US Seizes BlackCat Ransomware Site, Offering Decryption Tool

The US Justice Department seized websites belonging to a notorious Russian-speaking ransomware group, upending hackers that have extorted millions of dollars from victims around the world.

The website for the extortion group BlackCat, also known as ALPHV or Noberus, on Tuesday broadcast a message stating that US officials had taken control of the page. As part of the operation, the FBI developed a decryption tool that enabled US and international law enforcement agencies to help more than 500 victims restore their computer systems, according to the Justice Department.

The FBI also obtained a search warrant that’s helped the bureau gain visibility into the gang’s operations, the Justice Department said. US officials didn’t report any arrests as part of the operation.

BlackCat previously claimed responsibility for a string of high-profile hacks targeting companies and organizations in the US and Europe.

“In disrupting the BlackCat ransomware group, the Justice Department has once again hacked the hackers,” Deputy Attorney General Lisa Monaco said in a statement. “With a decryption tool provided by the FBI to hundreds of ransomware victims worldwide, businesses and schools were able to reopen, and health-care and emergency services were able to come back online.”

Earlier this year, the group took credit for disruptive cyberattacks that targeted Las Vegas casinos, including MGM Resorts International and Caesars Entertainment Inc. Another hacking group, Scattered Spider, is also suspected of being part of those attacks.

The group was also behind a breach that affected one of the UK’s largest hospital groups, the Barts Health NHS Trust.

The gang rose to notoriety in 2022 after it carried out a series of disruptive attacks on the energy sector. It targeted a Luxembourg-based gas and energy provider, Creos Luxembourg, and its parent company Encevo SA. The gang also infected computers at Mabanaft GmbH & Co. KG and Oiltanking GmbH Group, disrupting payments at hundreds of filling stations and forcing the firms to declare force majeure on supplies.

“This is a huge win for law enforcement and the community,” said Charles Carmakal, consulting chief technology officer at the consulting arm of Mandiant.

Some of the BlackCat gang’s associates are likely to continue hacking victims, though the BlackCat takedown sends a “strong message” about police activity, he said.

BlackCat’s members communicated in Russian and were known for their “sophistication and innovation,” according to researchers at Unit 42, part of Palo Alto Networks Inc. The gang, active since November 2021, recruited “affiliates” on cybercrime forums who rented out the ransomware to hack companies and organizations, according to the Unit 42 researchers.

The group would break into its victims’ computers and install ransomware, which would encrypt the files and render the computers inoperable. The hackers would then demand payment in cryptocurrency to unlock the computers, while also threatening to publish stolen internal documents if not paid.

Some of those behind BlackCat were linked by cybersecurity researchers to another notorious ransomware gang, known as DarkSide, which was responsible for a hack in 2021 on the Colonial Pipeline Co that led to the shut down of the largest gasoline pipeline in the US for several days.