AlphV ransomware site is “seized” by the FBI, then “not seized.” And so on.


The FBI spent much of Tuesday locked in an online tug-of-war with one of the internet’s most aggressive ransomware groups after seizing infrastructure the group has used to generate more than $300 million in illicit payments to date.

Early Tuesday morning, the dark-web site run by AlphV, a ransomware group also known as BlackCat, suddenly began displaying a banner stating that it had been seized by the FBI as part of a coordinated law enforcement action. All of the content AlphV had previously published on the site was gone.

Around the same time, the Justice Department said it had disrupted AlphV’s operations by releasing a decryption tool that would allow about 500 AlphV victims to restore their systems and data. In total, according to Justice Department officials, AlphV had extorted about $300 million from 1,000 victims.

Meanwhile, an affidavit unsealed in federal court in Florida revealed that the disruption came after FBI agents obtained 946 private keys used to host the victim communication sites. The legal document states that the keys were obtained with the help of a confidential human source who had “responded to an advertisement posted on a publicly available online forum soliciting candidates for Blackcat-affiliated positions.”

“By disrupting the BlackCat ransomware group, the Department of Justice has once again targeted the hackers,” said Assistant Attorney General Lisa O. Monaco in Tuesday’s announcement. “Thanks to a decryption tool provided by the FBI to a bunch of ransomware victims around the world, businesses and schools were able to reopen, and health and emergency care facilities were able to come back online. We will continue to prioritize disruptions and put those affected in the middle of our strategy to dismantle the ecosystem that fuels cybercrime.”

Within hours, the FBI’s seizure notice posted on AlphV’s dark-web site disappeared. In its place, a new notice proclaimed: “This website has not been seized.” The new notice, written by AlphV officials, downplayed the FBI’s action. Questioning the effectiveness of the decryption tool for 400 victims, AlphV officials said the disruption would prevent the decryption of data belonging to another 3,000 victims.

“Now because of them, more than 3,000 companies will never receive their keys.”

As the hours passed, the FBI and AlphV jockeyed for control of the dark-web site, each replacing the other’s notice.

One researcher described the ongoing fight as a “fight against Tor,” referring to Tor, the network of servers that allows people to browse and host websites anonymously. Like most ransomware groups, AlphV hosts its sites on Tor. Not only does this arrangement prevent law enforcement investigators from identifying the group’s members, it also prevents them from obtaining court orders requiring the hosting provider to take the site down.

The only way to take control of a Tor site is to obtain the private key that controls it. Once the FBI obtained that key, investigators were able to carry out Tuesday’s seizure. But because AlphV still held the key as well, group members were also able to publish their own content. And since Tor makes it extremely hard to replace the private key that corresponds to an address, neither party was able to lock the other out.
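The deadlock follows directly from how a Tor version 3 onion address is built: the 56-character hostname is a base32 encoding of the service’s 32-byte ed25519 public key, followed by a two-byte SHA3-256 checksum and a version byte. Whoever holds the matching private key can publish under that name, and the name cannot be rebound to a different key, because a new key yields a new address. The Python script below is added here as an illustration and is not part of the original article; it reproduces the address derivation from the Tor rendezvous specification. The two 32-byte keys are constructed sample values, not real ed25519 keys, since the derivation depends only on the raw public-key bytes.

```python
import base64
import hashlib

# Tor rendezvous spec v3:
#   onion_address = base32(PUBKEY || CHECKSUM || VERSION) + ".onion"
#   CHECKSUM      = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
#   VERSION       = 0x03
ONION_VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"

# Constructed sample "public keys" (32 arbitrary bytes each, NOT real ed25519 keys).
# The address derivation only depends on the 32-byte public-key value.
SAMPLE_KEY_A = bytes(range(32))
SAMPLE_KEY_B = bytes(range(1, 33))


def onion_checksum(pubkey: bytes) -> bytes:
    """Two-byte truncated SHA3-256 checksum that guards the encoded key."""
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_VERSION).digest()[:2]


def onion_address(pubkey: bytes) -> str:
    """Derive the v3 .onion hostname from a 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("v3 onion services use 32-byte ed25519 public keys")
    raw = pubkey + onion_checksum(pubkey) + ONION_VERSION  # 35 bytes -> 56 base32 chars
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_onion_address(address: str) -> bytes:
    """Recover and verify the public key embedded in a v3 .onion address.

    Raises ValueError if the address is malformed, carries the wrong version,
    or its checksum does not match the embedded key.
    """
    host = address[:-6] if address.endswith(".onion") else address
    if len(host) != 56:
        raise ValueError("v3 onion hostnames are exactly 56 base32 characters")
    raw = base64.b32decode(host.upper())  # binascii.Error is a ValueError subclass
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_VERSION:
        raise ValueError("unsupported onion address version")
    if checksum != onion_checksum(pubkey):
        raise ValueError("checksum mismatch")
    return pubkey


def is_valid_onion_address(address: str) -> bool:
    """True if the address decodes to a key whose checksum and version check out."""
    try:
        parse_onion_address(address)
        return True
    except ValueError:
        return False


def corrupt_checksum(address: str) -> str:
    """Flip one bit in the checksum field, to show that tampering is detected."""
    raw = bytearray(base64.b32decode(address[:-6].upper()))
    raw[32] ^= 0x01  # first checksum byte
    return base64.b32encode(bytes(raw)).decode("ascii").lower() + ".onion"


if __name__ == "__main__":
    addr = onion_address(SAMPLE_KEY_A)
    print("address derived from key A:", addr)
    # Any party holding key A publishes under exactly this name.
    print("same key -> same name:", onion_address(SAMPLE_KEY_A) == addr)
    # A freshly generated key gets a different name; the old name stays bound to key A.
    print("new key  -> new name: ", onion_address(SAMPLE_KEY_B) != addr)
    print("tampered address rejected:", not is_valid_onion_address(corrupt_checksum(addr)))
```

Running the script shows why both the FBI and AlphV could post to the same address once both held the key, and why neither could evict the other: the name is a function of the key, so the only way to “move” the site is to generate a new key and tell visitors a new address. Every valid v3 address also ends in the letter “d”, since the final base32 character encodes the low bits of the version byte 0x03.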

With the two sides effectively deadlocked, AlphV resorted to removing some of the restrictions it had previously placed on affiliates. Under the common ransomware-as-a-service model, affiliates are the ones who actually break into victims’ networks. When successful, the affiliates use the AlphV ransomware and infrastructure to encrypt data and then negotiate and facilitate a payment in bitcoin or another cryptocurrency.

Until now, AlphV had imposed rules on affiliates forbidding them from targeting hospitals and critical infrastructure. Those rules no longer apply unless the victim is located in the Commonwealth of Independent States, a group of countries that were once part of the Soviet Union.

“Because of their actions, we are introducing new rules, or rather, we are removing ALL rules except one, you cannot touch the CIS, you can now block hospitals, nuclear power plants, anything, anywhere,” the AlphV notice said. The notice said that AlphV was also allowing affiliates to retain 90 percent of any ransom payments they get, and that “VIP” affiliates would receive a private program on separate isolated data centers. The move is likely an attempt to stanch possible defections by affiliates spooked by the FBI’s access to the AlphV infrastructure.

The back and forth has prompted some to say that the disruption failed, since AlphV retains control of its site and continues to possess the data it stole from victims. In a discussion on social media with one such critic, ransomware expert Allan Liska pushed back.

“The server and all of its knowledge are still owned by the FBI, and ALPHV is retrieving all of that,” wrote Liska, a risk researcher at security firm Recorded Future.

“But hey, you’re right and I’m 100 percent wrong. I inspire you and all ransomware teams to sign up now with an ALPHV partner, it’s definitely safe. Do it, chicken!”
