FBI: 60 organizations worldwide hit with BlackCat/ALPHV ransomware
Jonathan Greig April 21, 2022

An FBI alert released this week indicates that the law enforcement organization has tracked at least 60 ransomware attacks by the BlackCat (ALPHV) group as of March. 

The white notice also says BlackCat is the first ransomware group to successfully attack this many victims using Rust, a programming language that many consider to be more secure than others.

“BlackCat-affiliated threat actors typically request ransom payments of several million dollars in Bitcoin and Monero but have accepted ransom payments below the initial ransom demand amount,” the FBI said. 

“Many of the developers and money launderers for BlackCat/ALPHV are linked to Darkside/Blackmatter, indicating they have extensive networks and experience with ransomware operations.”

The group typically uses previously compromised user credentials to gain initial access to the victim system before compromising Active Directory user and administrator accounts after establishing access, according to the FBI notice.

The malware “also leverages Windows administrative tools and Microsoft Sysinternals tools during compromise” while stealing victim data. 

In recent weeks, the group has taken credit for ransomware attacks on US schools like Florida International University and North Carolina A&T University. The group emerged late last year and became known for aggressively posting details about its victims publicly.

Emsisoft threat analyst Brett Callow and others previously said the group is a rebrand of the BlackMatter and DarkSide ransomware groups, something the FBI notice also highlights.

The group has so far been implicated in attacks on two German oil companies and the Italian fashion brand Moncler.

A representative of the group spoke to The Record in February, claiming that most of the major ransomware groups are somewhat connected because of how they operate. 

“There is no rebranding or a mix of talents because we have no direct relation to these partnership programs,” the representative said. “Let’s just say: ‘We borrowed their advantages and eliminated their disadvantages.’”

Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.