On Tuesday, the US government announced the end of the notorious BlackCat ransomware-as-a-service operation and released a decryption tool to help organizations recover stolen data.
The Justice Department said the operation against BlackCat, also called ALPHV or Noberus, included the takedown of websites and a new FBI decryption tool that helps hundreds of organizations recover data.
The FBI’s decryptor has been used by dozens of victims in the United States and abroad, sparing them ransom demands totaling approximately $68 million, the agency said.
“Thanks to the decryption tools that the FBI has provided to hundreds of ransomware victims around the world, businesses and schools have been able to reopen, and medical and emergency services have been able to reopen. We will continue to prioritize disruption, putting victims at the center of our strategy to disrupt the ecosystem, which fuels cybercrime,” the agency said.
According to a search warrant unsealed today in the Southern District of Florida, law enforcement officials infiltrated the group over several months, used confidential informants to peer into the inner workings of the operation, and seized several websites the group operated.
The agency said that over the past 18 months BlackCat/ALPHV has become the second most common ransomware-as-a-service variant in the world, based on the hundreds of millions of dollars in ransoms paid by victims worldwide.
The Justice Department said the BlackCat gang hacked computer networks in the United States and around the world, including critical U.S. infrastructure.
Victims include government agencies, emergency services, defense industrial bases, critical manufacturing facilities, and healthcare facilities, as well as other corporations and schools.
The government has documented how BlackCat actors used affiliates to steal sensitive data and then demand a ransom in exchange for decrypting the victim’s system and not releasing the stolen data.
“BlackCat actors attempt to target the most sensitive data on a victim’s system to increase payment pressure,” the Justice Department said, noting that the gang uses dark web leak sites to publicize its attacks.