Justice Department Disrupts Prolific AlphV/Blackcat Ransomware Variant

On December 19, 2023, the FBI announced its investigation into Blackcat group, also known as AlphV or Noberus, and that it gained visibility into AlphV’s computer network due in part to assistance provided by an informant. “Law enforcement engaged a confidential human source who routinely provides reliable information related to ongoing cybercrime investigations,” the FBI said in an unsealed search warrant.

Ongoing Investigations

Although no arrests were announced as part of the AlphV takedown, a collection of international law enforcement agencies are conducting ongoing investigations into the group and its activities.

The FBI also announced its release of a decryptor for the prolific threat group. The decryption tool has allowed FBI field offices across the country and law enforcement partners around the world to offer over hundreds of affected victims the capability to restore their systems.

Aftermath of Blackcat’s Actions

The cybersecurity industry has seen the aftermath of the Blackcat actors’ infiltration and compromise of computer networks in the United States and worldwide. Critical infrastructure – including government facilities, emergency services, defense industrial base companies, critical manufacturing, and health care and public health facilities as well as other corporations, government entities, and schools have been disrupted amounting to losses in the hundreds of millions.

The FBI Miami Field Office is leading the investigation with cooperation from Germany’s Bundeskriminalamt and Zentrale Kriminalinspektion Göttingen, Denmark’s Special Crime Unit, and Europol, the U.S. Secret Service, the U.S. Attorney’s Office for the Eastern District of Virginia, the Justice Department’s Office of International Affairs and the Cyber Operations International Liaison, and the following foreign law enforcement authorities: the Australian Federal Police, the United Kingdom’s National Crime Agency and Eastern Region Special Operations Unit, Spain’s Policia Nacional, Switzerland’s Kantonspolizei Thurgau, and Austria’s Directorate State Protection and Intelligence Service.

Resources for Victims

Victims of Blackcat ransomware are strongly encouraged to contact their local FBI field office using their Field Offices locator for further information and to determine what assistance may be available. “Some of the AlphV affiliates are still active however, including UNC3944 (Scattered Spider). We expect some affiliates will continue their intrusions as normal, but they will likely try to establish relationships with other RaaS programs for encryption, extortion, and victim shaming support,” says Charles Carmakal, Mandiant Consulting CTO, Google Cloud.

Closing

Nonetheless, this is a huge win. “With a decryption tool provided by the FBI to hundreds of ransomware victims worldwide, businesses and schools were able to reopen, and health care and emergency services were able to come back online,” ​​Deputy Attorney General Lisa Monaco said in a statement.

Our Data Privacy & Cybersecurity Team will continue to follow the case and report more breaking news as it becomes available.

Disclaimer

This material is provided for informational purposes only. It is not intended to constitute legal advice nor does it create a client-lawyer relationship between Hall Booth Smith, P.C. and any recipient. Recipients should consult with counsel before taking any actions based on the information contained within this material. This material may be considered attorney advertising in some jurisdictions. Prior results do not guarantee a similar outcome.