As part of an international disruption effort impacting the infamous BlackCat ransomware group, the FBI has created a decryption tool that has given 500 ransomware victims worldwide the ability to restore their systems. Law enforcement agencies have also gained visibility into the ransomware group’s network and seized several attacker-operated websites, including the dark web site used to leak victims' data.
FBI field offices have worked with dozens of U.S.-based victims to deploy the decryption tool, preventing them from potentially needing to pay ransom demands that total $68 million, the Justice Department said in a Tuesday announcement. The FBI is also encouraging other businesses hit by the BlackCat ransomware to come forward for assistance. These moves deal a blow to the prolific ransomware group, which has targeted more than 1,000 organizations globally and collected hundreds of millions of dollars in ransom payments since its emergence in 2021.
“With a decryption tool provided by the FBI to hundreds of ransomware victims worldwide, businesses and schools were able to reopen, and health care and emergency services were able to come back online,” according to Deputy Attorney General Lisa Monaco in a statement. “We will continue to prioritize disruptions and place victims at the center of our strategy to dismantle the ecosystem fueling cybercrime.”
A search warrant unsealed Tuesday in the Southern District of Florida gave a behind-the-scenes look at how law enforcement gained visibility into the ransomware group’s infrastructure. Law enforcement agencies worked with a confidential contact who provided credentials to the web panels used by the ransomware service’s affiliates and developers to communicate and coordinate attacks. This visibility into the group’s infrastructure also helped the FBI collect over 900 public/private key pairs for Tor sites that the group was using to host its victim communication sites, leak sites, and affiliate panels.
“Each Blackcat victim received a unique public Tor address through which to engage in negotiations,” according to the search warrant. “The FBI has conducted extensive and ongoing outreach to victims… The FBI has also identified public Tor addresses associated with victim communication sites and has confirmed that several of these victim communication sites were among the public/private key pairs collected.”
The FBI has previously provided decryption tools to ransomware victims as part of its efforts to disrupt campaigns. In its January disruption campaign targeting the Hive ransomware group, for instance, it infiltrated the group’s networks, captured decryption keys and offered them to victims worldwide. These decryptors help victims already impacted by attacks, but the long-term impact of this disruption on both the group and future potential victims is yet to be seen. No arrests related to the disruption have been publicly announced so far.
Due to the global scale of BlackCat’s activities, multiple foreign law enforcement agencies were involved in the disruption, including ones from Germany, Denmark, Australia, the UK, Spain, Switzerland and Austria. This type of international collaboration has been critical for crackdown efforts on cybercriminals, and over the past year law enforcement agencies worldwide worked together to disrupt the Qakbot malware and Ragnar Locker ransomware, and to dismantle a global network of computers infected by the decades-old Snake malware.
The BlackCat ransomware-as-a-service has been considered by security professionals to be one of the more sophisticated and destructive groups over the past two years, targeting critical infrastructure sectors in the U.S. such as manufacturing, healthcare and defense industrial base entities, all while constantly updating its capabilities for evading detection and analysis. According to Cisco Talos' 2023 Year in Review report, BlackCat, together with LockBit, Clop and BianLian, accounted for nearly 50 percent of posts made to ransomware data leak sites this year.