FBI hacks big ransomware gang Blackcat, restores victims’ systems
The US Justice Department has announced a disruption campaign against the Blackcat ransomware group — also known as ALPHV or Noberus — that targeted computer networks of more than 1,000 victims, including networks that support US critical infrastructure.
The FBI developed a decryption tool that allowed its field offices across the country and law enforcement partners around the world to offer over 500 affected victims the capability to restore their systems.
To date, the FBI has worked with dozens of victims in the US and internationally to implement this solution, saving multiple victims from ransom demands worth approximately $68 million.
The FBI also gained visibility into the Blackcat ransomware group’s computer network as part of the investigation and has seized several websites that the group operated.
“In disrupting the BlackCat ransomware group, the Justice Department has once again hacked the hackers,” said Deputy Attorney General Lisa O. Monaco.
“With a decryption tool provided by the FBI to hundreds of ransomware victims worldwide, businesses and schools were able to reopen, and health care and emergency services were able to come back online,” Monaco said in a statement.
However, a report in Bleeping Computer said that Blackcat claimed to have regained control of its site and that the FBI only had decryption keys for 400 or so companies, leaving more than 3,000 victims whose data remains encrypted.
The gang also reportedly said that it was no longer restricting affiliates using its ransomware software from attacking critical infrastructure, including hospitals and nuclear power plants.
“The FBI continues to be unrelenting in bringing cybercriminals to justice and determined in its efforts to defeat and disrupt ransomware campaigns targeting critical infrastructure, the private sector, and beyond,” said FBI Deputy Director Paul Abbate.
According to the unsealed warrant, Blackcat actors have compromised computer networks in the US and worldwide.
The disruptions caused by the ransomware variant have affected US critical infrastructure — including government facilities, emergency services, defense industrial base companies, critical manufacturing, and healthcare and public health facilities — as well as other corporations, government entities, and schools.
Blackcat uses a ransomware-as-a-service model in which developers are responsible for creating and updating ransomware and for maintaining the illicit internet infrastructure.