Article Details
Scrape Timestamp (UTC): 2023-12-19 14:18:07.584
Original Article Text
FBI disrupts BlackCat ransomware operation, creates decryption tool

The Department of Justice announced today that the FBI successfully breached the ALPHV ransomware operation's servers to monitor their activities and obtain decryption keys.

On December 7th, BleepingComputer first reported that the ALPHV, aka BlackCat, websites suddenly stopped working, including the ransomware gang's Tor negotiation and data leak sites. While the ALPHV admin claimed it was a hosting issue, BleepingComputer learned it was related to a law enforcement operation.

Today, the Department of Justice confirmed our reporting, stating that the FBI conducted a law enforcement operation that allowed them to gain access to ALPHV's infrastructure. With this access, the FBI silently monitored the ransomware operation for months, siphoning decryption keys and sharing them with over 500 victims so that they did not have to pay a ransom for a decryptor.

The FBI says they have created a decryption tool to allow other victims to recover their files for free. Impacted companies should contact their local FBI field office for information on how to gain access to the decryptor.

In addition, the FBI has seized the website URL for the ransomware operation's data leak site, which now displays a seizure message stating that it was seized in an international law enforcement operation.

Ever since the disruption to ALPHV's servers, affiliates have been losing trust in the operation, with BleepingComputer learning that they have been contacting victims directly via email rather than using the gang's Tor negotiation site. This was likely due to the threat actors believing that the ALPHV infrastructure had been compromised by law enforcement, putting them at risk if they used it.

The LockBit ransomware operation has also treated this disruption as an early holiday gift, telling affiliates they can move to its operation to continue negotiating with victims.
A third breach by law enforcement

This ransomware operation has operated under multiple names over the years and has been breached by law enforcement each time.

They initially launched as DarkSide in August 2020 and then shut down in May 2021 after facing intense pressure from law enforcement operations caused by the gang's widely publicized attack on Colonial Pipeline. The ransomware operation later returned as BlackMatter on July 31st but, once again, shut down in November 2021 after Emsisoft exploited a weakness to create a decryptor and servers were seized.

The gang returned again in November 2021, this time under the name BlackCat/ALPHV. Since then, the ransomware gang has constantly evolved its extortion tactics and has taken the unusual approach of partnering with English-speaking affiliates.

Due to this law enforcement operation, we will likely see the ransomware gang rebrand again under a different name.
Daily Brief Summary
The FBI infiltrated the servers of the ALPHV, also known as BlackCat, ransomware operation to monitor its activities.
During the operation, the FBI collected decryption keys and provided them to over 500 victims to prevent ransom payments.
An official decryption tool has been created by the FBI to assist other impacted parties in file recovery without cost.
The compromise of ALPHV's infrastructure by law enforcement has reduced trust among the operation's affiliates.
Following the disruption, some affiliates resorted to direct email communication with victims, avoiding the gang's infrastructure.
Rival ransomware operation LockBit has attempted to recruit affected affiliates of ALPHV.
Over the years, this ransomware operation has been breached multiple times by law enforcement under various names such as DarkSide and BlackMatter.
The repeated disruption by law enforcement may prompt the ransomware gang to rebrand once again under a new identity.