Experts warn of ransomware retaliation following FBI disruption to BlackCat operations

Critical national infrastructure is now in the ransomware crosshairs as BlackCat retaliates against a major FBI and Europol operation, one that saw control of the group’s “dark web” site seized.

The Russian-speaking BlackCat (aka ALPHV) criminal enterprise was behind ransomware attacks against corporate giants, including MGM Resorts International and Western Digital. And this week, international law enforcement hit back.

With ALPHV/BlackCat thought to be responsible for around 9% of global ransomware attacks across the year, the impact of the FBI-led disruption operation should not be underestimated.

How the FBI attacked BlackCat

Likely via infiltration of the ransomware group, the FBI and associates gained access to 946 private keys for dark web Tor sites. BlackCat used these sites as “control panels” for affiliate ransomware partners, communication with victims and its now infamous data leak site.

With both BlackCat and the Feds having access to the keys, either party could, and did for 48 hours, take control of those sites.

ALPHV operators have already created an alternative domain, but now need to rebuild confidence with their affiliates, the people responsible for the donkey work of carrying out ransomware attacks.

The first step is to offer a flat 90% of collected ransoms as reward. But, crucially from everyone else’s point of view, the ransomware group has also removed restrictions on target acquisition. This could mean critical national infrastructure, including hospitals and energy supply lines, become targets in the coming weeks.

Body blow to BlackCat but no ransomware knockout

Michael McPherson, former FBI Special Agent and current Senior Vice President of Technical Operations at ReliaQuest, said that this operation will “serve as a body blow to the ransomware ecosystem, but it is by no means a knockout punch”.

There will, no doubt, be a ripple of upheaval that spreads beyond ALPHV to other criminal groups. LockBit, for example, has already started advertising within underground forums in an attempt to lure affiliates from the BlackCat organisation.

Although there have been no arrests to date, McPherson predicts this will “spell the end of ALPHV as a criminal outfit”.

It’s not unusual, following such law enforcement action, for groups to disband with some members joining existing rivals and others starting afresh. “Such disruption is great to see, and we all hope this imposition of cost upon current and budding ransomware operators will continue,” says Tim West, Head of Cyber Threat Intelligence at WithSecure.

However, Dr Ilia Kolochenko, CEO at ImmuniWeb and an Adjunct Professor of Cybersecurity and Cyber Law at Capital Technology University, warns that “while somewhat utopic, unless nation-states manage to hammer out a truly global convention against cybercrime that would be ratified by all UN member states, the battle against organised cybercrime will be like fighting an immortal hydra”.

Davey Winder

With four decades of experience, Davey is one of the UK's most respected cybersecurity writers and a contributing editor to PC Pro magazine. He is also a senior contributor at Forbes. You can find him at TechFinitive covering all things cybersecurity.