FBI seizes Blackcat ransomware's server and site
The Federal Bureau of Investigation hacked into and seized the Russia-based ALPHV, or Blackcat, ransomware's darknet website and infrastructure, according to a Department of Justice announcement Tuesday.
WHY IT MATTERS
Alongside FBI Miami, the U.S. Secret Service and numerous foreign law enforcement partners supported the Blackcat disruption campaign. As a result, the FBI can provide Blackcat’s victims around the world with a decryption key, Markenzy Lapointe, U.S. Attorney for the Southern District of Florida, said in the DOJ statement.
The DOJ is asking victims of Blackcat ransomware to contact their local FBI field office to determine what assistance may be available.
Blackcat has caused disruptions to government facilities, emergency services, defense industrial base companies, critical manufacturing, healthcare and public health facilities, and others.
Affiliates compromise user credentials and use other methods to gain initial access to victim networks to unleash the gang's malware, and then retaliate against organizations that refuse to pay ransom by publishing stolen data, the DOJ said.
John Riggi, the national advisor for cybersecurity and risk for the American Hospital Association, said in an AHA announcement Wednesday that Blackcat attacked numerous hospitals, exposing protected health information and jeopardizing patient care.
He praised the work of the FBI, DOJ and international partners and said the "aggressive enforcement action combined with a focus on assisting victims is the right strategy."
"This also serves as an example of how essential it is for victims of cyberattacks and the healthcare sector to exchange cyberthreat intelligence with the government to assist their ability to go after the bad guys and diminish their capability to conduct future attacks," he added.
Victim reporting of malicious cyber incidents contributed to the success of this operation, according to Meredith Burkhart, FBI chief of Cyber Policy, in a LinkedIn post. Every time a Blackcat victim reported their incident to a government agency, the FBI was notified, she said.
"Each time a victim reported directly to their local FBI field office or to the FBI Internet Crime Complaint Center, internal policies and processes let FBI Miami quickly take action."
Burkhart also noted in the social media post that the Cyber Incident Reporting for Critical Infrastructure Act, which will take effect in 2024 and 2025, "will drive continued success."
Meanwhile, KrebsOnSecurity reported that Blackcat allegedly responded by claiming it had "unseized" its darknet site. A note that appeared temporarily on the site said Blackcat was still very much able to operate and would now offer affiliates a 90% commission.
In a screenshot of the note, Blackcat said it has "new rules," and that affiliates can block anything they want – "hospitals, nuclear power plants, anything, anywhere" – except in Russia and Commonwealth of Independent States countries, according to the story.
Allegedly, the group also claimed that the FBI only had decryptor keys for the last six weeks. Then, it thanked affiliates and said that it would "take into account our mistakes and work even harder" moving forward.
THE LARGER TREND
In January, U.S. Attorney General Merrick Garland announced the seizure of Hive ransomware websites and servers after a six-month international investigation that included a warrant for a back-end server hosted by a Los Angeles network storage provider.
The FBI also gained access to the Qakbot botnet, commonly used in phishing attacks targeting healthcare organizations, identifying more than 700,000 infected computers worldwide, the agency said in September.
Law enforcement was able to sever thousands of computers from the botnet by taking control of its command-and-control servers and restoring control to the victims.
However, as Cisco Talos said in October on its blog, the law enforcement operation may not have affected the Qakbot operators' spam delivery infrastructure: affiliated actors continued to distribute Ransom Knight malware despite the takedown.
The Cisco researchers explained that they tracked the ongoing activity by connecting the metadata in the files used in the new campaign to the machines used in previous Qakbot campaigns.
"We assess the malware will likely continue to pose a significant threat moving forward," they said.
ON THE RECORD
"These actions are not the culmination of our efforts, they are just the beginning," acting Assistant Attorney General Nicole Argentieri of the DOJ's Criminal Division said in a statement.
"Criminal actors should be aware that the announcement today is just one part of this ongoing effort. Going forward, we will continue our investigation and pursue those behind Blackcat until they are brought to justice."
Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.