In a significant blow against cybercrime, the United States Department of Justice announced the successful disruption of the BlackCat ransomware operation. The FBI led this operation, collaborating with law enforcement agencies from the United States and several other countries, including Germany, Denmark, Australia, the United Kingdom, Spain, Switzerland and Austria.
The operation relied on a confidential human source (CHS), who acted as an affiliate of the BlackCat group to gain access to the web panel used to manage ransomware victims. BlackCat, also known as ALPHV, GOLD BLAZER and Noberus, emerged in December 2021 and had become the second most prolific ransomware-as-a-service variant in the world.
The joint action allowed the FBI to seize control of the ransomware and dismantle the Tor sites operated by the group. Additionally, a free decryption tool was released that more than 500 affected victims can use to regain access to files locked by the malware.

Importantly, BlackCat used a ransomware-as-a-service model, involving both core and affiliate developers. These affiliates, who rented the payload, were responsible for identifying and attacking high-value victim institutions. The group also employed a double extortion scheme, exfiltrating sensitive data before encryption to pressure victims into paying ransoms.
It is estimated that the financially motivated actor compromised the networks of more than 1,000 victims around the world, generating almost $300 million in illegal income up to September 2023.
The FBI worked closely with dozens of victims in the US to deploy the decryptor, avoiding ransom demands totaling around $68 million. In addition, valuable information was obtained about the ransomware’s computer network.
Despite these successes, rival groups such as LockBit are seen capitalizing on the situation, actively recruiting displaced members and offering their services to victims. BlackCat, for its part, has attempted to resist the blow, moving servers and blogs, but authorities have continued to take measures to contain any remaining activity.




