BlackCat Strikes Back: Ransomware Gang “Unseizes” Website, Vows No Limits on Targets

The BlackCat/Alphv ransomware group is dealing with the government operation that resulted in website seizures and a decryption tool.


The BlackCat ransomware group, also known as Alphv, has started taking action in response to the recently announced law enforcement operation that involved website seizures and the release of a decryption tool.

BlackCat’s Tor-based leak website became inaccessible on December 7, sparking theories that the cybercrime operation may have been targeted by law enforcement.

While the hackers initially described the outage as the result of a hardware failure, the US government confirmed on Tuesday that a law enforcement operation supported by several allies was responsible for the seizure of several websites used by BlackCat.

The Justice Department said the ransomware group has targeted more than 1,000 entities, and that through the operation investigators managed to create a decryption tool that could help more than 500 victims restore their systems without paying a ransom.

After the disruption efforts came to light and an image announcing the seizure was posted on BlackCat’s main Tor-based website, the hackers apparently retook control of the site, posting a message saying it had been “unseized”.

The cybercriminals announced that they have set up a new leak website, which currently displays the names of six alleged victims. In addition, they posted a message in Russian describing the steps they are taking in retaliation.

The group said only CIS countries, which include Russia and some of its neighbors, are now off limits, with affiliates being allowed to target any type of organization in any other country, including nuclear power plants and hospitals. The group had previously vowed not to target hospitals and emergency services.

The cybercriminals also attempted to downplay the impact of the law enforcement operation, saying that authorities only obtained decryption keys for the last month and a half, which can be used by roughly 400 companies, and that more than 3,000 other victims will never be able to recover their files. In addition, they said they will stop offering victims any discounts on the ransom amount.

Recorded Future’s ransomware expert Allan Liska highlighted that the hackers haven’t actually “unseized” their website. Instead, they possess a signing key that enables them to assign the .onion address to a new server. Both the cybercriminals and the FBI appear to have the key and in the past 24 hours they have taken turns controlling what is displayed on the domain previously used by BlackCat to name and shame victims. 
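A Tor v3 .onion address is derived entirely from the service’s ed25519 public key, which is why whoever holds the matching signing key can point the same address at any new server. The following added example (not code from the article or from any party it describes) derives a v3 address from a public key and validates one, following the Tor rendezvous v3 specification; the 32-byte sample key is constructed for illustration.

```python
import base64
import hashlib

# Tor rendezvous v3: onion address = base32(PUBKEY || CHECKSUM || VERSION) + ".onion"
# where CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2] and VERSION = 0x03.
ONION_VERSION = b"\x03"
ONION_SUFFIX = ".onion"


def onion_checksum(pubkey: bytes) -> bytes:
    """Two-byte checksum binding the public key to the address format version."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + ONION_VERSION).digest()[:2]


def onion_address_from_pubkey(pubkey: bytes) -> str:
    """Derive the v3 onion address. No server identity is involved: only the key matters."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + onion_checksum(pubkey) + ONION_VERSION  # 35 bytes -> 56 base32 chars
    return base64.b32encode(raw).decode("ascii").lower() + ONION_SUFFIX


def pubkey_from_onion_address(addr: str) -> bytes:
    """Parse and validate a v3 address; return the embedded ed25519 public key."""
    if not addr.endswith(ONION_SUFFIX):
        raise ValueError("not a .onion address")
    label = addr[: -len(ONION_SUFFIX)]
    if len(label) != 56:
        raise ValueError("not a v3 onion address (expected 56-character label)")
    raw = base64.b32decode(label.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_VERSION:
        raise ValueError("unsupported onion address version")
    if checksum != onion_checksum(pubkey):
        raise ValueError("checksum mismatch: address is corrupted or tampered")
    return pubkey


# Constructed sample public key (not a real service key): bytes 0x00..0x1f.
SAMPLE_PUBKEY = bytes(range(32))
SAMPLE_ADDRESS = onion_address_from_pubkey(SAMPLE_PUBKEY)

if __name__ == "__main__":
    print(SAMPLE_ADDRESS)
    print(pubkey_from_onion_address(SAMPLE_ADDRESS) == SAMPLE_PUBKEY)
```

Because the address is a pure function of the key, a seizure of hosting infrastructure alone does not take the name away; control of the address follows control of the private key, which is exactly the tug-of-war described above.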


The hackers claimed that, based on the information made public by the Justice Department, authorities gained access to only one of their data centers, either by hacking the hosting provider or by getting it to cooperate.

A warrant shows that investigators obtained — with the help of an informant who applied to an ad for a BlackCat affiliate position — credentials giving them access to panels used by affiliates and developers to communicate and manage attacks. 

As part of the operation, law enforcement obtained 946 Tor public/private key pairs giving them access to victim communication sites, sites hosting stolen victim data, and affiliate panels.

The news of law enforcement accessing affiliate panels could drive away many of the BlackCat affiliates. In an effort to prevent an exodus, the cybercriminals announced that affiliates will be allowed to retain 90% of the ransom payments they get, with ‘VIP’ affiliates being offered a private program on separate, isolated data centers.

“We expect some affiliates will continue their intrusions as normal, but they will likely try to establish relationships with other RaaS programs for encryption, extortion, and victim shaming support,” said Charles Carmakal, Mandiant Consulting CTO, Google Cloud.

Security expert Will Thomas also believes affiliates will switch to LockBit and other ransomware-as-a-service operations, and predicts that BlackCat will likely take a break and rebrand.

Indeed, LockBit has even invited BlackCat ransomware developers to collaborate on source code.

The US government is offering up to $10 million in rewards for information on BlackCat operators or their affiliates.

Related: US Announces IPStorm Botnet Takedown and Its Creator’s Guilty Plea

Related: Technical, Legal Action Taken to Prevent Abuse of Cobalt Strike, Microsoft Software

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
