BlackCat Ransomware Infra Seized By Law Enforcement

The law enforcement agencies led by the FBI have disrupted the infrastructure of the world’s second most prolific ransomware gang.

The ransomware gang it disrupted is tracked as ALPHV, BlackCat, and Noberus. Authorities shut down several of ALPHV’s technical assets, including multiple malicious websites, in collaboration with law enforcement agencies from Australia, Austria, Denmark, Spain, Switzerland, and the U.K.

ALPHV is a ransomware-as-a-service group. It doesn’t launch cyberattacks directly; rather, it develops ransomware and sells it to “affiliates” who use the malicious software to breach organizations’ networks.

This particular threat actor is believed to have infected more than 1,000 organizations, including government agencies, critical manufacturers, healthcare providers, and schools, to name a few. The FBI estimates that the cyberattacks incurred hundreds of millions of dollars in costs related to ransomware payments, breach remediation efforts, and the theft of proprietary data.

The FBI reportedly gained access to ALPHV’s computer network by recruiting a confidential human source close to the hackers. Previously, the U.S. Department of State announced that it would reward people for information about ALPHV. According to the FBI, the source close to ALPHV provided officials with credentials that they used to log into the ransomware gang’s network.

Officials gained access to the group’s affiliate panel, a software tool it used to coordinate cyberattacks with affiliates. The panel displayed technical data on the systems of an organization targeted in a ransomware attack.

After gaining access to ALPHV’s network, authorities took down a number of malicious websites in the Tor network used by the ransomware gang to support its activities.

The FBI obtained the keys to ALPHV’s websites after gaining access to its network. Additionally, the agency released a tool that organizations can use to decrypt information scrambled by ALPHV ransomware. The FBI and its law enforcement partners have so far provided the tool to more than 500 victims, helping them avoid an estimated $68 million in ransom payments.

ALPHV/BlackCat later posted a statement to its leak site, which had been offline since December 8, when it is believed to have been shuttered by law enforcement. On Tuesday, the previously shuttered site briefly displayed an FBI seizure notice. Within hours, however, the site displayed a note from the ransomware group claiming the site had been “unseized.”

In a statement, written in the Russian language, the threat actors stated, “Because of their actions, we are introducing new rules, or rather, we are removing ALL rules, except one, you cannot touch the critical infrastructure sectors, you can now block hospitals, nuclear power plants, anything, anywhere.”
