An international group of law enforcement agencies has seized the dark web leak site of the notorious ransomware gang known as ALPHV, or BlackCat.
“The Federal Bureau of Investigation seized this site as part of a coordinated law enforcement action taken against ALPHV Blackcat Ransomware,” a message on the gang’s dark web leak site, seen by TechCrunch, now reads.
According to the splash page, the takedown operation also involved law enforcement agencies from the United Kingdom, Denmark, Germany, Spain and Australia.
In a later announcement confirming the disruption, the U.S. Department of Justice said that the international takedown effort, led by the FBI, enabled U.S. authorities to gain visibility into the ransomware group’s computer to seize “several websites” that ALPHV operated.
The FBI also released a decryption tool that has already enabled more than 500 ALPHV ransomware victims to restore their systems. (The government’s search warrant puts the number at 400 victims.) The FBI said it worked with dozens of victims in the United States, saving them from paying ransom demands totaling approximately $68 million.
The government’s announcement says ALPHV compromised the networks of more than 1,000 victims globally to earn hundreds of millions of dollars. The gang has targeted U.S. critical infrastructure, including government facilities, emergency services, defense industrial base companies, critical manufacturing, and healthcare and public health facilities — as well as other corporations, schools and government entities, according to the DOJ.
According to the government’s search warrant, the FBI said it engaged with a “confidential human source” close to the ransomware gang, who provided agents with credentials to access ALPHV/BlackCat’s affiliate panel used for managing the gang’s victims.
The Department of State previously said it will reward people with information “about Blackcat, their affiliates, or activities.”
“In disrupting the BlackCat ransomware group, the Justice Department has once again hacked the hackers,” said U.S. deputy attorney general Lisa Monaco in remarks. “With a decryption tool provided by the FBI to hundreds of ransomware victims worldwide, businesses and schools were able to reopen, and healthcare and emergency services were able to come back online. We will continue to prioritize disruptions and place victims at the center of our strategy to dismantle the ecosystem fueling cybercrime.”
Spokespeople for the FBI and the U.K.’s National Crime Agency did not respond to TechCrunch’s requests for comment.
Europol spokesperson Ina Mihaylova confirmed the agency’s involvement in the operation, but declined to comment further.
The ALPHV/BlackCat ransomware gang has been one of the most active and destructive in recent years. Believed to be a successor to the now-defunct sanctioned REvil hacking group, ALPHV claims to have compromised a number of high-profile victims, including news-sharing site Reddit, healthcare company Norton and the U.K.’s Barts Health NHS Trust.
In recent months, the group’s tactics have become increasingly aggressive. In November, ALPHV filed a first-of-its-kind complaint with the U.S. Securities and Exchange Commission (SEC), alleging that digital lending provider MeridianLink failed to disclose what the gang called “a significant breach compromising customer data and operational information,” for which the gang took credit.
Updated with comment from Europol and additional details from the DOJ.