The BlackCat ransomware group, also known as Alphv, has responded to the recently announced law enforcement operation in which several of its websites were seized and a decryption tool was released to victims.
BlackCat’s Tor-based leak website became inaccessible on December 7, sparking theories that the cybercrime operation may have been targeted by law enforcement.
While the hackers initially attributed the outage to a hardware failure, the US government confirmed on Tuesday that a law enforcement operation supported by several allied countries was responsible for the seizure of several websites used by BlackCat.
The Justice Department said the ransomware group has targeted more than 1,000 entities, and that the operation also yielded a decryption tool that could help more than 500 victims restore their systems without paying a ransom.
After the disruption efforts came to light and an image announcing the seizure was posted on BlackCat’s main Tor-based website, the hackers apparently retook control of the site, posting a message saying it had been “unseized”.
The cybercriminals announced setting up a new leak website, which currently displays the names of six alleged victims. In addition, they posted a message in Russian describing the steps they are taking in retaliation.
The group said that only CIS countries (Russia and some of its neighbors) are now off limits, and that affiliates may target any type of organization in any other country, including nuclear power plants and hospitals. The group had previously vowed not to target hospitals and emergency services.
The cybercriminals also attempted to downplay the impact of the law enforcement operation, claiming that authorities obtained only the decryption keys for the past month and a half, which can be used by roughly 400 companies, and that more than 3,000 other victims will never be able to recover their files. In addition, the group said it will stop offering victims any discounts on the ransom amount.
Recorded Future’s ransomware expert Allan Liska pointed out that the hackers haven’t actually “unseized” their website. Instead, they still hold the onion service’s signing key, from which the .onion address is derived, and whoever holds that key can point the address at a new server. Both the cybercriminals and the FBI appear to have the key, and over the past 24 hours they have taken turns controlling what is displayed on the domain BlackCat previously used to name and shame victims.
The hackers claimed that, based on the information made public by the Justice Department, authorities gained access to only one of their data centers, either by hacking the hosting provider or by getting it to help out.
A warrant shows that investigators obtained, with the help of an informant who responded to an ad for a BlackCat affiliate position, credentials giving them access to the panels used by affiliates and developers to communicate and manage attacks.
As part of the operation, law enforcement obtained 946 public/private key pairs for the group’s Tor onion services, giving them access to victim communication sites, sites hosting stolen victim data, and affiliate panels.
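The tug of war over the leak site and the value of the 946 seized key pairs both come down to one property of Tor v3 onion services: the .onion address is nothing more than an encoding of the service’s ed25519 public key plus a checksum, so anyone holding the matching private key can publish a descriptor for that address and “own” it until the other party publishes again. The following Python is an added illustration, not code from the article or from any tool used in the operation. It derives a v3 address from a public key, parses the key out of Tor’s hs_ed25519_public_key file layout (a 32-byte header followed by the 32-byte key), and verifies an address the way a Tor client does. The key bytes and the sample key file are constructed for the example.

```python
import base64
import hashlib

# Constants from the Tor v3 onion service address format.
ONION_VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"
# Layout of Tor's hs_ed25519_public_key file: 32-byte header + 32-byte key.
PUBKEY_FILE_HEADER = b"== ed25519v1-public: type0 ==\x00\x00\x00"

# Constructed sample key (NOT a real onion service key).
SAMPLE_PUBKEY = bytes(range(32))
SAMPLE_KEY_FILE = PUBKEY_FILE_HEADER + SAMPLE_PUBKEY


def onion_checksum(pubkey: bytes) -> bytes:
    """First two bytes of SHA3-256(".onion checksum" || pubkey || version)."""
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_VERSION).digest()[:2]


def onion_address(pubkey: bytes) -> str:
    """Encode a 32-byte ed25519 public key as a 56-character v3 .onion address."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + onion_checksum(pubkey) + ONION_VERSION  # 35 bytes -> 56 base32 chars
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def pubkey_from_file(data: bytes) -> bytes:
    """Extract the public key from the contents of an hs_ed25519_public_key file."""
    if len(data) != 64 or not data.startswith(PUBKEY_FILE_HEADER):
        raise ValueError("not a Tor v3 onion service public key file")
    return data[32:]


def verify_onion_address(address: str) -> bool:
    """Check length, base32 encoding, version byte and checksum of a v3 address."""
    host = address[:-6] if address.endswith(".onion") else address
    if len(host) != 56:
        return False
    try:
        raw = base64.b32decode(host.upper())
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    return version == ONION_VERSION and checksum == onion_checksum(pubkey)


def address_from_key_file(data: bytes) -> str:
    """Same address every time for the same key: holding the key is holding the name."""
    return onion_address(pubkey_from_file(data))


if __name__ == "__main__":
    addr = address_from_key_file(SAMPLE_KEY_FILE)
    print(addr, verify_onion_address(addr))
```

Because the address is fully determined by the public key, two parties holding the same seized private key (here, the FBI and the remaining BlackCat operators) compute exactly the same name and can each republish a descriptor for it; the network has no notion of a “rightful” owner beyond possession of the key. Every valid v3 address also ends in the letter d, which is the version byte showing through the base32 encoding, a quick sanity check when triaging addresses pulled from a leak site or a warrant.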
The revelation that law enforcement had access to the affiliate panels could drive away many of BlackCat’s affiliates. In an effort to prevent an exodus, the cybercriminals announced that affiliates will be allowed to keep 90% of the ransom payments they collect, with ‘VIP’ affiliates being offered a private program running on separate, isolated data centers.
“We expect some affiliates will continue their intrusions as normal, but they will likely try to establish relationships with other RaaS programs for encryption, extortion, and victim shaming support,” said Charles Carmakal, Mandiant Consulting CTO, Google Cloud.
Security expert Will Thomas also believes affiliates will switch to LockBit and other ransomware-as-a-service operations, and predicts that BlackCat will likely take a break and rebrand.
Indeed, LockBit has even invited BlackCat ransomware developers to collaborate on source code.
The US government is offering up to $10 million in rewards for information on BlackCat operators or their affiliates.