The Department of Justice announced today that the FBI successfully breached the ALPHV ransomware operation’s servers to monitor their activities and obtain decryption keys.
On December 7th, BleepingComputer first reported that the ALPHV, aka BlackCat, websites suddenly stopped working, including the ransomware gang’s Tor negotiation and data leak sites.
While the ALPHV admin claimed it was a hosting issue, BleepingComputer learned it was related to a law enforcement operation.
Today, the Department of Justice confirmed our reporting, stating that the FBI conducted a law enforcement operation that allowed them to gain access to ALPHV’s infrastructure.
With this access, the FBI silently monitored the ransomware operation for months while siphoning decryption keys. These decryption keys allowed the FBI to help 500 victims recover their files for free, saving approximately $68 million in ransom demands.
In addition, the FBI has seized the domain for ALPHV’s data leak site, which now displays a banner stating that it was seized in an international law enforcement operation.
The FBI says they seized the website after obtaining the public and private key pairs for the Tor hidden services that the website operated under, allowing them to take control over the URLs.
“During this investigation, law enforcement gained visibility into the Blackcat Ransomware Group’s network,” reads an unsealed search warrant.
“As a result, the FBI identified and collected 946 public/private key pairs for Tor sites that the Blackcat Ransomware Group used to host victim communication sites, leak sites, and affiliate panels like the ones described above.”
“The FBI has saved these public/private key pairs to the Flash Drive.”
The seizure message states the law enforcement operation was conducted by police and investigative agencies from the US, Europol, Denmark, Germany, UK, Netherlands, Australia, Spain, and Austria.
“The Federal Bureau of Investigation seized this site as part of a coordinated law enforcement action taken against ALPHV BlackCat ransomware,” reads the seizure message.
“This action has been taken in coordination with the United States Attorney’s Office for the Southern District of Florida and the Computer Crime and Intellectual Property Section of the Department of Justice with substantial assistance from Europol and Zentrale Kriminalinspektion Guttingen.”
Ever since the disruption to ALPHV’s servers, affiliates have been losing trust in the operation, with BleepingComputer learning that they have been contacting victims directly via email rather than using the gang’s Tor negotiation site.
This was likely due to the threat actors believing that the ALPHV infrastructure had been compromised by law enforcement, putting them at risk if they used it.
The LockBit ransomware operation has also seen this disruption as an early holiday gift, telling affiliates they can move to its operation to continue negotiating with victims.
A third breach by law enforcement
This ransomware operation has operated under multiple names over the years and has been breached by law enforcement each time.
They initially launched as DarkSide in August 2020 and then shut down in May 2021 after facing intense pressure from law enforcement operations caused by the gang’s widely publicized attack on Colonial Pipeline.
The ransomware operation later returned as BlackMatter on July 31st but, once again, shut down in November 2021 after Emsisoft exploited a weakness to create a decryptor and servers were seized.
The gang returned again in November 2021, this time under the name BlackCat/ALPHV. Since then, the ransomware gang has constantly evolved its extortion tactics and taken the unusual approach of partnering with English-speaking affiliates.
Due to this law enforcement operation, we will likely see the ransomware gang rebrand again under a different name.