FBI: ALPHV ransomware raked in $300 million from over 1,000 victims



The ALPHV/BlackCat ransomware gang has made over $300 million in ransom payments from more than 1,000 victims worldwide as of September 2023, according to the Federal Bureau of Investigation (FBI).

"ALPHV Blackcat affiliates have extensive networks and experience with ransomware and data extortion operations," the FBI says.

"According to the FBI, as of September 2023, ALPHV Blackcat affiliates have compromised over 1000 entities—nearly 75 percent of which are in the United States and about 250 outside the United States—, demanded over $500 million, and received about $300 million in ransom payments."

In the joint advisory published today in collaboration with CISA, the FBI also shared mitigation measures to help network defenders and critical infrastructure organizations reduce the impact and risks associated with this ransomware group's attacks.

The two agencies also provided ALPHV IOCs (indicators of compromise) and TTPs (tactics, techniques, and procedures) identified by the FBI as recently as December 6.

Network defenders are strongly encouraged to prioritize patching vulnerabilities exploited in the wild and to enforce multifactor authentication (MFA) with strong passwords across all services, especially for webmail, VPN, and accounts linked to critical systems.

Furthermore, they should regularly update and patch software to the latest versions and focus on vulnerability assessments as integral components of standard security protocols.

BlackCat/ALPHV surfaced more than two years ago, in November 2021, and is suspected to be a rebrand of the notorious DarkSide and BlackMatter ransomware operation.

Originally known as DarkSide, this group gained worldwide notoriety following its attack on Colonial Pipeline, leading to extensive investigations by law enforcement agencies.

The FBI previously linked this ransomware gang to over 60 breaches impacting organizations worldwide in the first four months of activity, from November 2021 through March 2022.

FBI disrupts Blackcat, develops decryption tool

On December 7, BleepingComputer first reported that ALPHV dark web sites, including the gang's Tor negotiation and data leak websites, abruptly stopped working.

Today, the Department of Justice confirmed our reporting, saying that the FBI breached the ALPHV ransomware operation's servers, successfully monitoring their activities and obtaining decryption keys.

To access ALPHV's backend affiliate panel, the FBI engaged with a confidential human source (CHS) who was provided with login credentials as an offer after an interview with the ransomware operators.

ALPHV BlackCat seizure banner (BleepingComputer)

The FBI silently monitored ALPHV's operations for months while collecting decryption keys, which allowed them to help over 500 victims worldwide recover their files for free, saving about $68 million in ransom demands. However, it's unclear how the private decryption keys were obtained, since they wouldn't have been available using an affiliate's backend credentials.

One likely theory, though not yet confirmed, is that the FBI exploited vulnerabilities that allowed dumping the database or gaining further access to the ransomware gang's server.

The FBI also seized the domain for the ransomware operation's data leak site, adding a banner explaining that the seizure was the result of an international law enforcement operation. However, hours later, ALPHV "unseized" their data leak site, claiming that the FBI gained access to a data center hosting the gang's servers. ALPHV also claims in the message posted on their leak site that they've breached at least 3,400 victims.

Since both ALPHV and the FBI currently have the data leak site's private keys, they can take control of the domain from each other.

This situation has been seen as an early holiday gift of sorts by other cybercrime groups, with the LockBit ransomware gang, for instance, asking ALPHV affiliates to switch teams to continue negotiations with victims.
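The tug-of-war over the leak site is possible because a Tor v3 onion hostname is not registered anywhere: it is derived directly from the service's ed25519 public key, and whoever holds the matching private key can publish a descriptor for it. The following script, added here as an illustration and not taken from the article or from any Tor project code, derives a v3 address from a public key and validates one back to its key, following the address layout in Tor's rend-spec-v3 (base32 of public key, 2-byte SHA3-256 checksum, and version byte 0x03). The 32-byte key used is a constructed placeholder, not a real service key.

```python
import base64
import hashlib

# Version byte for v3 onion services (per Tor rend-spec-v3).
ONION_VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"


def onion_checksum(pubkey: bytes, version: bytes = ONION_VERSION) -> bytes:
    """Two-byte checksum binding the key and version into the hostname."""
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + version).digest()[:2]


def onion_address(ed25519_pubkey: bytes) -> str:
    """Derive the v3 .onion hostname from a 32-byte ed25519 public key.

    Layout: base32(PUBKEY | CHECKSUM | VERSION) + ".onion"
    35 bytes encode to exactly 56 base32 characters with no padding.
    """
    if len(ed25519_pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = ed25519_pubkey + onion_checksum(ed25519_pubkey) + ONION_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_onion_address(address: str) -> bytes:
    """Validate a v3 .onion hostname and return the embedded public key.

    Raises ValueError on a wrong suffix, label length, version, or checksum,
    which is what a client does before it will even look up the descriptor.
    """
    if not address.endswith(".onion"):
        raise ValueError("not an .onion address")
    label = address[: -len(".onion")]
    if len(label) != 56:
        raise ValueError("v3 onion label must be 56 base32 characters")
    raw = base64.b32decode(label.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_VERSION:
        raise ValueError("unsupported onion version")
    if checksum != onion_checksum(pubkey, version):
        raise ValueError("checksum mismatch")
    return pubkey


# Constructed placeholder key: 32 sequential bytes, NOT a real onion service key.
SAMPLE_PUBKEY = bytes(range(32))


if __name__ == "__main__":
    addr = onion_address(SAMPLE_PUBKEY)
    print("derived address:", addr)
    print("recovered key matches:", parse_onion_address(addr) == SAMPLE_PUBKEY)
```

Because the hostname is a function of the public key alone, there is no registrar or DNS operator that can adjudicate ownership; control follows whoever can sign descriptors with the private key, which is exactly why the seizure banner and the gang's "unseized" page could alternate on the same address.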