
BlackCat Ransomware Gang Recovers From Early December Law Enforcement Operation, Restores Websites Seized by DOJ

Ransomware gangs that get too big for their britches have been finding themselves targeted by joint law enforcement operations headed up by the US Department of Justice (DOJ) over the last two years, and in early December it appeared that BlackCat/ALPHV was the latest to overstep its bounds in this way as its public-facing websites were seized. The group has since “re-seized” the sites, however, and made promises of wide-ranging retaliation.

Some security experts that follow the group believe that this may still be the beginning of the end for BlackCat. Law enforcement reportedly obtained access to the panels and other backend spaces that affiliates use, something that is likely to spook many of them into switching to other ransomware-as-a-service (RaaS) providers. With enough of a drop in business, BlackCat might be prompted to scuttle the operation and regroup under a new brand name.

Ransomware gang rattled, but recovers its Tor sites

The Tor website that BlackCat uses to name-and-shame its ransomware victims became inaccessible on December 7, something that the group initially tried to claim was a technical problem. About a week and a half later, a standard DOJ website seizure notification appeared to visitors and the agency confirmed that a law enforcement operation had taken place.

BlackCat has since taken back at least partial control of its Tor site. A “this website has been unseized” graphic has appeared along with a rant in Russian promising revenge and notifying affiliates that previously “off-limits” targets, such as hospitals and nuclear power plants, can now be attacked. That prohibition on hospitals does not appear to have ever been taken very seriously as multiple health care facilities have been hit by the ransomware gang in the past year, including two separate attacks on major service provider Henry Schein (the most recent of which took place in late November).

The group may not be left with enough affiliates to undertake this rampage of revenge, however. The law enforcement operation did considerable damage, penetrating the affiliate panels that the group’s clientele use to communicate with the ransomware gang and to obtain tools and assistance. Investigators also obtained nearly a thousand Tor public/private key pairs, the keys that control the group’s .onion addresses and provide access to the storage vaults holding stolen victim data. Some security experts believe this will spook most of BlackCat’s customers into moving to another RaaS provider. The DOJ also released a free decryption tool, though BlackCat claims it will only work for about 400 of its most recent victims out of roughly 3,000 in total.

The ransomware gang also does not appear to have full control of its Tor site, as the DOJ seizure page continues to reappear sporadically. Security analyst Allan Liska notes that the group simply used the site’s Tor signing key to re-point the address at a new server, and that the DOJ still controls all of the assets the law enforcement operation initially seized. This back-and-forth is possible because a v3 .onion address is derived from the onion service’s public key rather than from any particular server: whoever holds the matching private key can publish a fresh service descriptor and make the address resolve to a server they control, so with both sides holding the same key, the name can be pulled back and forth indefinitely.
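To make concrete why the key, not the server, is the contested asset in the tug of war described above, here is an added example written for this article (it is not code from the DOJ, the Tor Project or the gang). It derives a v3 .onion hostname from a 32-byte ed25519 public key the way the Tor rendezvous specification defines it, base32 of pubkey || checksum || version where the checksum is the first two bytes of SHA3-256(".onion checksum" || pubkey || version), and validates an address back into its key. The key bytes in `DEMO_PUBKEY` are constructed for the demo and are not a real service key; the function names `onion_address` and `parse_onion_address` are choices made here.

```python
import base64
import hashlib

# Constants from the Tor rendezvous v3 specification (onion address format).
ONION_VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"

# Constructed 32-byte "public key" for the demo only. A real onion service
# would use the ed25519 public key from its hs_ed25519_public_key file.
DEMO_PUBKEY = hashlib.sha256(b"constructed demo key for this article").digest()


def onion_checksum(pubkey: bytes) -> bytes:
    """First two bytes of SHA3-256(".onion checksum" || pubkey || version)."""
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_VERSION).digest()[:2]


def onion_address(pubkey: bytes) -> str:
    """Derive the v3 .onion hostname bound to a 32-byte ed25519 public key.

    The hostname is base32(pubkey || checksum || version): 35 bytes become
    56 base32 characters, and because the final byte is the version 0x03,
    every v3 address ends in the letter 'd'.
    """
    if len(pubkey) != 32:
        raise ValueError("v3 onion services use 32-byte ed25519 public keys")
    payload = pubkey + onion_checksum(pubkey) + ONION_VERSION
    return base64.b32encode(payload).decode("ascii").lower() + ".onion"


def parse_onion_address(address: str) -> bytes:
    """Recover the public key from a v3 address; raise ValueError if malformed.

    A Tor client connecting to this name only accepts service descriptors
    signed by the key embedded in it, so whoever holds the private half
    decides which server the name currently points at.
    """
    host = address.strip().lower()
    if host.endswith(".onion"):
        host = host[: -len(".onion")]
    if len(host) != 56:
        raise ValueError("v3 onion addresses are 56 base32 characters")
    try:
        payload = base64.b32decode(host, casefold=True)
    except Exception as exc:  # binascii.Error on invalid base32
        raise ValueError("address is not valid base32") from exc
    pubkey, checksum, version = payload[:32], payload[32:34], payload[34:]
    if version != ONION_VERSION:
        raise ValueError("unsupported onion service version")
    if checksum != onion_checksum(pubkey):
        raise ValueError("checksum mismatch (typo or tampered address)")
    return pubkey


if __name__ == "__main__":
    addr = onion_address(DEMO_PUBKEY)
    print("address      :", addr)
    print("round-trip ok:", parse_onion_address(addr) == DEMO_PUBKEY)
    # Character 52 lies entirely inside the two checksum bytes, so changing it
    # is always detected (the recomputed checksum no longer matches).
    bad = addr[:52] + ("a" if addr[52] != "a" else "b") + addr[53:]
    try:
        parse_onion_address(bad)
    except ValueError as err:
        print("tampered address rejected:", err)
```

Run it with `python3 onion_addr.py`. The point for defenders and investigators is in `parse_onion_address`: nothing in the name identifies a host, only a key, which is why a seizure of the key (rather than of servers) is what lets law enforcement post its banner, and why the original key holder can keep re-pointing the same name as long as the key has not been rotated or revoked.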

Chris Grove, Director of Cybersecurity Strategy for Nozomi Networks, cautions that the group remains a serious threat even if it is presently diminished in capacity: “Given ALPHV’s new stance, there is a real possibility of an increase in cyberattacks on critical infrastructure. Organizations operating critical infrastructure should be on heightened alert, as these developments could re-awaken a dormant phase in cybercriminal tactics where CI is fair play.

Although this group’s operations are degraded, they might act out of desperation to maintain their image as a safe system for hackers to leverage for their criminal activities. In a short period of time they’ve been able to pull in $300 Million to fund these types of operations, something they will fight for at the expense of our society’s safety and peace … In terms of what happens next, it’s likely a cat-and-mouse game between law enforcement and members of this particular ransomware gang. From Darkside/DarkMatter to REvil to BlackCat and its affiliates, there are ongoing operations to dismantle the group’s network. It is also a signal to the cyber community that law enforcement is actively pursuing leads and looking to prevent further attacks.”

DOJ-led law enforcement operation may unravel BlackCat due to lack of affiliate trust

Though BlackCat is far from out of business at this point, this may well be an indicator of the group’s imminent retirement. Ransomware gangs generally fold and regroup under a new brand name that is free of baggage when law enforcement operations bring too much heat on them, and a loss of enough affiliate business would likely trigger this move.

A DOJ warrant revealed that the group was initially penetrated by a turncoat affiliate that agreed to act as an informant and handed over login access, something that is also very likely to turn business away to more stable ransomware gangs. BlackCat has clearly been rattled by the law enforcement operation, promising affiliates that they can keep 90% of their ransomware payments (65% to 85% is a more standard cut) and offering its longtime “VIP” clients a special protected data center isolated from all other operations. Other major players in the ransomware game, such as LockBit, are already making overtures; not just to potentially disgruntled clients, but also to ALPHV coders who might want to jump ship.

While the group may struggle to attract and retain affiliates, truly putting a ransomware gang out of business requires arresting its central operators. The law enforcement operation does not appear to have made any progress on this front as of yet; the US government is maintaining a $10 million reward offer for information leading to the arrest of BlackCat/ALPHV’s central figures. ALPHV’s own lineage shows how the people behind one major threat group tend to resurface in another after only a short interval: its members are thought to have started out with the Darkside group that famously targeted US critical infrastructure in 2021, moving from there to the BlackMatter group after international pressure was turned up. BlackMatter in turn is thought to have scattered and reformed as BlackCat/ALPHV after announcing its shutdown in late 2021, citing pressure from law enforcement.

Ryan McConechy, CTO of Barrier Networks, notes that this is nevertheless another substantial victory for general cybersecurity: “This takedown is a huge win for law enforcement and it highlights the force the FBI is using to target cybercriminals. In the last year, BlackCat has been behind some of the biggest attacks in history, with its affiliates suspected to be behind the devastating attack on MGM Casinos. Given the publicity this attack received and the money it costs MGM, it’s not all that surprising that law enforcement has targeted the gang. When cybercriminals carry out this level of destruction, they will always face repercussions. While today is undoubtedly a big win for defenders, other ransomware gangs still exist, so defences must still be the number one priority. This involves using strong, unique passwords, implementing MFA and Zero Trust principles, using Privileged Access Management (PAM) to protect key accounts, deploying layered security to prevent lateral movement, and training employees regularly on phishing and cybercrime.”

Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, agrees with this assessment: “This is great news. Yet another ransomware purveyor disrupted. Even better, it’s the second most popular ransomware gang and the FBI is proactively helping victims with a decryption tool. I didn’t see where they identified any of the ransom hackers, and even so they are likely just to reform under another name. Still, anytime the good guys can disrupt the bad guys it’s a great day for all that is good.”

Dr Ilia Kolochenko, CEO and Chief Architect at ImmuniWeb, cautions that the fight will not be over as long as ransomware groups have “safe harbor” countries to hide away in: “… disruption of cybercrime’s infrastructure and selective arrests of identifiable cyber gang members is rarely sufficient. For example, a considerable number of seized hacking forums or marketplaces resurrected a few weeks after the seizure under a similar or new identity. Amid the global geopolitical uncertainty, many cybercrime groups safely operate from non-extraditable jurisdictions in absolute impunity. Payments of ransoms in cryptocurrencies – despite the several successful seizures of bitcoins that happened earlier this year – remain largely untraceable and immune to seizure. While somewhat utopic, unless nation-states manage to hammer out a truly global convention against cybercrime that would be ratified by all UN member states, the battle against organized cybercrime will be like fighting an immortal hydra.”