BlackCat site “unseized” from FBI’s grip
Ransomware group BlackCat has regained control of its website after the US Department of Justice announced it had seized the site yesterday.
The DoJ revealed that it had partnered with multiple international law enforcement agencies to take down the main site of the cyber gang – also known as ALPHV.
In its place appeared a notice from the Federal Bureau of Investigation that read: “This website has been seized.”
However, ALPHV swiftly resumed operations, and responded with its own notice on the original site which stated: “This website has been unseized.”
The ransomware group posted a blog written in Russian, acknowledging the FBI’s action and threatening retribution.
A translation read: “As you all know, the FBI received the keys to our blog, now we will tell you how it all happened.”
The gang said that the FBI “somehow hacked one of our hosters, maybe he even helped them.”
It then went on to threaten all national infrastructure with the exception of the Center for Internet Security: “Because of their [the FBI’s] actions, we are introducing new rules, or rather, we are removing ALL rules, except one, you cannot touch the CIS – you can now block hospitals, nuclear power plants, anything, anywhere.” It then posted five new victims on its new site.
ALPHV first experienced outages on its site on December 7 which, the DoJ reports, is when it conducted a law enforcement operation that allowed the FBI to gain access to the gang’s infrastructure.
The FBI revealed yesterday that it has developed a decryption tool that allowed field offices across the country and law enforcement partners around the world to offer over 500 affected victims the capability to restore their systems.
With this, the FBI monitored the ransomware operation while siphoning decryption keys, and helping victims recover their files for free – saving approximately $68 million in ransom demands.
Cyber security firm Secureworks, which has been monitoring the events, described it as a “tug of Tor,” as it witnessed the threat group to which ALPHV is attributed, Gold Blazer, and the FBI competing to redirect traffic to either the law enforcement ‘seized’ site or BlackCat’s ‘unseized’ site.
Tor is an anonymity network: browsers and sites that use it hide users’ IP addresses and browsing activity, allowing anonymous browsing.
“The main takeaway is that the FBI is making a decryption tool available to help victims and the whole operation has imposed a significant cost to Gold Blazer both financially and reputationally,” commented Tim Mitchell, senior threat researcher at Secureworks Counter Threat Unit.
On the future, Tim West, head of cyber threat intelligence at security consultancy WithSecure, added: “BlackCat will likely hit corporations as it did in 2023, and from our research, we know that new ransomware groups form when the more established groups feel the squeeze from law enforcement.”
“Therefore, it’s crucial that international law enforcement continues such efforts so that ransomware groups such as ALPHV/BlackCat and their infrastructure can be truly dismantled.”