FBI Takes Down BlackCat Ransomware

FBI Takes Down BlackCat Ransomware

The U.S. Justice Department (DoJ) has officially announced the disruption of the BlackCat ransomware operation and released a decryption tool that more than 500 affected victims can use to regain access to files locked by the malware.

Court documents show that the U.S. Federal Bureau of Investigation (FBI) enlisted the help of a confidential human source (CHS) to act as an affiliate for the BlackCat group and gain access to a web panel used for managing the gang’s victims, in what’s a case of hacking the hackers.

The confiscation effort involved collaboration and assistance from multiple law enforcement agencies from the U.S., Germany, Denmark, Australia, the U.K., Spain, Switzerland, and Austria.

BlackCat, also called ALPHV, GOLD BLAZER, and Noberus, first emerged in December 2021 and has since gone on to be the second most prolific ransomware-as-a-service variant in the world after LockBit. It’s also the first Rust-language-based ransomware strain spotted in the wild.

The development puts an end to speculations of a rumored law enforcement action after its dark web leak portal went offline on December 7, only to resurface five days later with just a single victim.

One important thing to note here is that creating a hidden service with the .onion URL on the TOR anonymization network generates a unique key pair comprising a private and public key (aka the identifier) that can be used to access and control the URL.

If anything, the takedown has proven to be a blessing in disguise for rival groups like LockBit, which is already capitalizing on the situation by actively recruiting displaced affiliates, offering its data leak site to resume victim negotiations.

It has also given affiliates the green light to infiltrate critical infrastructure entities such as hospitals and nuclear power plants as well as other targets with the exception of those inside the Commonwealth of Independent States (CIS) as a retaliatory measure. The FBI has since re-seized the website.

In a conversation with vx-underground, a LockBit administrator described the situation as “unfortunate” and that security loopholes in their infrastructure are a primary threat to “my business.”


Source: https://thehackernews.com/