The FBI spent much of Tuesday in an online tug-of-war with one of the internet’s most aggressive ransomware groups after seizing infrastructure the group has used to collect more than $300 million in illicit payments to date.
Early Tuesday morning, the dark web site belonging to AlphV, a ransomware group also known as BlackCat, suddenly began displaying a banner saying it had been seized by the FBI as part of a coordinated law enforcement action. Gone was all the content AlphV had previously published on the site.
Around the same time, the Justice Department said it had disrupted AlphV’s operations by releasing a decryption tool that would allow roughly 500 AlphV victims to restore their systems and data. In all, Justice Department officials said, AlphV had extorted roughly $300 million from 1,000 victims.
Meanwhile, an unsealed affidavit filed in federal court in Florida revealed that the takedown involved FBI agents obtaining 946 private keys used to host the sites on which victims communicated with the group. The legal document states that the keys were obtained with the help of a confidential human source who had “responded to an advertisement posted on a publicly available online forum soliciting candidates for Blackcat-affiliated positions.”
“By disrupting the BlackCat ransomware group, the Department of Justice has once again targeted the hackers,” Assistant Attorney General Lisa O. Monaco said in Tuesday’s announcement. “Thanks to a decryption tool provided through the FBI to a bunch of ransomware victims around the world, businesses and schools were able to reopen, and health and emergency care facilities were able to come back online. We will continue to prioritize disruptions and put those affected in the middle of our strategy to dismantle the ecosystem that fuels cybercrime.”
Within hours, the FBI’s seizure notice posted on AlphV’s dark web site disappeared. In its place, a new notice proclaimed: “This online page has not been seized.” The new notice, written by AlphV officials, downplayed the FBI’s action. Claiming the decryption tool worked for only 400 victims, AlphV officials said the disruption would prevent the decryption of data belonging to another 3,000 victims.
“Now because of them, more than 3,000 companies will never receive their keys.”
As the hours passed, the FBI and AlphV fought over control of the dark web site, each replacing the other’s notices.
One researcher described the ongoing struggle as a “tug of Tor,” a reference to Tor, the network of servers that allows people to browse and publish websites anonymously. Like most ransomware groups, AlphV hosts its sites over Tor. Not only does this arrangement prevent law enforcement investigators from identifying group members, it also prevents investigators from obtaining court orders compelling a web host to turn over control of the site.
The only way to take over a Tor site is to obtain the private encryption key that the site’s address is derived from. Once the FBI obtained it, investigators were able to carry out Tuesday’s seizure. Since AlphV also retained a copy of the key, group members were able to publish their own content as well. Because Tor makes it impossible to change the private key corresponding to an address, neither side was able to lock the other out.
With the two sides at a stalemate, AlphV decided to remove some of the restrictions it had previously placed on its affiliates. In the usual ransomware-as-a-service model, it is the affiliates who hack the victims. Once they succeed, affiliates use the ransomware and infrastructure provided by AlphV to encrypt data and then negotiate and facilitate payment in bitcoin or another cryptocurrency.
Until now, AlphV imposed rules on its affiliates that prohibited them from attacking hospitals and critical infrastructure. Now those rules no longer apply unless the victim is in the Commonwealth of Independent States, a group of countries that were once part of the Soviet Union.
“Thanks to their actions, we are introducing new regulations, or rather, we are removing ALL regulations, except one, you can’t touch the CIS, now you can block hospitals, nuclear plants, anything, anywhere,” the AlphV notice said. The notice stated that AlphV would also allow affiliates to keep 90% of the ransom payments they received, and that “VIP” affiliates would receive a private program in separate remote data centers. The changes appeared designed to stem the defection of affiliates frightened by the FBI’s access to AlphV’s infrastructure.
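The reason the key cannot simply be rotated is that a v3 onion address is nothing more than an encoding of the service’s ed25519 public key: the hostname is base32(PUBKEY || CHECKSUM || VERSION) + ".onion", with a two-byte SHA3-256 checksum, as specified in Tor’s rend-spec-v3. The following is an added illustration, not code from the article or from any party it describes; the 32-byte public key it uses is a constructed placeholder, not any real service’s key. Beyond deriving the name, it also parses and validates an address, the check a defender wants before copying an onion hostname from a ransom note or threat report into a blocklist, since a transcription error fails the checksum.

```python
import base64
import hashlib
from typing import Optional

# Constants from Tor's v3 onion service specification (rend-spec-v3).
ONION_VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"


def onion_checksum(pubkey: bytes) -> bytes:
    """Two-byte checksum embedded in every v3 address:
    SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]."""
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_VERSION).digest()[:2]


def onion_address_from_pubkey(pubkey: bytes) -> str:
    """Derive the v3 .onion hostname for a 32-byte ed25519 public key.

    The name is a pure function of the public key, so only a holder of the
    matching private key can publish at it, and the key cannot be swapped
    out without the name changing too.
    """
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + onion_checksum(pubkey) + ONION_VERSION  # 35 bytes -> 56 base32 chars
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_onion_address(address: str) -> Optional[bytes]:
    """Validate a v3 onion hostname and return the embedded public key.

    Returns None for anything that is not a well-formed v3 address: wrong
    length, non-base32 characters, wrong version byte, or a checksum that
    does not match the key bytes (a typo or truncated paste).
    """
    host = address.strip().lower()
    if host.endswith(".onion"):
        host = host[: -len(".onion")]
    if len(host) != 56:
        return None
    try:
        raw = base64.b32decode(host.upper())
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_VERSION or checksum != onion_checksum(pubkey):
        return None
    return pubkey


if __name__ == "__main__":
    # Constructed placeholder key; no relation to any real onion service.
    demo_pubkey = bytes(range(32))
    addr = onion_address_from_pubkey(demo_pubkey)
    print("derived address:", addr)
    print("parses back to same key:", parse_onion_address(addr) == demo_pubkey)
    # Corrupt one character inside the checksum field (base32 char index 52
    # covers only checksum bits), so validation must fail.
    corrupted = addr[:52] + ("a" if addr[52] != "a" else "b") + addr[53:]
    print("corrupted address rejected:", parse_onion_address(corrupted) is None)
```

Two parties holding the same private key, as the article describes, both produce content that the network accepts for this one address; there is no second key that maps to the same name, which is why neither side could evict the other.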
The back and forth has prompted some to say that the disruption failed, since AlphV retains control of its site and still possesses the data it stole from victims. In a discussion on social media with one such critic, ransomware expert Allan Liska pushed back.
“The server and all of its data is still in possession of FBI—and ALPHV ain’t getting none of that back,” Liska, a threat researcher at security firm Recorded Future, wrote.
“But hey, you’re right and I’m 100 percent wrong. I inspire you and all ransomware teams to sign up now with an ALPHV partner, it’s definitely safe. Do it, chicken!”