U.S. law enforcement agencies said they shut down the online operations of the notorious Russia-linked BlackCat ransomware-as-a-service (RaaS) group and developed a decryption tool that will help more than 500 victims regain access to their encrypted data files.

However, the threat group – also known as ALPHV – responded soon after with what its operators called an “unseizing” of its leak site and promises to ramp up its activity, including offering affiliates that continue to use its ransomware a 90% commission and opening up hospitals and nuclear power plants to attacks.

The operation by the FBI and Justice Department (DOJ) against BlackCat is the latest in a series of initiatives by the U.S. government designed to stem the growing tide of ransomware and other attacks by shutting down the threat groups’ operations. In January, the DOJ announced it had penetrated the servers of the Hive ransomware group and offered decryption keys to victims.

The DOJ and FBI said in August that it took down the infrastructure of the QakBot phishing group. However, despite the operation, QakBot’s tactics are still being used by such groups as DarkGate and PikaBot.

All this comes as ransomware groups continue to roll up targets. According to Statista, almost 73% of companies worldwide have been victims of ransomware attacks this year, a steady increase from 62.4% in 2020.

More Than 1,000 Victims

According to the DOJ, the BlackCat group since late 2021 has racked up more than 1,000 victims – including critical infrastructure entities, schools, financial firms, and healthcare organizations – and over the last 18 months had become the second most prolific RaaS operation in the world, collecting hundreds of millions of dollars in paid ransoms. Given the group’s reach, the DOJ said law enforcement agencies in other countries are running investigations parallel to the one in the United States.

The FBI developed the decryption tool that can be used by some of the victims to restore their systems, saving many of them from paying more than $68 million in ransoms.

“With a decryption tool provided by the FBI to hundreds of ransomware victims worldwide, businesses and schools were able to reopen, and health care and emergency services were able to come back online,” Deputy Attorney General Lisa Monaco said in a statement. “We will continue to prioritize disruptions and place victims at the center of our strategy to dismantle the ecosystem fueling cybercrime.”

Cybersecurity expert Brian Krebs noted that BlackCat was formed by recruiting former members of high-profile competing or disbanded ransomware groups, including REvil, BlackMatter, and DarkSide, which was being the massive attack on software maker SolarWinds in 2020.

A Double-Extortion Threat

BlackCat runs double-extortion attacks, stealing victims’ data before encrypting the files and threatening to leak the stolen data if the ransom isn’t paid, with ransoms being paid in cryptocurrency.

According to a search warrant application by the FBI, the threat group runs a primary leak site and multiple other addresses on the Tor network. In addition, it also operates Tor-based “panels” that allow the ransomware operators and their affiliates to communicate and coordinate attacks.

The FBI said it developed a source who gave agents access to the panels. The source had answered an ad for BlackCat affiliates and interviewed with a member of BlackCat, who subsequently gave them credentials for the panels. Using the credentials, FBI agents were able to get a clearer picture of BlackCat’s operations.

During the investigation, the FBI collected 946 public-private key pairs, saving them to a flash drive.

BlackCat: More Attacks on the Way

Despite the investigation and the DOJ’s seizure of its online operation, the BlackCat members are fighting back. As noted by Krebs, people on Tuesday who went to BlackCat’s leak site were greeted by a notice that the website had been seized, complete with the emblems of the FBI and DOJ topped by Santa hats.

Krebs wrote the cybercrime gang was able to “briefly regain control” over their darknet server, enough time to post a statement that includes the threats of more attacks and the promise of a greater financial return for affiliates that stuck with it.

The group said the DOJ was able to gain control of one of its data centers, but added that there are more still operating. BlackCat added that law enforcement was able to get the decryption keys for the most recent attacks, which added up to about 400 victims. However, that left about 3,000 others companies that “will never receive their keys.”

While opening up hospitals and nuclear power plants for attacks by affiliates, the group stipulated that the ban on attacks on CIS members was still in place. CIS is a regional organization that came into being after the dissolution of the Soviet Union in 1991 and includes such countries as Russia, Belarus, and Armenia. Ukraine was an initial member but later pulled out.

Early Signs

The DOJ’s announcement this week came after reports surfaced earlier this month that BlackCat’s dark web site went dark, setting off speculation that law enforcement agencies had shut it down. It came back online a few days later, with the threat group claiming the blackout was due to a hardware failure, though the vx-underground cybersecurity group at the time said on X (nee Twitter) that the claim was doubtful.

Vx-underground also showed that law enforcement actions like the one against BlackCat get the attention of other ransomware operators. In a back-and-forth on X with vx-underground, the operators behind the LockBit RaaS operation wrote that the situation with BlackCat “is unfortunate for my competitors, and the FBI certainly poses a threat to me.”