Login
Two British teens who were members of the Lapsus$ gang have been sentenced for their roles in a cyber-crime spree that included compromising Uber, Nvidia, and fintech firm Revolut, and also blackmailing Grand Theft Auto maker Rockstar Games.β¦
Security vendor Sonatype believes developers are failing to address the critical remote code execution (RCE) vulnerability in the Apache Struts 2 framework, based on recent downloads of the code.β¦
Mozilla last week revised its position on a web security technology called Trusted Types, which it has decided to implement in its Firefox browser.β¦
NASA's Office of Inspector General has run its eye over the aerospace agency's privacy regime and found plenty to like β but improvements are needed.β¦
IBM Security has dissected some JavaScript code that was injected into people's online banking pages to steal their login credentials, saying 50,000 user sessions with more than 40 banks worldwide were compromised by the malicious software in 2023.β¦
Cybercriminals are preying on the inherent helpfulness of hotel staff during the sector's busy holiday season.β¦
Updated Greater Manchester Police (GMP) must clear the backlog of hundreds of Freedom of Information (FOI) Act requests β some years old β or find itself in contempt of court.β¦
A vulnerability in the SSH protocol can be exploited by a well-placed adversary to weaken the security of people's connections, if conditions are right.β¦
A transnational police operation has resulted in the arrest of 3,500 alleged cybercriminals and the seizure of $300 million in cash and digital assets.β¦
The U.S. Federal Bureau of Investigation (FBI) disclosed today that it infiltrated the worldβs second most prolific ransomware gang, a Russia-based criminal group known as ALPHV and BlackCat. The FBI said it seized the gangβs darknet website, and released a decryption tool that hundreds of victim companies can use to recover systems. Meanwhile, BlackCat responded by briefly βunseizingβ its darknet site with a message promising 90 percent commissions for affiliates who continue to work with the crime group, and open season on everything from hospitals to nuclear power plants.
A slightly modified version of the FBI seizure notice on the BlackCat darknet site (Santa caps added).
Whispers of a possible law enforcement action against BlackCat came in the first week of December, after the ransomware groupβs darknet site went offline and remained unavailable for roughly five days. BlackCat eventually managed to bring its site back online, blaming the outage on equipment malfunctions.
But earlier today, the BlackCat website was replaced with an FBI seizure notice, while federal prosecutors in Florida released a search warrant explaining how FBI agents were able to gain access to and disrupt the groupβs operations.
A statement on the operation from the U.S. Department of Justice says the FBI developed a decryption tool that allowed agency field offices and partners globally to offer more than 500 affected victims the ability to restore their systems.
βWith a decryption tool provided by the FBI to hundreds of ransomware victims worldwide, businesses and schools were able to reopen, and health care and emergency services were able to come back online,β Deputy Attorney General Lisa O. Monaco said. βWe will continue to prioritize disruptions and place victims at the center of our strategy to dismantle the ecosystem fueling cybercrime.β
The DOJ reports that since BlackCatβs formation roughly 18 months ago, the crime group has targeted the computer networks of more than 1,000 victim organizations. BlackCat attacks usually involve encryption and theft of data; if victims refuse to pay a ransom, the attackers typically publish the stolen data on a BlackCat-linked darknet site.
BlackCat formed by recruiting operators from several competing or disbanded ransomware organizations β including REvil,Β BlackMatterΒ andΒ DarkSide. The latter group was responsible for the Colonial Pipeline attack in May 2021 that caused nationwide fuel shortages and price spikes.
Like many other ransomware operations, BlackCat operates under the βransomware-as-a-serviceβ model, where teams of developers maintain and update the ransomware code, as well as all of its supporting infrastructure. Affiliates are incentivized to attack high-value targets because they generally reap 60-80 percent of any payouts, with the remainder going to the crooks running the ransomware operation.
BlackCat was able to briefly regain control over their darknet server today. Not long after the FBIβs seizure notice went live the homepage was βunseizedβ and retrofitted with a statement about the incident from the ransomware groupβs perspective.
The message that was briefly on the homepage of the BlackCat ransomware group this morning. Image: @GossiTheDog.
BlackCat claimed that the FBIβs operation only touched a portion of its operations, and that as a result of the FBIβs actions an additional 3,000 victims will no longer have the option of receiving decryption keys. The group also said it was formally removing any restrictions or discouragement against targeting hospitals or other critical infrastructure.
βBecause of their actions, we are introducing new rules, or rather, we are removing ALL rules except one, you cannot touch the CIS [a common restriction against attacking organizations in Russia or the Commonwealth of Independent States]. You can now block hospitals, nuclear power plants, anything, anywhere.β
The crime group also said it was setting affiliate commissions at 90 percent, presumably to attract interest from potential affiliates who might otherwise be spooked by the FBIβs recent infiltration. BlackCat also promised that all βadvertisersβ under this new scheme would manage their affiliate accounts from data centers that are completely isolated from each other.
BlackCatβs darknet site currently displays the FBI seizure notice. But as BleepingComputer founder Lawrence Abrams explained on Mastodon, both the FBI and BlackCat have the private keys associated with the Tor hidden service URL for BlackCatβs victim shaming and data leak site.
βWhoever is the latest to publish the hidden service on Tor (in this case the BlackCat data leak site), will resume control over the URL,β Abrams said. βExpect to see this type of back and forth over the next couple of days.β
The DOJ says anyone with information about BlackCat affiliates or their activities may be eligible for up to a $10 million reward through the State Departmentβs βRewards for Justiceβ program, which accepts submissions through a Tor-based tip line (visiting the site is only possible using the Tor browser).
Further reading: CISA StopRansomware Alert on the tools, techniques and procedures used by ALPHV/BlackCat.
Millions of Comcast Xfinity subscribers' personal data β including potentially their usernames, hashed passwords, contact details, and secret security question-answers β was likely stolen by one or more miscreants exploiting Citrix Bleed in October.β¦
Four vulnerabilities in Perforce Helix Core Server, including one critical remote code execution bug, should be patched "immediately," according to Microsoft, which spotted the flaws and disclosed them to the software vendor.β¦
Updated The FBI created a decryption tool for the ransomware used by the gang known as BlackCat and/or AlphV, as part of a wider disruption campaign against the extortionists.β¦
FreshRSS 