Article Details

Original Article Text

How the FBI seized BlackCat (ALPHV) ransomware's servers

An unsealed FBI search warrant revealed how law enforcement hijacked the ALPHV/BlackCat ransomware operation's websites and seized the associated URLs.

Today, the US Department of Justice confirmed that they seized websites for the ALPHV ransomware operation and created a decryptor to help approximately 500 companies recover their data for free. However, the details surrounding the disruption are hazy, with only an unsealed search warrant providing extra information.

What we know

According to a search warrant unsealed today, the FBI engaged a confidential human source (CHS) to sign up and become an affiliate of the ALPHV/BlackCat ransomware operation. After being interviewed by the ransomware operators, the CHS was provided login credentials to the backend affiliate panel. This panel is not public and is only meant to be used by the ransomware gang's operators and affiliates, allowing them to manage extortion campaigns and negotiate ransoms with a victim company. Under a separate federal search warrant, the FBI accessed the ALPHV panel to determine how it operated.

"If the affiliate is actively engaging with a victim infected with Blackcat ransomware, they can select the entity using the Dashboard or select the 'Campaigns' button in the menu bar," reads the search warrant. "From the Campaigns screen, affiliates can see the victim entity, full ransom price demanded, discount ransom price, expiration date, cryptocurrency addresses, cryptocurrency transactions, type of computer system compromised, ransom demand note, chats with the victim, and more." "These features allow affiliates to engage the victim throughout the entire negotiation process."

Using this access, the FBI obtained the private decryption keys used in attacks and created a decryptor that has helped over 400 victims recover their files for free. However, it is still unclear how they obtained those private decryption keys, as they would have been unavailable to an affiliate. One theory is that the FBI used its affiliate access to find vulnerabilities that could be exploited to dump the database or gain further access to the server, but this is unconfirmed.

The FBI also states that they obtained 946 private and public key pairs associated with the ransomware operation's Tor negotiation sites, data leak sites, and management panel, and saved them to a USB flash drive that is now stored in Florida.

"During this investigation, law enforcement gained visibility into the Blackcat Ransomware Group's network," explains the search warrant. "As a result, the FBI identified and collected 946 public/private key pairs for Tor sites that the Blackcat Ransomware Group used to host victim communication sites, leak sites, and affiliate panels like the ones described above." "The FBI has saved these public/private key pairs to the Flash Drive."

When a website is created on the Tor anonymization network, the operator generates a unique private and public key pair associated with the .onion URL, which is then registered with the Tor network. For example, the now-seized onion URL http://alphvmmm27o3abo3r2mlmjrpdmzle3rykajqc5xsj7j7ejksbpsa36ad.onion/ was previously associated with the BlackCat data leak site. However, anyone possessing these private and public key pairs effectively controls the URL, allowing them to hijack the site so that it points to their own servers.

While the FBI has not shared how they gained access to these Tor key pairs, it is likely through the same access they used to retrieve the decryption keys for the victims' encrypted files. The FBI says they confirmed that these Tor keys are associated with the ransomware operation's data leak site, affiliate panel, and the unique Tor negotiation sites given to victims in ransom notes.

While BleepingComputer has only confirmed that the data leak sites and some negotiation sites were hijacked by law enforcement, possessing these Tor keys would allow the FBI to seize the affiliate panel as well.

This is the third known law enforcement operation in which the FBI successfully breached a ransomware operation's infrastructure to quietly monitor activities and siphon decryption keys. The first was REvil, where the FBI gained access to the master decryption key for the Kaseya supply chain attack, and the second was a breach of the Hive ransomware operation, where the FBI obtained over 1,300 decryption keys.

The FBI and international law enforcement have devised a tactic that works to breach and disrupt ransomware gangs' infrastructure, and we will likely see more actions like this in the future. As for BlackCat/ALPHV, they'll likely shut down over the next few months while they rebrand under a new name, as they have done in the past.
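The article's point that "anyone possessing these private and public key pairs effectively controls the URL" follows from how a v3 onion address is built: the 56-character name is just the service's Ed25519 public key, a 2-byte SHA3-256 checksum and a version byte, base32-encoded. Holding the matching secret key is what lets an operator publish a descriptor for that address, so the address is in effect a public-key fingerprint. The following is an added example, not code from the article or from the Tor project: it encodes a constructed 32-byte public key into an onion address and parses an address back into its public key while checking the checksum and version byte, which is how a Tor client rejects mistyped names. The constructed key below is a placeholder, not a real service key; the seized address used in the demo is the one quoted in the article.

```python
import base64
import hashlib

# Constants from the Tor rendezvous spec for version 3 onion services.
ONION_V3_VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"
PUBKEY_LEN = 32            # Ed25519 public key length in bytes
ONION_NAME_LEN = 56        # base32 of 32 + 2 + 1 = 35 bytes -> 56 characters


def onion_checksum(pubkey: bytes) -> bytes:
    """First two bytes of SHA3-256(".onion checksum" || pubkey || version)."""
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_V3_VERSION).digest()[:2]


def onion_address_from_pubkey(pubkey: bytes) -> str:
    """Derive the v3 .onion hostname for an Ed25519 public key."""
    if len(pubkey) != PUBKEY_LEN:
        raise ValueError("Ed25519 public key must be 32 bytes")
    raw = pubkey + onion_checksum(pubkey) + ONION_V3_VERSION
    # Tor uses lowercase RFC 4648 base32 with no padding (35 bytes pad evenly).
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_onion_address(address: str):
    """Return the embedded public key if the address is a well-formed v3
    onion name with a correct checksum and version byte, otherwise None."""
    name = address.strip().lower()
    if name.endswith(".onion"):
        name = name[: -len(".onion")]
    if len(name) != ONION_NAME_LEN:
        return None
    try:
        raw = base64.b32decode(name.upper())
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:35]
    if version != ONION_V3_VERSION:
        return None
    if checksum != onion_checksum(pubkey):
        return None
    return pubkey


if __name__ == "__main__":
    # Constructed placeholder key: NOT a real service key.
    fake_pubkey = bytes(range(PUBKEY_LEN))
    addr = onion_address_from_pubkey(fake_pubkey)
    print("derived address:", addr)
    print("round trip ok:", parse_onion_address(addr) == fake_pubkey)

    # The seized leak-site address quoted in the article: recover the public
    # key whose secret half the warrant says the FBI now holds.
    seized = "alphvmmm27o3abo3r2mlmjrpdmzle3rykajqc5xsj7j7ejksbpsa36ad.onion"
    key = parse_onion_address(seized)
    print("seized address valid:", key is not None)
    if key is not None:
        print("embedded Ed25519 public key:", key.hex())
```

For a defender, the useful consequence is that an onion address cannot be "re-pointed" without the secret key, and conversely that whoever holds the key files of a hidden service (the secret key in its service directory) can serve anything under that name; seizing those files is exactly what the warrant describes, and it is also why a service operator's key material deserves the same protection as a TLS private key.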

Daily Brief Summary

CYBERCRIME // FBI Disrupts BlackCat Ransomware Operation and Aids Victims

The FBI successfully seized the servers of the BlackCat (ALPHV) ransomware gang, assisted by a confidential human source.

Backed by a federal search warrant, the FBI infiltrated the ransomware backend, obtaining crucial information on their operations.

The agency accessed decryption keys and created a tool that has helped more than 400 victims recover their data free of charge.

Details on exactly how the decryption keys were obtained are not provided, leading to speculation about possible FBI exploitation of system vulnerabilities.

The FBI collected 946 key pairs relating to the gang's Tor-based communication, leak sites, and management panels, giving them control over these URLs.

This is the third successful operation against ransomware groups by the FBI, hinting at an effective tactic now in use against cybercriminal infrastructure.

The ALPHV/BlackCat ransomware group is expected to shut down and rebrand following this significant law enforcement disruption.