FBI seizes Blackcat ransomware's server and site

The Federal Bureau of Investigation has hacked and seized the darknet website and infrastructure of the Russia-based ALPHV, or Blackcat, ransomware, according to a Justice Department announcement Tuesday.

WHY IT MATTERS

In addition to FBI Miami, the U.S. Secret Service and numerous foreign law enforcement partners supported the Blackcat disruption campaign. As a result, the FBI can provide Blackcat victims around the world with a decryption key, Markenzy Lapointe, U.S. Attorney for the Southern District of Florida, said in the DOJ statement.

The DOJ is asking victims of the Blackcat ransomware to contact their local FBI field office to determine what assistance may be available.

Blackcat has caused disruptions to government facilities, emergency responders, defense industrial companies, critical manufacturing, healthcare and public health facilities, and others.

Affiliates compromise user data and use other methods to gain initial access to victim networks to unleash the gang's malware, then retaliate against organizations that refuse to pay ransoms by publishing stolen data, the DOJ said.

John Riggi, the national cybersecurity and risk advisor for the American Hospital Association, said in an AHA announcement Wednesday that Blackcat has attacked numerous hospitals, exposing protected health information and compromising patient care.

He praised the work of the FBI, DOJ and international partners, saying the “aggressive enforcement action, combined with a focus on helping victims, is the right strategy.”

“This also serves as an example of how essential it is for victims of cyber attacks and the healthcare industry to exchange cyber threat information with government to support their ability to go after the bad guys and their ability to carry out future attacks reduce,” he added. .

Sharing malicious cyber incidents contributed to the success of this operation, FBI Cyber ​​Policy Chief Meredith Burkhart said on LinkedIn. Each time a Blackcat victim reported his incident to a government agency, the FBI was notified, she said.

“Each time a victim reported directly to the local FBI field office or to the FBI Internet Crime Complaint Center, internal policies and processes ensured that FBI Miami could take swift action.”

Burkhart also noted this in the social media message that the Cyber ​​Incident Reporting for Critical Infrastructure Act, set to take effect in 2024 and 2025, will “drive continued success.”

In the meantime, KrebsonSafety reported that BlackCat had reportedly responded – saying you had decommissioned its darknet site. A comment that temporarily appeared on the site said that Blackcat was still operating very well and would now offer affiliates a 90% commission.

In a screenshot of the note, Blackcat said it has “new rules” and that affiliates can block anything they want – “hospitals, nuclear power plants, anything, anywhere” – except in Russia and the countries of the Commonwealth of Independent States , according to the story.

The group also reportedly claimed that the FBI only had decryptor keys for the past six weeks. He then thanked the member companies and said it would “take our mistakes into account and work even harder” in the future.

THE BIG TREND

In January, US Attorney General Merrick Garland announced the seizure of Hive ransomware websites and servers following a six-month international investigation that included a warrant for a back-end server hosted by a Los Angeles network storage provider.

The FBI also gained access to Qakbot, which is commonly used in phishing attacks targeting healthcare organizations, identifying more than 700,000 infected computers worldwide, the agency said in September.

Law enforcement officials were able to separate thousands of computers from the botnet by taking control of command-and-control servers and returning control to victims.

However, as Cisco Talos said in October bloggingthe law enforcement operation may not have impacted Qakbot operators' spam delivery infrastructure, as affiliated actors continued to spread Ransom Knight malware – despite the infrastructure removal.

The Cisco researchers explained that they tracked the ongoing activity by linking the metadata in the files used in the new campaign to the machines used in previous Qakbot campaigns.

“We believe that the malware is likely to continue to pose a significant threat in the future,” they said.

ON THE RECORD

“These actions are not the culmination of our efforts, they are just the beginning,” Acting Assistant Attorney General Nicole Argentieri of the DOJ's Criminal Division said in a statement.

“Criminal actors should be aware that today's announcement is only part of this ongoing effort. Going forward, we will continue our investigation and pursue those behind Blackcat until they are brought to justice.”

Andrea Fox is editor-in-chief of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.

Related Post