The U.S. Department of Justice has released a decryption tool to counter the effects of the infamous ALPHV/BlackCat ransomware variant. Developed by the FBI, the tool allows more than 500 victims to regain access to their data. However, ALPHV/BlackCat argues that the tool is not as effective as it seems.
The FBI claims to have already bailed out dozens of organizations using the tool. In doing so, the government agency says it has already prevented about $68 million in ransom payments. In addition, the FBI has been able to take down part of the criminal group’s network infrastructure, as a result of which several websites have been taken down.
Cunning approach to targets
ALPHV/BlackCat is not only very active (only LockBit 3.0 has more victims), but also deals with targets in a cunning way. For example, the gang threatened to take legal action because its own target had not reported the data breach to U.S. authorities quickly enough. The group was also responsible for high-profile hacks on MGM casinos in Las Vegas and online platform Reddit.
The group was previously known by several names, including DarkSide (2020-21) and BlackMatter (July-November 2021). In both cases, authorities managed to infiltrate the organization, forcing the group to change its name and create a new ransomware variant. BleepingComputer reports that the collective has become much more aggressive in its behaviour towards victims in recent years, leading authorities to take quicker action against it.
Now it’s the FBI’s turn again to hack the hackers, as Deputy Attorney General Lisa O. Monaco characterizes the operation against the gang. “With a decryption tool provided by the FBI to hundreds of ransomware victims worldwide, businesses and schools were able to reopen, and health care and emergency services were able to come back online. We will continue to prioritize disruptions and place victims at the center of our strategy to dismantle the ecosystem fueling cybercrime.”
Multiple national police units are conducting parallel investigations against ALPHV/BlackCat, the U.S. Department of Justice states.
Steven Stone, Head of Rubrik Zero Labs, says the action shows what’s possible with international cooperation to combat cybercrime. “Takedowns force threat actors to reconstitute under new names and rebuild technical infrastructure from scratch – actions that divert significant time and resources away from criminal operations.” He names Qakbot as an example, which took three months to come back after authorities took it down in the so-called Operation Duck Hunt.
Is a new ransomware variant needed for ALPHV/BlackCat?
It’s notable that the criminal group got one of the websites seized by the FBI back online. According to ALPHV/BlackCat, the FBI only had access to a datacenter where the servers were hosted. Since Wednesday, the FBI and the gang appear to have been continuously swapping ownership of the website, as both parties have a private key to control the URL in Tor. Stone disputes ALPHV’s assertion that they’re back in control. “Importantly, ALPHV’s claim to have ‘unseized’ their site misunderstands the nature of .onion addresses, which are tied to encryption keys held by site operators. The governmental coalition maintains complete control of ALPHV’s leak site and data.”
ALPHV/BlackCat states that the FBI can only help 400 affected targets with the tool and that 3,000 other organizations have now lost their keys, meaning they will not be able to access their data even after paying a ransom. In addition, the group has stated that its affiliates are now free to attack any organization, provided it’s outside the former Soviet Union. Also, from now on, affiliates will be allowed to keep 90 percent of the ransom money.
Either way, the decryption tool will be a thorn in the gang’s side, as previous actions have already resulted in name changes and the prevention of ransom payments. However, that does not completely eliminate the problem. Company data may still be in the hands of hackers and may eventually be published.