The U.S. Justice Department (DoJ) has officially disrupted the notorious BlackCat ransomware operation, releasing a decryption tool that lets over 500 victims recover files encrypted by the malware. Court documents reveal that the U.S. Federal Bureau of Investigation (FBI) used a confidential human source (CHS) who signed up as a BlackCat affiliate, gaining access to the web panel the gang used to manage victims, in effect hacking the hackers.
Joint Law Enforcement Efforts End BlackCat
The collaborative effort extended across borders, with law enforcement agencies from the U.S., Germany, Denmark, Australia, the U.K., Spain, Switzerland, and Austria joining forces against the global menace. BlackCat, also known as ALPHV, GOLD BLAZER, and Noberus, emerged in December 2021 and quickly became the second most prolific ransomware-as-a-service variant globally, behind LockBit. Notably, it was the first ransomware strain written in Rust to be seen in the wild.
Speculation about a law enforcement action gained momentum when BlackCat's dark web leak portal went offline on December 7, only to resurface five days later listing a single victim. The FBI, working with numerous U.S. victims, deployed the decryptor and thwarted ransom demands totaling approximately $68 million. The agency also gained visibility into the ransomware's infrastructure, collecting 946 public/private key pairs used to host the Tor sites operated by the group, which is what allowed those sites to be taken down.
Those key pairs matter because of how Tor onion services are addressed: the unique key pair generated when a hidden service is created determines its .onion address, and whoever holds the private key can publish the service descriptor and therefore control what visitors to that address see. BlackCat, like other ransomware groups, operated a ransomware-as-a-service model with core developers and affiliates. The affiliates, responsible for identifying and breaching high-value victims, used a variety of initial access methods, including compromised user credentials.
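The following is an added example, not code from the article or from any party it describes, showing why seizing a hidden service's key pair equals seizing its site: a v3 .onion address is nothing more than the service's ed25519 public key plus a checksum and version byte, so the address is bound to the key and cannot be re-hosted by anyone without the matching private key. The derivation follows the public Tor rend-spec-v3 rules; the sample keys are constructed placeholders, and the code stops at address derivation (it does not build or sign service descriptors).

```python
import base64
import hashlib

# v3 onion service addressing (Tor rend-spec-v3): the address is the lowercase
# base32 encoding of  PUBKEY(32) || CHECKSUM(2) || VERSION(1)  followed by ".onion".
ONION_VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"
ADDRESS_LEN = 56  # 35 bytes * 8 bits / 5 bits per base32 character


def onion_checksum(pubkey: bytes) -> bytes:
    """First two bytes of SHA3-256(".onion checksum" || PUBKEY || VERSION)."""
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_VERSION).digest()[:2]


def onion_address(pubkey: bytes) -> str:
    """Derive the .onion address that belongs to a 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be exactly 32 bytes")
    raw = pubkey + onion_checksum(pubkey) + ONION_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_onion_address(address: str) -> bytes:
    """Recover the public key from a v3 address, rejecting malformed or tampered input."""
    if not address.endswith(".onion"):
        raise ValueError("not a .onion address")
    body = address[: -len(".onion")]
    if len(body) != ADDRESS_LEN:
        raise ValueError("not a v3 onion address (16-char v2 addresses are retired)")
    raw = base64.b32decode(body.upper())  # binascii.Error is a ValueError subclass
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_VERSION:
        raise ValueError("unsupported onion address version")
    if checksum != onion_checksum(pubkey):
        raise ValueError("checksum mismatch: address does not match the embedded key")
    return pubkey


def is_valid_onion_address(address: str) -> bool:
    try:
        parse_onion_address(address)
        return True
    except ValueError:
        return False


def corrupt_checksum(address: str) -> str:
    """Constructed negative case: flip one bit of the embedded checksum field."""
    raw = bytearray(base64.b32decode(address[: -len(".onion")].upper()))
    raw[33] ^= 0x01
    return base64.b32encode(bytes(raw)).decode("ascii").lower() + ".onion"


if __name__ == "__main__":
    # Constructed sample keys (a real service reads its key from hs_ed25519_public_key).
    # Two different keys always yield two different addresses; only the holder of the
    # private half of a key can serve content at the address derived from it.
    key_a = bytes(range(32))
    key_b = bytes(range(1, 33))
    addr_a = onion_address(key_a)
    print(addr_a, is_valid_onion_address(addr_a))
    print(onion_address(key_b))
    print(corrupt_checksum(addr_a), is_valid_onion_address(corrupt_checksum(addr_a)))
```

In practice a takeover looks like the reverse of the seizure described above: with the private keys in hand, investigators can run their own onion service under the group's existing addresses, which is why the group could briefly "unseize" a site only while it still held a copy of the same keys.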
BlackCat Has Claimed More Than 1,000 Victims
Financially motivated, BlackCat is estimated to have compromised over 1,000 victims worldwide and to have taken in nearly $300 million in illicit revenue as of September 2023. Following the takedown, rival groups such as LockBit seized the opportunity, actively recruiting displaced affiliates and offering their own data leak site for victim negotiations.
In response to the crackdown, a BlackCat spokesperson claimed the group had moved servers and blogs, dismissing law enforcement’s access as limited to an outdated key for an old blog site. Despite this, the FBI’s intervention triggered a series of events, prompting the group to “unseize” its main leak site using cryptographic keys, greenlighting affiliates to infiltrate critical infrastructure, and issuing retaliatory measures against the Commonwealth of Independent States (CIS). The FBI, however, swiftly re-seized the website.
Reflecting on the situation, a LockBit administrator acknowledged the unfortunate circumstances, highlighting security loopholes as a primary threat to their business.