Law enforcement infiltrated and shut down the infrastructure of AlphV, the ransomware group behind a spree of high-profile attacks, the FBI and international law enforcement agencies said Tuesday.
AlphV, also known as Blackcat, targeted more than 1,000 victims during the past 18 months, making it the second-most prolific ransomware as a service group in the world, according to the Justice Department.
The DOJ connected the AlphV ransomware variant to attacks against U.S. critical infrastructure, including government facilities, emergency services, defense industrial base companies, manufacturing, healthcare organizations and schools.
The group directly claimed responsibility for recent attacks against Norton Healthcare, Fidelity National Financial and Tipalti. AlphV’s affiliate Scattered Spider, which used the AlphV ransomware variant, is linked to major attacks against MGM Resorts, Caesars Entertainment and Clorox.
Global losses attributed to AlphV, which uses multiple-extortion attack models, are in the hundreds of millions of dollars, according to the DOJ.
The FBI said it developed a decryption tool that has allowed dozens of victims to restore their systems and avoid ransom demands totaling about $68 million. The decryptor is available to the more than 500 affected victim organizations globally, the agency said.
“With a decryption tool provided by the FBI to hundreds of ransomware victims worldwide, businesses and schools were able to reopen, and health care and emergency services were able to come back online,” Deputy Attorney General Lisa Monaco said in a statement.
The law enforcement action against AlphV involved the seizure of multiple websites operated by the group. Threat researchers posted screenshots of the group’s seized dark web leak site on social media sites Monday, plastered with logos of more than a dozen international law enforcement agencies.
The FBI gained visibility into AlphV’s computer network due in part to assistance provided by an informant. “Law enforcement engaged a confidential human source who routinely provides reliable information related to ongoing cybercrime investigations,” the FBI said in a search warrant unsealed Tuesday in the U.S. District Court for the Southern District of Florida.
“The FBI continues to be unrelenting in bringing cybercriminals to justice and determined in its efforts to defeat and disrupt ransomware campaigns targeting critical infrastructure, the private sector, and beyond,” FBI Deputy Director Paul Abbate said in a statement.
A collection of international law enforcement agencies are conducting ongoing investigations into the group and its activities. No arrests were announced as part of the AlphV infrastructure takedown.
"This is a huge win for law enforcement and the community. AlphV was one of the most active ransomware as a service programs and they worked with both Russian affiliates and English-speaking western affiliates,” said Charles Carmakal, CTO at Mandiant Consulting, Google Cloud.
“Some of the AlphV affiliates are still active however, including UNC3944 (Scattered Spider). We expect some affiliates will continue their intrusions as normal, but they will likely try to establish relationships with other RaaS programs for encryption, extortion, and victim-shaming support.”