
U.S. Law Enforcement Disrupts BlackCat Ransomware Operation, Releases Decryption Tool

The U.S. Justice Department (DoJ) has announced the disruption of the BlackCat ransomware operation and the release of a decryption tool that lets more than 500 victims recover their encrypted files. The U.S. Federal Bureau of Investigation (FBI) carried out the operation together with law enforcement agencies from several other countries.

BlackCat, also tracked as ALPHV, GOLD BLAZER, and Noberus, emerged in December 2021 and went on to become the second most prolific ransomware-as-a-service (RaaS) variant worldwide. It was the first major ransomware strain written in the Rust programming language.

Court documents reveal that the FBI utilized a confidential human source (CHS) to act as an affiliate, gaining access to the gang’s web panel and hacking the hackers. The joint efforts of law enforcement from the U.S., Germany, Denmark, Australia, the U.K., Spain, Switzerland, and Austria contributed to the operation’s success.

Working closely with U.S. victims, the FBI developed and deployed a decryptor that spared them approximately $68 million in ransom demands. The agency also gained visibility into BlackCat's infrastructure, collecting 946 public/private key pairs used to host the Tor sites the group operated.
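Why those 946 key pairs matter is a property of Tor itself: a version 3 .onion hostname is not a name that points at a server, it is the service's ed25519 public key (plus a checksum and a version byte) encoded in base32, and only the holder of the matching private key can publish the descriptor that makes the address reachable. The script below is an added illustration of that binding, not code from the article or from any law enforcement tooling; it derives a v3 address from a public key and parses one back, and the sample key is constructed from a fixed string purely for demonstration (it is not the key of any real service).

```python
import base64
import hashlib

# Constants from the Tor v3 onion service specification (rend-spec-v3).
ONION_VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"


def onion_checksum(pubkey: bytes) -> bytes:
    """First two bytes of SHA3-256(".onion checksum" || pubkey || version)."""
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_VERSION).digest()[:2]


def onion_address(pubkey: bytes) -> str:
    """Derive the v3 .onion hostname from a 32-byte ed25519 public key.

    hostname = base32(pubkey || checksum || version) + ".onion"
    The 35 encoded bytes become exactly 56 base32 characters, and the
    version byte 0x03 makes every v3 address end in the letter 'd'.
    """
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + onion_checksum(pubkey) + ONION_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_onion_address(address: str) -> bytes:
    """Reverse the derivation and return the embedded public key.

    Raises ValueError if the hostname has the wrong length, carries a
    version other than 3, or fails the checksum (i.e. was tampered with).
    """
    host = address.strip().lower()
    if host.endswith(".onion"):
        host = host[: -len(".onion")]
    if len(host) != 56:
        raise ValueError("v3 onion hostnames are exactly 56 base32 characters")
    raw = base64.b32decode(host.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_VERSION:
        raise ValueError("not a version 3 onion address")
    if checksum != onion_checksum(pubkey):
        raise ValueError("checksum mismatch: address is corrupt or altered")
    return pubkey


# Constructed sample key: 32 deterministic bytes for the demo only. A real
# service key would come from the generated ed25519 key pair in its
# hs_ed25519_public_key file; this is NOT the key of any actual site.
SAMPLE_PUBKEY = hashlib.sha256(b"constructed sample key, not a real service").digest()


if __name__ == "__main__":
    addr = onion_address(SAMPLE_PUBKEY)
    print("derived address:", addr)
    print("round trip ok:  ", parse_onion_address(addr) == SAMPLE_PUBKEY)
```

The practical consequence is that the address and the private key are inseparable: seizing the key pair behind a leak site is seizing the site's identity on the Tor network, and a group that loses the keys can only move to new addresses, which is why an operator's "newest" leak site is necessarily a different hostname from the one taken down.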

BlackCat follows the ransomware-as-a-service model, involving core developers and affiliates who rent the payload. The group employs a double extortion scheme, exfiltrating data before encrypting files to pressure victims into paying.

The operation estimates that BlackCat compromised over 1,000 victims worldwide, accumulating nearly $300 million in illegal revenues by September 2023.

The disruption has created an opening for rival operations such as LockBit, which is actively recruiting displaced BlackCat affiliates and offering its own data leak site for their victim negotiations. BlackCat has responded by relocating its servers and blogs, and its newest leak site remains online. Law enforcement has, however, seized the group's main leak site, prompting BlackCat to threaten attacks against critical infrastructure entities.

The impact of the disruption remains uncertain, with potential shifts in the ransomware landscape and the likelihood of affiliates joining other operators. Law enforcement interventions may foster distrust and paranoia among ransomware group members and affiliates.

Note: The story was updated to include additional information about the infrastructure seizure after publication.
