize for different operating systems makes it viable against a wide range of targets. ALPHV/BlackCat operates ransomware-as-a-service, selling its services and running an advertiser ecosystem around them.

“Recent developments have seen the continuation of the ‘cat and mouse’ game between the actor and law enforcement, with an ongoing reseizure of the infrastructure and further threats from the group to remove ‘rules’ on the usage of the ransomware, allowing affiliates to attack hospitals and power plants,” said Simpson.

“We’ve also seen other prolific ransomware groups such as LockBit capitalizing on the disruption to entice former BlackCat members into their operations,” stated Simpson. “This exemplifies the complexity of the ransomware landscape and the challenges inherent in trying to fully wipe out ransomware threats.”

Ransomware group investigated and site temporarily closed by international law enforcement

On Dec. 19, BlackCat’s leak site on the dark web was seized and closed; however, by the evening of Dec. 19, the ransomware group had “unseized” the site, and ownership of it had become a tug-of-war between the threat actors and the authorities.

The FBI is offering a decryption tool to over 500 victims. So far, organizations have been saved from having to pay about $68 million in ransom demands.

SEE: A new social engineering threat targets recruiters by posing as interested candidates (TechRepublic)

Removing BlackCat’s fangs and its websites would mean the ransomware group would be able to steal less data in the first place and would lose its marketplace for selling that data to black-market buyers.

One of BlackCat’s websites was the “general collection,” which was a searchable database of the stolen data.

“The takedown of the BlackCat/Alphv ransomware operation is a major development in the cybercriminal underground,” said Jim Simpson, director of threat intelligence at Searchlight Cyber, in an email comment provided to TechRepublic. “The (ransomware-as-a-service) group is one of the most prolific and destructive that we track, applying double extortion and even going a step further than other groups by applying pressure on its victims through its ‘general collection.'”

BlackCat reportedly “unseizes” website

On Dec. 19, Bleeping Computer reported BlackCat’s dark web site had a new message: The website had been “unseized.” BlackCat relaxed most of its rules, specifically outlawing attacks against critical infrastructure or hospitals. The group’s remaining rule is that it will not support attacks against the Commonwealth of Independent States, which is a coalition of former Soviet Union nations, including Russia.

How to protect against ransomware-as-a-service

In order to prevent large-scale ransomware attackers from gaining a foothold in business systems, organizations should follow security best practices regarding preventing malicious code execution. The following tips can help organizations avoid ransomware-as-a-service attacks:

  • Keep systems up to date.
  • Keep an eye on cloud assets and potential vulnerabilities.
  • Deploy multi-factor authentication.
  • Audit credentials.
  • Segment account information.

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday