The US government on Tuesday announced the disruption of the notorious BlackCat ransomware-as-a-service operation and released a decryption tool to help organizations recover hijacked data.
The Justice Department said the disruption of BlackCat, also called ALPHV or Noberus, included website takedowns and a new FBI decryption tool to help hundreds of organizations retrieve and restore data.
The agency said the FBI decryptor has been used by dozens of victims in the United States and internationally, saving ransom demands totaling approximately $68 million.
“With a decryption tool provided by the FBI to hundreds of ransomware victims worldwide, businesses and schools were able to reopen, and health care and emergency services were able to come back online. We will continue to prioritize disruptions and place victims at the center of our strategy to dismantle the ecosystem fueling cybercrime,” the agency said.
According to a search warrant unsealed today in the Southern District of Florida, law enforcement officials infiltrated the group for several months and used confidential informants to peek at the inner workings of the operation and seized several websites that the group operated.
Over the past 18 months, the agency said BlackCat/ALPHV has emerged as the second most prolific ransomware-as-a-service variant in the world based on the hundreds of millions of dollars in ransoms paid by victims around the world.
The Justice Department said the BlackCat gang hacked into computer networks across the United States and worldwide, including at US critical infrastructure installations.
Victims include government facilities, emergency services, defense industrial base companies, critical manufacturing, and healthcare and public health facilities – as well as other corporations, government entities, and schools.
The government documented how BlackCat actors used affiliates to exfiltrate or steal sensitive data, then demanding ransom payments in exchange for decrypting the victim’s system and not publishing the stolen data.
“BlackCat actors attempt to target the most sensitive data in a victim’s system to increase the pressure to pay,” the Justice Department said, noting that the gangs use leak sites on darkweb sites to publicize their attacks.
Earlier this month, the dedicated Tor-based leak website affiliated with BlackCat disappeared from view in what was believed to be a law enforcement operation.