US Justice Department cracks down on ALPHV/Blackcat ransomware group targeting critical infrastructure

The U.S. Justice Department announced on Tuesday a disruption campaign against the Blackcat ransomware group, also known as ALPHV or Noberus. The group has compromised more than 1,000 computer networks, with significant global repercussions. Particularly concerning is its deliberate targeting of networks that support critical infrastructure within the U.S.

Over the past 18 months, ALPHV/Blackcat has emerged as the second most prolific ransomware-as-a-service (RaaS) variant in the world based on the hundreds of millions of dollars in ransom paid by victims around the world. Due to the global scale of these crimes, multiple foreign law enforcement agencies are conducting parallel investigations. 

The Justice Department also recognizes the critical cooperation of Germany’s Bundeskriminalamt and Zentrale Kriminalinspektion Göttingen, Denmark’s Special Crime Unit, and Europol. Significant assistance was provided by the U.S. Secret Service and the U.S. Attorney’s Office for the Eastern District of Virginia. The Justice Department’s Office of International Affairs and the Cyber Operations International Liaison also assisted. 

Additionally, various foreign law enforcement authorities provided substantial assistance and support, including the Australian Federal Police, the U.K.’s National Crime Agency and Eastern Region Special Operations Unit, Spain’s Policia Nacional, Switzerland’s Kantonspolizei Thurgau, and Austria’s Directorate State Protection and Intelligence Service.

The U.S. Federal Bureau of Investigation (FBI) developed a decryption tool that allowed its field offices across the country and law enforcement partners around the world to offer over 500 affected victims the capability to restore their systems. To date, the FBI has worked with dozens of victims in the U.S. and internationally to implement this solution, saving multiple victims from ransom demands totaling approximately $68 million.  

The FBI Miami Field Office is leading the investigation. Trial Attorneys Christen Gallagher and Jorge Gonzalez of the Criminal Division’s Computer Crime and Intellectual Property Section and Assistant U.S. Attorneys Kiran Bhat and Brooke Watson for the Southern District of Florida are handling the case.

“In disrupting the BlackCat ransomware group, the Justice Department has once again hacked the hackers,” Lisa O. Monaco, deputy attorney general, said in a media statement. “With a decryption tool provided by the FBI to hundreds of ransomware victims worldwide, businesses and schools were able to reopen, and health care and emergency services were able to come back online. We will continue to prioritize disruptions and place victims at the center of our strategy to dismantle the ecosystem fueling cybercrime.”

“The FBI continues to be unrelenting in bringing cybercriminals to justice and determined in its efforts to defeat and disrupt ransomware campaigns targeting critical infrastructure, the private sector, and beyond,” according to Paul Abbate, FBI deputy director. “Helping victims of crime is the FBI’s highest priority and is reflected here in the provision of tools to assist those victimized in decrypting compromised networks and systems. The FBI will continue to aggressively pursue these criminal actors wherever they attempt to hide and ensure they are brought to justice and held accountable under the law.”

“At the Justice Department, we prioritize victim safety and security,” said Acting Assistant Attorney General Nicole M. Argentieri of the Justice Department’s Criminal Division. “In this case, agents and prosecutors worked tirelessly to restore victim networks, but these actions are not the culmination of our efforts, they are just the beginning. Criminal actors should be aware that the announcement today is just one part of this ongoing effort. Going forward, we will continue our investigation and pursue those behind Blackcat until they are brought to justice.”

“Today’s announcement highlights the Justice Department’s ability to take on even the most sophisticated and prolific cybercriminals,” said Markenzy Lapointe, U.S. Attorney for the Southern District of Florida. “As a result of our office’s tireless efforts, alongside FBI Miami, U.S. Secret Service, and our foreign law enforcement partners, we have provided Blackcat’s victims, in the Southern District of Florida and around the world, the opportunity to get back on their feet and to fortify their digital defenses. We will continue to focus on holding the people behind the Blackcat ransomware group accountable for their crimes.”

As detailed in a search warrant unsealed Tuesday in the Southern District of Florida, the FBI has also gained visibility into the Blackcat ransomware group’s computer network as part of the investigation and has seized several websites that the group operated. These hackers have compromised computer networks in the United States and worldwide. The disruptions caused by the ransomware variant have affected U.S. critical infrastructure – including government facilities, emergency services, defense industrial base companies, critical manufacturing, and healthcare and public health facilities – as well as other corporations, government entities, and schools. 

The Justice Department added that the loss amount globally is in the hundreds of millions and includes ransom payments, destruction and theft of proprietary data, and costs associated with incident response.

Blackcat uses a RaaS model in which developers are responsible for creating and updating ransomware and for maintaining the illicit internet infrastructure. Affiliates are responsible for identifying and attacking high-value victim institutions with ransomware. After a victim pays, developers and affiliates share the ransom.

Blackcat actors employ a multiple extortion model of attack. Before encrypting the victim's systems, the affiliate exfiltrates sensitive data. The affiliate then demands a ransom in exchange for decrypting the victim's systems and not publishing the stolen data. Blackcat actors attempt to target the most sensitive data in a victim's environment to increase the pressure to pay, and they rely on a leak site on the dark web to publicize their attacks. When a victim refuses to pay, these actors commonly retaliate by publishing the stolen data to that leak site, where it becomes publicly available.

IBM Security Intelligence data published in June found that BlackCat (ALPHV) ransomware has continued to wreak havoc across organizations globally this year. Recent attacks by the group's ransomware affiliates have targeted organizations in the healthcare, government, education, manufacturing, and hospitality sectors. Several of these incidents have reportedly resulted in the group publishing sensitive data to its leak site, including financial and medical information stolen from the victim organizations.

Last month, law enforcement and judicial authorities from seven countries, in collaboration with Europol and Eurojust, joined forces to dismantle a separate ransomware operation and apprehend key figures behind attacks that have caused widespread disruption worldwide. The operation is particularly significant as Ukraine faces the challenges posed by Russia's military aggression on its territory. Those hackers gained notoriety for deliberately targeting large corporations and paralyzing their operations, using various ransomware strains including LockerGoga, MegaCortex, HIVE, and Dharma.
