AFP Helps Out In BlackCat Ransomware Gang Disruption

Written by staff writer.

The Australian Federal Police (AFP) has helped shut down extortion websites controlled by BlackCat, severely disrupting the ransomware group’s operations. The agency said on December 20, 2023, that it had provided significant intelligence and data to the international investigation into the group.

“This ransomware group first came to law enforcement attention in 2021 and has had a significant impact on the Australian community and entities around the world,” said AFP Assistant Commissioner Scott Lee.

BlackCat, also known as ALPHV and Noberus, is believed to be Russia-based and is (or was) the world’s second most prolific ransomware-as-a-service (RaaS) provider, supplying its malware and services to other threat actors in return for a slice of the ransom payments. Lee says the AFP has identified 56 government and corporate ransomware targets in Australia and is providing a decryption key where possible.

The Federal Bureau of Investigation (FBI) gets the kudos for developing that decryption key, which has since been provided to 400 ransomware targets worldwide, invalidating USD68 million worth of ransom demands.

“The unlawful activity by BlackCat had a severe impact on Australian businesses, many of which remain without access to some key systems,” said Lee. “The AFP has worked closely with our Five Eyes Law Enforcement Group partner, the FBI, to ensure action was taken on behalf of Australian businesses. Outcomes like this would not be possible without the ability of the AFP to engage with law enforcement around the world and coordinate responses.”

The 18-month investigation culminated on December 19 when the FBI took control of BlackCat websites. Aside from the AFP and FBI, the multijurisdictional investigation included Germany’s Bundeskriminalamt and Zentrale Kriminalinspektion Göttingen, Denmark’s Special Crime Unit, Europol, the UK’s National Crime Agency and Eastern Region Special Operations Unit, Spain’s Policia Nacional, Switzerland’s Kantonspolizei Thurgau, and Austria’s Directorate State Protection and Intelligence Service. In their statement on the matter, the US Department of Justice, which is responsible for the FBI, acknowledged the contribution of their international partners.

Active worldwide, BlackCat raised the ire of US authorities when its malware was used in the notorious Colonial Pipeline ransomware attack in 2021, disrupting gas supplies and underscoring the vulnerability of critical infrastructure to cyberattacks. Targets of BlackCat RaaS affiliates have ranged across the healthcare, defence, manufacturing, education, and government sectors. In October 2023, MGM Resorts reported that a ransomware attack deploying BlackCat malware had cost it USD100 million in foregone revenues while its systems were down.

In Australia, hackers used BlackCat-developed malware to attack the HWL Ebsworth law firm. That entity, whose clients include government agencies and blue-chip corporates, lost around four terabytes of data and sustained significant reputational damage. BlackCat later posted a statement on one of its websites, taking responsibility for the attack.

While the average BlackCat ransom demand is around USD5 million, the AFP says the group has been behind global financial losses running into the hundreds of millions of dollars. That includes ransom payments, destruction and theft of proprietary data, and costs associated with incident response. Lee says ransomware attacks cause around AUD3 billion in damages to the Australian economy annually.
