Feds disrupt major ransomware group targeting schools, law firms, hospitals

The U.S. Department of Justice has disrupted a major ransomware group — and enabled some people to restore their systems — with South Florida playing a central role in the cybercrime investigation, authorities said.

The FBI this month seized several websites operated by the Blackcat ransomware group, launched a disruption campaign, and “gained visibility” into the group’s computer network, according to an affidavit supporting a search warrant unsealed Tuesday in the Southern District of Florida.

The FBI developed a decryption tool that allowed its field offices nationwide and international law enforcement partners to offer more than 500 affected victims the capability to restore their computer systems, the Justice Department said. To date, the FBI has saved victims from ransom demands totaling approximately $68 million.

“In disrupting the BlackCat ransomware group, the Justice Department has once again hacked the hackers,” said Deputy Attorney General Lisa Monaco in a statement Tuesday.

The FBI Miami Field Office is leading the investigation and the case involves federal prosecutors in Miami.

The Blackcat ransomware group is also known as ALPHV or Noberus. Ransomware is malicious software that denies individuals access to computer systems until a ransom is paid. Typically, cybercriminals encrypt an individual’s computer and then demand a ransom before decrypting it. Payment is usually requested in cryptocurrency, sent to addresses controlled by the criminals.

“With a decryption tool provided by the FBI to hundreds of ransomware victims worldwide, businesses and schools were able to reopen, and health care and emergency services were able to come back online,” Monaco noted. “We will continue to prioritize disruptions and place victims at the center of our strategy to dismantle the ecosystem fueling cybercrime.”

A message from a ransomware attack. The FBI disrupted a major ransomware group — Blackcat — with South Florida playing a central role in the cybercrime investigation, authorities said.

Over the past 18 months, ALPHV/Blackcat has become the second most prolific ransomware in the world based on the hundreds of millions of dollars in ransom paid by victims, the Justice Department said. It said the Blackcat ransomware group has targeted the computer networks of more than 1,000 victims.

Details are sparse because the investigation is ongoing, but BlackCat claimed a role in the cyberattacks earlier this year on MGM Entertainment and Caesar’s Palace in Las Vegas.

In the unsealed affidavit in support of the search warrant, Justice officials said that beginning in or around December 2021 and continuing through the present, cybercriminals deployed the Blackcat ransomware against critical infrastructure, medical facilities, school districts, law firms and financial firms around the world, including in South Florida.

The Blackcat group uses a RaaS model. RaaS stands for ransomware-as-a-service: the developers are responsible for creating and updating the ransomware and for maintaining the Internet infrastructure that permits the illicit activities.

The group also uses Tor, a free and open-source software permitting anonymous communication, to hide entire websites.

When the attackers encrypt a victim’s computer, the victim typically receives a ransom note containing a unique Tor .onion address through which to communicate with the Blackcat Ransomware Group. The note also names a leak site, also at a Tor address, where the victim’s data will be published if no ransom is paid.

Judge Patrick M. Hunt in Fort Lauderdale signed off on the warrant on Dec. 11. The following day, the warrant was executed.

During the search, law enforcement gained visibility into the Blackcat Ransomware Group’s network, according to court documents. As a result, the FBI identified and collected 946 public/private key pairs for Tor sites that the Blackcat Ransomware Group used.
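The ransom note described above points victims at a Tor .onion address, and the key pairs the FBI collected are what such addresses are built from: a v3 onion hostname is the service’s 32-byte ed25519 public key, a 2-byte checksum and a version byte, base32-encoded, as laid out in the Tor rend-spec-v3. The following is an added example, not code from the article or from any of the parties it describes, showing how a responder can pull the onion addresses out of a ransom note and verify their checksum before treating them as indicators. The public key, the note text and the function names are constructed for the example; nothing here is taken from the Blackcat case.

```python
import base64
import hashlib
import re

# Version byte and checksum prefix defined by the Tor v3 onion service spec.
ONION_V3_VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"

# A v3 hostname is exactly 56 base32 characters followed by ".onion".
ONION_V3_RE = re.compile(r"\b([a-z2-7]{56})\.onion\b", re.IGNORECASE)


def onion_v3_checksum(pubkey: bytes) -> bytes:
    """First two bytes of SHA3-256(".onion checksum" || pubkey || version)."""
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_V3_VERSION).digest()[:2]


def onion_v3_address(pubkey: bytes) -> str:
    """Derive the v3 .onion hostname for a 32-byte ed25519 public key.

    The 35-byte blob (key || checksum || version) base32-encodes to 56
    characters with no padding, which is why every v3 address has that length.
    """
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    blob = pubkey + onion_v3_checksum(pubkey) + ONION_V3_VERSION
    return base64.b32encode(blob).decode().lower() + ".onion"


def validate_onion_v3(hostname: str) -> bool:
    """Return True only if the hostname decodes to a v3 blob whose checksum
    and version byte are consistent with the embedded public key."""
    label = hostname.lower().removesuffix(".onion")
    if len(label) != 56:
        return False
    try:
        raw = base64.b32decode(label.upper())
    except (ValueError, TypeError):
        return False
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    return version == ONION_V3_VERSION and checksum == onion_v3_checksum(pubkey)


def extract_onion_addresses(text: str) -> list[str]:
    """Collect the checksum-valid v3 onion hostnames in a note, lowercased,
    deduplicated and in order of first appearance. Strings that merely look
    like onion addresses but fail validation are dropped rather than reported."""
    found: list[str] = []
    for match in ONION_V3_RE.finditer(text):
        host = match.group(0).lower()
        if validate_onion_v3(host) and host not in found:
            found.append(host)
    return found


# Constructed demo key: a real service key would be a random ed25519 key,
# but address derivation only depends on the 32 bytes themselves.
DEMO_PUBKEY = bytes(range(32))
DEMO_ADDRESS = onion_v3_address(DEMO_PUBKEY)

# Tampered copy: changing the final base32 character alters the version byte,
# so the address is well-formed but cannot belong to any onion service.
TAMPERED_ADDRESS = DEMO_ADDRESS[:-7] + "a.onion"

# Constructed ransom-note text in the shape the article describes: a contact
# address, a leak-site address, and the contact address repeated in upper case.
SAMPLE_NOTE = (
    "Your files are encrypted.\n"
    f"Contact us at http://{DEMO_ADDRESS}/chat within 72 hours.\n"
    f"Otherwise your data will be published at http://{TAMPERED_ADDRESS}/leaks\n"
    f"Backup contact: {DEMO_ADDRESS.upper()}\n"
)

if __name__ == "__main__":
    for host in extract_onion_addresses(SAMPLE_NOTE):
        print("valid v3 onion indicator:", host)
```

Feeding a note through `extract_onion_addresses` yields one indicator here, the valid contact address, because the duplicate differs only in case and the leak-site address fails the checksum. Validating before recording an address avoids polluting a block list or a case file with mistyped or deliberately mangled hostnames; the corresponding private key for a valid address is what would be needed to actually operate the service, which is why the seized key pairs matter.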

Victims of Blackcat ransomware are being asked by the FBI to contact their local field office for further information.