Pierluigi Paganini December 19, 2023

The Federal Bureau of Investigation (FBI) announced the seizure of the Tor leak site of the AlphV/Blackcat ransomware group.

The FBI seized the Tor leak site of the AlphV/Blackcat ransomware group and replaced the home page with the announcement of the seizure.

BlackCat/ALPHV ransomware gang has been active since November 2021, the list of its victims is long and includes industrial explosives manufacturer SOLAR INDUSTRIES INDIA, the US defense contractor NJVC, gas pipeline Creos Luxembourg S.A., the fashion giant Moncler, the Swissport, NCR, and Western Digital.

The ransom demands of the group range from a few tens of thousands of dollars up to tens of millions of dollars.

On December 7th, BleepingComputer and other prominent experts reported that the ALPHV gang’s websites went offline.

On December 10th, the primary domain of the group went offline and administrators claimed the problem was caused by a hardware failure. At the same time, rumors circulated that the site was taken offline as a result of law enforcement’s operation. The group always denied this circumstance, but today the domain displayed the following message to the visitors.

The seizure is the result of a joint operation conducted by international law enforcement agencies from the US, Denmark, Germany, UK, Netherlands, Germany, Australia, Spain, Austria and Europol.

“This action has been taken in coordination with the United States Attorney’s Office for the Southern District of Florida and the Computer Crime and Intellectual Property Section of the Department of Justice with substantial assistance from Europol and Zentrale Kriminalinspektion Guttingen.” reads the message published by law enforcement on the seized websites.

“The Justice Department announced today a disruption campaign against the Blackcat ransomware group — also known as ALPHV or Noberus — that has targeted the computer networks of more than 1,000 victims and caused harm around the world since its inception, including networks that support U.S. critical infrastructure.” reads the press release published by DoJ.

The ALPHV/Blackcat group was the second most prolific ransomware-as-a-service operation, it amassed hundreds of millions of dollars in ransom payments.  

The FBI developed a decryption tool that could allow over 500 victims to recover their systems for free.

The Department of Justice estimates potential savings of around $68 million in ransom payments through the utilization of this tool. As outlined in a recently unsealed search warrant in the Southern District of Florida, the FBI has taken control of various websites operated by the group.

The FBI gained visibility into the network of the ransomware gang and collected hundreds of public/private key pairs for Tor sites hosting the victim sites.

“During this investigation, law enforcement gained visibility into the Blackcat Ransomware Group’s network,” reads an unsealed search warrant. “As a result, the FBI identified and collected 946 public/private key pairs for Tor sites that the Blackcat Ransomware Group used to host victim communication sites, leak sites, and affiliate panels like the ones described above. The FBI has saved these public/private key pairs to the Flash Drive.”

However, a sudden and unexpected event surprised the expert community.

Someone, likely the ransomware gang, gained access to the seized data leak site and apparently “unseized” it and claimed that the FBI gained access to a data center they were using to host servers.

“As you all know, the FBI received the keys to our blog, now we will tell you how it all happened.

Firstly, how it all happened, having studied their documents, we understand that they gained access to one of the DCs, since all the other DCs were untouched, it turns out that they somehow hacked one of our hosters, maybe he even helped them.

The maximum that they have is the keys for the last month and a half, that’s about 400 companies, but now because of them, more than 3,000 companies will never receive their keys.

Because of their actions, we are introducing new rules, or rather, we are removing ALL rules except one, you cannot touch the CIS, you can now block hospitals, nuclear power plants, anything, anywhere.

The rate is now 90% for all advertisers.

We do not give any discounts to companies, payment is strictly the amount that we indicated.

VIP advertisers receive their own private affiliate program, which we raise only for them, on a separate DC, completely isolated from each other.

Thank you for your experience, we will take into account our mistakes and work even harder, we are waiting for your whining in chats and requests for discounts that no longer exist.” reads the message published on the unsized data leak site.

The group asserts that the police acquired the keys for the last month and a half, indicating access to keys for 400 companies. However, the group said that over 3,000 companies will never regain access to their keys.

In a departure from previous operations, the group declares that it will permit affiliates to target any critical infrastructure

If you want to know more about law enforcement action (LEA) against ransomware operations take a look at the post published by Redsense co-founder Yelisey Bohuslavskiy.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, AlphV/Blackcat ransomware group)