Connect with us

Hi, what are you looking for?



US Gov Disrupts BlackCat Ransomware Operation; FBI Releases Decryption Tool

The US government announced the disruption of the notorious BlackCat ransomware-as-a-service operation and released a decryption tool to help organizations recover hijacked data.

BlackCat ransomware

The US government on Tuesday announced the disruption of the notorious BlackCat ransomware-as-a-service operation and released a decryption tool to help organizations recover hijacked data.

The Justice Department said the disruption of BlackCat, also called ALPHV or Noberus, included website takedowns and a new FBI decryption tool to help hundreds of organizations retrieve and restore data.

The agency said the FBI decryptor has been used by dozens of victims in the United States and internationally, saving ransom demands totaling approximately $68 million.  

“With a decryption tool provided by the FBI to hundreds of ransomware victims worldwide, businesses and schools were able to reopen, and health care and emergency services were able to come back online. We will continue to prioritize disruptions and place victims at the center of our strategy to dismantle the ecosystem fueling cybercrime,” the agency said.

According to a search warrant unsealed today in the Southern District of Florida, law enforcement officials infiltrated the group for several months and used confidential informants to peek at the inner workings of the operation and seized several websites that the group operated.

Over the past 18 months, the agency said BlackCat/ALPHV has emerged as the second most prolific ransomware-as-a-service variant in the world based on the hundreds of millions of dollars in ransoms paid by victims around the world.  

The Justice Department said the BlackCat gang hacked into computer networks across the United States and worldwide, including at US critical infrastructure installations.

Victims include government facilities, emergency services, defense industrial base companies, critical manufacturing, and healthcare and public health facilities – as well as other corporations, government entities, and schools.

Advertisement. Scroll to continue reading.

The government documented how BlackCat actors used affiliates to exfiltrate or steal sensitive data, then demanding ransom payments in exchange for decrypting the victim’s system and not publishing the stolen data. 

“BlackCat actors attempt to target the most sensitive data in a victim’s system to increase the pressure to pay,” the Justice Department said, noting that the gangs use leak sites on darkweb sites to publicize their attacks.

Earlier this month, the dedicated Tor-based leak website affiliated with BlackCat disappeared from view in what was believed to be a law enforcement operation. 

Related: Law Enforcement Behind Takedown of BlackCat/Alphv Ransomware Website

Related: ALPHV Ransomware Operators Pressure Victim With Dedicated Leak Site

Related: FBI Shares Information on BlackCat Ransomware Attacks

Related: BlackCat Ransomware Targets Industrial Companies

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


A SaaS ransomware attack against a company’s Sharepoint Online was done without using a compromised endpoint.


Several major organizations are confirming impact from the latest zero-day exploits hitting Fortra's GoAnywhere software.

Data Breaches

Sony shares information on the impact of two recent unrelated hacker attacks carried out by known ransomware groups. 

Data Breaches

KFC and Taco Bell parent company Yum Brands says personal information was compromised in a January 2023 ransomware attack.


Alphv/BlackCat ransomware group files SEC complaint against MeridianLink over its failure to disclose an alleged data breach caused by the hackers.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.