Disconnected by the FBI, the Alphv/BlackCat gang fights back


The Alphv/BlackCat ransomware gang shows its teeth. The seizure of its Tor site by the FBI last Tuesday was followed by a skirmish between the cybercriminals and law enforcement. As noted by security researchers at VX Underground, the gang briefly managed to regain control of its domain at least twice.

The cybercriminals took advantage of this to play the escalation game. “We are removing all rules, except one”: the rule concerning attacks on organizations based in the Commonwealth of Independent States (CIS), which brings together part of the former Soviet republics. “You can now block hospitals or nuclear power plants, anything, anywhere,” they threaten.

Second franchise

Alphv/BlackCat was considered by the US Department of Justice to be the second most active ransomware franchise at the time. With a thousand victims, three-quarters of them in the United States, but also a few French victims, including Corsica Ferries, Mazars Group and the electronics company Lacroix Electronics, this gang of cybercriminals is believed to have collected around 300 million dollars in ransoms.

However, the FBI agents in Miami in charge of the investigation in the United States have repeatedly pulled the rug out from under the cybercriminals.

Thanks to the development of a decryption tool, now made available to half of the gang’s victims, they were able to help around ten victims restore their data, avoiding the payment of $68 million in ransoms.

Double extortion

Quite typically, the Alphv/BlackCat cybercriminals practiced double extortion: in addition to encrypting data, they threatened their victims with publishing the stolen files on their website. Their ransomware stood out in particular for its programming language, Rust; the malicious tool targeted both Windows and Linux systems.

The gang had also recently made a brazen complaint to the American financial markets regulator about one of its victims, which had not respected the deadline for disclosing a cyberattack.

The seizure of the cybercriminals’ website mobilized, in addition to the FBI, Germany, Australia, Denmark, Spain and the United Kingdom. According to the American search warrant, this international operation was boosted by a confidential source close to the gang. That source provided the information needed to access the administration panel used by affiliates, the franchisees who use the criminal infrastructure to launch extortion operations.
