Soon after it was announced that the FBI had “seized several websites” operated by a ransomware group, the hackers claimed to have regained control.
The FBI reportedly monitored the operations of the ALPHV/BlackCat ransomware group in secret for months and was able to help more than 500 victims recover their files without paying a ransom. But on Tuesday, the group announced it had “unseized” its data leak site.
“Over the past 18 months, ALPHV/Blackcat has emerged as the second most prolific ransomware-as-a-service variant in the world based on the hundreds of millions of dollars in ransoms paid by victims around the world. Due to the global scale of these crimes, multiple foreign law enforcement agencies are conducting parallel investigations,” the Justice Department noted in a press release.
“The FBI developed a decryption tool that allowed FBI field offices across the country and law enforcement partners around the world to offer over 500 affected victims the capability to restore their system,” the press release continued, adding that the FBI “has also gained visibility into the Blackcat ransomware group’s computer network as part of the investigation and has seized several websites that the group operated.”
“In disrupting the BlackCat ransomware group, the Justice Department has once again hacked the hackers,” Deputy Attorney General Lisa O. Monaco said. “With a decryption tool provided by the FBI to hundreds of ransomware victims worldwide, businesses and schools were able to reopen, and health care and emergency services were able to come back online. We will continue to prioritize disruptions and place victims at the center of our strategy to dismantle the ecosystem fueling cybercrime.”
Justice Department Disrupts Prolific ALPHV/Blackcat Ransomware Variant
— Criminal Division (@DOJCrimDiv) December 19, 2023
“Criminal actors should be aware that the announcement today is just one part of this ongoing effort. Going forward, we will continue our investigation and pursue those behind Blackcat until they are brought to justice,” the DOJ continued.
“During this investigation, law enforcement gained visibility into the Blackcat Ransomware Group’s network,” according to an unsealed search warrant.
“As a result, the FBI identified and collected 946 public/private key pairs for Tor sites that the Blackcat Ransomware Group used to host victim communication sites, leak sites, and affiliate panels like the ones described above,” it continued. “The FBI has saved these public/private key pairs to the Flash Drive.”
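The “public/private key pairs for Tor sites” in the warrant are the identity keys of version 3 onion services: the .onion address is derived directly from the ed25519 public key, and publishing a service at that address requires the matching private key. Copying a key pair therefore gives the holder the ability to run the site, but it does not revoke the original operator’s copy, which is what makes a “seize” followed by an “unseize” possible. The following Python example, added here as an illustration and not taken from the investigation or from any ALPHV material, derives a v3 address from a public key and validates one the way a Tor client does. The public key it uses is a constructed 32-byte value, not a real service key.

```python
import base64
import hashlib

# Constants from the Tor v3 onion address specification.
ONION_VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"


def onion_checksum(pubkey: bytes) -> bytes:
    """First two bytes of SHA3-256(".onion checksum" || PUBKEY || VERSION)."""
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_VERSION).digest()[:2]


def onion_address(pubkey: bytes) -> str:
    """Derive the 56-character v3 address: base32(PUBKEY || CHECKSUM || VERSION)."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + onion_checksum(pubkey) + ONION_VERSION  # 35 bytes, no base32 padding
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_onion_address(address: str) -> bytes:
    """Validate a v3 address and return the embedded public key.

    Raises ValueError on a malformed address, wrong version byte, or bad checksum,
    mirroring the checks a Tor client performs before looking up the descriptor.
    """
    suffix = ".onion"
    if not address.endswith(suffix):
        raise ValueError("not an .onion address")
    label = address[: -len(suffix)]
    if len(label) != 56:
        raise ValueError("v3 onion addresses are 56 characters before .onion")
    raw = base64.b32decode(label.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_VERSION:
        raise ValueError("unsupported onion address version")
    if checksum != onion_checksum(pubkey):
        raise ValueError("checksum mismatch")
    return pubkey


# Constructed sample key (an assumption for this example): any 32 bytes will do
# for address derivation. A real service would use the public half of its
# ed25519 identity key, and only the holder of the private half can serve it.
SAMPLE_PUBKEY = hashlib.sha256(b"constructed sample, not a real onion service").digest()


if __name__ == "__main__":
    addr = onion_address(SAMPLE_PUBKEY)
    print(addr)
    # Every valid v3 address ends in "d": the final base32 symbol encodes the
    # low bits of the version byte 0x03.
    print("round trip ok:", parse_onion_address(addr) == SAMPLE_PUBKEY)
```

The practical point for an investigator or a defender watching a seized site change hands is that the address itself carries no notion of ownership: anyone with the private key can publish a descriptor for it, so the only way to permanently deny an address to its former operator is to take the key out of their hands, not merely to copy it.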
But ALPHV claimed the FBI “only gained access to decryption keys for the last month and a half, which is about 400 companies,” and said that 3,000 other victims will now lose their keys, according to a report from BleepingComputer.
“Because of their actions, we are introducing new rules, or rather removing ALL the rules except one, you can not touch the CIS, you can now block hospitals, nuclear power plants, anything and anywhere,” the group reportedly said in a “machine-translated statement.”