DOJ Disrupts BlackCat Ransomware Variant, Offers Decryption Key to Victims

December 19, 2023 - The US Department of Justice (DOJ) has successfully disrupted the BlackCat ransomware group and offered a decryption tool to more than 500 victims around the world. Also known as ALPHV or Noberus, BlackCat became a notorious ransomware-as-a-service variant over the past 18 months, launching cyberattacks against more than 1,000 victims, including healthcare organizations, and demanding hundreds of millions of dollars in ransoms.

In November 2023, BlackCat claimed responsibility for a large-scale cyberattack against Henry Schein, a major distributor of healthcare products. Earlier in the year, the group claimed an attack against Lehigh Valley Health Network that involved a computer system containing patient images for radiation oncology treatment and other sensitive information.

Considering the global nature of BlackCat’s activities and its willingness to target critical infrastructure, the group quickly caught the attention of the FBI and international partners. A recently unsealed search warrant from the Southern District of Florida detailed the FBI’s visibility into the group’s activities.

The warrant stated that BlackCat’s actions impacted US critical infrastructure significantly, including government facilities, emergency services, critical manufacturing, defense industrial base companies, and healthcare facilities. Globally, the group caused losses of upwards of hundreds of millions of dollars, as well as the destruction and theft of proprietary data and incident response costs.

BlackCat actors were able to succeed in their attacks due to their multiple extortion model and affiliate program that expanded their reach. What’s more, the group maintained a leak site that it would use to publicize attacks if the victim refused to pay.

The FBI developed a decryption tool that successfully enabled 500 victims to restore their systems. The DOJ encouraged more victims to come forward and report BlackCat incidents to the bureau for assistance.

“In disrupting the BlackCat ransomware group, the Justice Department has once again hacked the hackers,” said Deputy Attorney General Lisa O. Monaco.

“With a decryption tool provided by the FBI to hundreds of ransomware victims worldwide, businesses and schools were able to reopen, and health care and emergency services were able to come back online. We will continue to prioritize disruptions and place victims at the center of our strategy to dismantle the ecosystem fueling cybercrime.”

This is not the first time that the DOJ has disrupted a major ransomware variant – in January 2023, the DOJ disrupted Hive ransomware following a months-long effort to pin down the group that targeted more than 1,500 victims worldwide.

Hive, like BlackCat, was a prolific group that evolved over time and took coordination from multiple law enforcement agencies to disrupt.

To Charles Carmakal, Mandiant Consulting CTO, Google Cloud, the DOJ’s disruption of BlackCat was a “huge win for law enforcement and the community.”

“Some of the ALPHV affiliates are still active, however, including UNC3944 (Scattered Spider). We expect some affiliates will continue their intrusions as normal, but they will likely try to establish relationships with other RaaS programs for encryption, extortion, and victim-shaming support,” Carmakal added.

“This action by law enforcement sends a very strong message to ALPHV affiliates and other threat actors. We anticipate continued law enforcement actions and wins throughout 2024.”