FBI warrant reveals ‘confidential source’ helped AlphV/Blackcat ransomware takedown

An FBI search warrant unsealed Tuesday in the Southern District of Florida revealed that the FBI had help from a “confidential human source” in penetrating the AlphV/Blackcat ransomware gang’s network.

Targeted darknet websites used by the cybercriminals were replaced by a splashpage on Tuesday, announcing they had been seized as part of a coordinated international law enforcement action.

In an announcement following the upload of the splashpage, the U.S. Department of Justice revealed that the FBI had developed a decryption tool for the ransomware that has been offered to more than 500 victims globally to allow them to restore their encrypted systems.

The tool has saved “multiple victims from ransom demands totaling approximately $68 million,” according to the DoJ, which described AlphV/Blackcat as “the second most prolific ransomware-as-a-service variant in the world based on the hundreds of millions of dollars in ransoms paid by victims around the world.”

Alongside encrypting victim’s computer networks, the criminals also exfiltrate data from the target networks and subsequently publish it online in a secondary extortion bid. In an unusual incident in November, the gang even reported one of its victims to a regulator to increase the pressure on the victim.

Alongside the DoJ announcement, Lisa Monaco, the Deputy Attorney General, said: “In disrupting the Blackcat ransomware group, the Justice Department has once again hacked the hackers,” referencing the agency’s takedown of the Hive ransomware gang.

“With a decryption tool provided by the FBI to hundreds of ransomware victims worldwide, businesses and schools were able to reopen, and health care and emergency services were able to come back online. We will continue to prioritize disruptions and place victims at the center of our strategy to dismantle the ecosystem fueling cybercrime,” Monaco added.

Confidential sourcing

The unsealed warrant does not detail the full extent of the FBI investigation into the ransomware gang, but reveals that as part of it the agency brought in a confidential human source “who routinely provides reliable information related to ongoing cybercrime investigations.”

The source was able to help by responding to a public advertisement the ransomware gang had posted for potential affiliates, and — after being interviewed by the criminals to determine their “technical proficiency with network intrusion” — was given access credentials for the Blackcat’s affiliate system using a unique .onion address.

Law enforcement was subsequently able to access the affiliate panel itself, pursuant to a separate federal search warrant, where they investigated how the system operated.

“Affiliates use the panel to manage each ransomware attack on a victim throughout the attack lifecycle, from ransomware deployment through payment and decryption of victim data,” the warrant explained.

The search warrant does not make clear how, but says “law enforcement gained visibility into the Blackcat Ransomware Group’s network.”

As a result, the FBI was also able to identify and collect 946 public/private key pairs that the ransomware group used to operate its various Tor sites, including affiliate panels, leak sites, and sites for victim communications.

The search warrant, which was certified last week on December 11, allowed the FBI to use these key pairs to seize the “Blackcat-linked victim communications sites, leak sites, and panel sites” hosted on the Tor network.

“These actions are not the culmination of our efforts, they are just the beginning,” said Acting Assistant Attorney General Nicole Argentieri of the DoJ’s criminal division.

“Criminal actors should be aware that the announcement today is just one part of this ongoing effort. Going forward, we will continue our investigation and pursue those behind Blackcat until they are brought to justice.”

AlphV/Blackcat “has targeted the computer networks of more than 1,000 victims and caused harm around the world since its inception, including networks that support U.S. critical infrastructure,” the DoJ announced.

It has caused disruption to critical infrastructure in the U.S., “including government facilities, emergency services, defense industrial base companies, critical manufacturing, and healthcare and public health facilities – as well as other corporations, government entities, and schools,” said the DoJ.

The department estimated the gang had caused hundreds of millions in losses globally when accounting for “ransom payments, destruction and theft of proprietary data, and costs associated with incident response.”