Cyber Threat Summary:
Yesterday, the U.S Justice Department announced the disruption of the BlackCat ransomware group, which to date has managed to target the computer networks of more than 1,000 victims, including those that support U.S. critical infrastructure (government facilities, emergency services, defense industrial base companies, critical manufacturing, and healthcare and public health facilities). The taken down involved law enforcement enforcement efforts from the U.S., Germany, Denmark, Australia, the U.K., Spain, Switzerland, and Austria. According to the DOJ, the FBI was able to gain access to BlackCat’s computer network and seized several sites that the group operated. Furthermore, the agency has also come out with a new decryption tool designed to aid over 500 victims across the world in regaining access to their files that had been locked by BlackCat’s ransomware strain. In total, this tool has saved multiple victims from ransom demands adding up to 68 million dollars.

Security Officer Comments:
Given BlackCat’s notoriety and prominence, the latest takedown is a big win for law enforcement and shows a continued effort by authorities to take down cybercriminal operations. With the takedown of BlackCat’s infrastructure, it is unclear whether the group will rebrand as a new operation or if its members/affiliates will join other groups. LockBit actors are already seizing this opportunity to recruit BlackCat affiliates, stating that they will help affiliates continue ongoing ransom negotiations by posting victim names to the LockBit data leak site. Although the FBI released a free decryption key to help victims regain access to files, the fact that BlackCat actors conducted double extortion schemes means that there is still the risk of these actors threatening to publish the stolen data online to obtain ransom payments.

Link(s):
https://www.justice.gov/opa/pr/justice-department-disrupts-prolific-alphvblackcat-ransomware-variant