The U.S. Federal Bureau of Investigation (FBI) disclosed today that it infiltrated the world's second most prolific ransomware gang, a Russia-based criminal group known as both ALPHV and BlackCat. The FBI said it seized the gang's darknet website, and released a decryption tool that hundreds of victim companies can use to recover systems. Meanwhile, BlackCat responded by briefly "unseizing" its darknet site with a message promising 90 percent commissions for affiliates who continue to work with the crime group, and declaring open season on everything from hospitals to nuclear power plants.
A slightly modified version of the FBI seizure notice on the BlackCat darknet site (Santa caps added).
Whispers of a possible law enforcement action against BlackCat came in the first week of December, after the ransomware group's darknet site went offline and remained unavailable for roughly five days. BlackCat eventually managed to bring its site back online, blaming the outage on equipment malfunctions.
But earlier today, the BlackCat website was replaced with an FBI seizure notice, while federal prosecutors in Florida released a search warrant explaining how FBI agents were able to gain access to and disrupt the group's operations.
A statement on the operation from the U.S. Department of Justice says the FBI developed a decryption tool that allowed agency field offices and partners globally to offer more than 500 affected victims the ability to restore their systems.
"With a decryption tool provided by the FBI to hundreds of ransomware victims worldwide, businesses and schools were able to reopen, and health care and emergency services were able to come back online," Deputy Attorney General Lisa O. Monaco said. "We will continue to prioritize disruptions and place victims at the center of our strategy to dismantle the ecosystem fueling cybercrime."
The DOJ reports that since BlackCat's formation roughly 18 months ago, the crime group has targeted the computer networks of more than 1,000 victim organizations. BlackCat attacks usually involve encryption and theft of data; if victims refuse to pay a ransom, the attackers typically publish the stolen data on a BlackCat-linked darknet site.
BlackCat formed by recruiting operators from several competing or disbanded ransomware organizations, including REvil, BlackMatter and DarkSide. The latter group was responsible for the Colonial Pipeline attack in May 2021 that caused nationwide fuel shortages and price spikes.
Like many other ransomware operations, BlackCat operates under the "ransomware-as-a-service" model, where teams of developers maintain and update the ransomware code, as well as all of its supporting infrastructure. Affiliates are incentivized to attack high-value targets because they generally reap 60-80 percent of any payouts, with the remainder going to the crooks running the ransomware operation.
BlackCat was able to briefly regain control over its darknet server today. Not long after the FBI's seizure notice went live, the homepage was "unseized" and retrofitted with a statement about the incident from the ransomware group's perspective.
The message that was briefly on the homepage of the BlackCat ransomware group this morning. Image: @GossiTheDog.
BlackCat claimed that the FBI's operation only touched a portion of its operations, and that as a result of the FBI's actions an additional 3,000 victims will no longer have the option of receiving decryption keys. The group also said it was formally removing any restrictions or discouragement against targeting hospitals or other critical infrastructure.
"Because of their actions, we are introducing new rules, or rather, we are removing ALL rules except one, you cannot touch the CIS [a common restriction against attacking organizations in Russia or the Commonwealth of Independent States]. You can now block hospitals, nuclear power plants, anything, anywhere."
The crime group also said it was setting affiliate commissions at 90 percent, presumably to attract interest from potential affiliates who might otherwise be spooked by the FBI's recent infiltration. BlackCat also promised that all "advertisers" under this new scheme would manage their affiliate accounts from data centers that are completely isolated from each other.
BlackCat's darknet site currently displays the FBI seizure notice. But as BleepingComputer founder Lawrence Abrams explained on Mastodon, both the FBI and BlackCat have the private keys associated with the Tor hidden service URL for BlackCat's victim shaming and data leak site.
"Whoever is the latest to publish the hidden service on Tor (in this case the BlackCat data leak site), will resume control over the URL," Abrams said. "Expect to see this type of back and forth over the next couple of days."
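Abrams' point that whoever holds the hidden service key can republish the site follows from how Tor version 3 onion addresses are built: the 56-character hostname is derived entirely from the service's ed25519 public key (key, a two-byte SHA3-256 checksum and a version byte, base32-encoded), so possession of the matching private key is the only thing that binds anyone to the URL, and Tor's directory system simply honors the most recently published descriptor signed with it. The Python below is an added example, not code from the original post or from the Tor project; the 32-byte key and the `hs_ed25519_public_key` file contents it uses are constructed stand-ins, not real BlackCat material.

```python
import base64
import hashlib

# Constants from the Tor rendezvous (v3 onion service) specification.
ONION_VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"
# Header Tor writes at the top of a hidden service's hs_ed25519_public_key file
# (29 ASCII bytes padded with NULs to 32 bytes), followed by the raw 32-byte key.
PUBLIC_KEY_HEADER = b"== ed25519v1-public: type0 ==".ljust(32, b"\x00")


def onion_checksum(pubkey: bytes) -> bytes:
    """First two bytes of SHA3-256(".onion checksum" || pubkey || version)."""
    digest = hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_VERSION).digest()
    return digest[:2]


def onion_address(pubkey: bytes) -> str:
    """Derive the v3 .onion hostname from a 32-byte ed25519 public key.

    The hostname is a pure function of the public key: anyone holding the
    private half can publish a descriptor for exactly this address.
    """
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + onion_checksum(pubkey) + ONION_VERSION  # 35 bytes, no base32 padding
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def onion_pubkey(address: str) -> bytes:
    """Parse and verify a v3 onion address, returning the embedded public key."""
    host = address.lower()
    if host.endswith(".onion"):
        host = host[: -len(".onion")]
    if len(host) != 56:
        raise ValueError("v3 onion hostnames are 56 base32 characters")
    raw = base64.b32decode(host, casefold=True)
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_VERSION:
        raise ValueError("not a version 3 onion address")
    if checksum != onion_checksum(pubkey):
        raise ValueError("checksum mismatch: address does not match this key")
    return pubkey


def address_matches_key(address: str, pubkey: bytes) -> bool:
    """True only if the address is well-formed and was derived from pubkey."""
    try:
        return onion_pubkey(address) == pubkey
    except ValueError:
        return False


def address_from_public_key_file(data: bytes) -> str:
    """Reproduce Tor's 'hostname' file from the bytes of hs_ed25519_public_key."""
    if len(data) != 64 or data[:32] != PUBLIC_KEY_HEADER:
        raise ValueError("unexpected hs_ed25519_public_key layout")
    return onion_address(data[32:])


if __name__ == "__main__":
    # Constructed stand-in key (not a real service key); any 32 bytes will do
    # for the address derivation, since the math is key-agnostic.
    demo_key = bytes(range(32))
    addr = onion_address(demo_key)
    print("address:", addr)
    print("round trip ok:", onion_pubkey(addr) == demo_key)
    # Two parties holding the same key file produce the same hostname, which is
    # why seizing the site and still being "unseized" are both possible here.
    print("same key file ->", address_from_public_key_file(PUBLIC_KEY_HEADER + demo_key) == addr)
    tampered = ("b" if addr[0] == "a" else "a") + addr[1:]
    print("tampered address accepted:", address_matches_key(tampered, demo_key))
```

The practical check this gives a defender or researcher is cheap: given an onion hostname from a ransom note or leak site, `onion_pubkey` recovers the public key the descriptor must be signed with, and `address_matches_key` lets you confirm that a key file recovered from infrastructure really corresponds to that hostname before you trust anything published under it.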
The DOJ says anyone with information about BlackCat affiliates or their activities may be eligible for up to a $10 million reward through the State Department's "Rewards for Justice" program, which accepts submissions through a Tor-based tip line (visiting the site is only possible using the Tor browser).
Further reading: CISA StopRansomware Alert on the tools, techniques and procedures used by ALPHV/BlackCat.
The final Patch Tuesday of 2023 is upon us, with Microsoft Corp. today releasing fixes for a relatively small number of security holes in its Windows operating systems and other software. Even more unusual, there are no known "zero-day" threats targeting any of the vulnerabilities in December's patch batch. Still, four of the updates pushed out today address "critical" vulnerabilities that Microsoft says can be exploited by malware or malcontents to seize complete control over a vulnerable Windows device with little or no help from users.
Among the critical bugs quashed this month is CVE-2023-35628, a weakness present in Windows 10 and later versions, as well as Windows Server 2008 and later. Kevin Breen, senior director of threat research at Immersive Labs, said the flaw affects MSHTML, a core component of Windows that is used to render browser-based content. Breen notes that MSHTML also can be found in a number of Microsoft applications, including Office, Outlook, Skype and Teams.
"In the worst-case scenario, Microsoft suggests that simply receiving an email would be enough to trigger the vulnerability and give an attacker code execution on the target machine without any user interaction like opening or interacting with the contents," Breen said.
Another critical flaw that probably deserves priority patching is CVE-2023-35641, a remote code execution weakness in a built-in Windows feature called the Internet Connection Sharing (ICS) service that lets multiple devices share an Internet connection. While CVE-2023-35641 earned a high vulnerability severity score (a CVSS rating of 8.8), the threat from this flaw may be limited somewhat because an attacker would need to be on the same network as the target. Also, while ICS is present in all versions of Windows since Windows 7, it is not on by default (although some applications may turn it on).
Satnam Narang, senior staff research engineer at Tenable, notes that a number of the non-critical patches released today were identified by Microsoft as "more likely to be exploited." One example is CVE-2023-35636, which Microsoft says is an information disclosure vulnerability in Outlook. An attacker could exploit this flaw by convincing a potential victim to open a specially crafted file delivered via email or hosted on a malicious website.
Narang said what makes this one stand out is that exploitation of this flaw would lead to the disclosure of NTLM hashes, which could be leveraged as part of an NTLM relay or "pass the hash" attack, which lets an attacker masquerade as a legitimate user without ever having to log in.
"It is reminiscent of CVE-2023-23397, an elevation of privilege vulnerability in Microsoft Outlook that was exploited in the wild as a zero day and patched in the March 2023 Patch Tuesday release," Narang said. "However, unlike CVE-2023-23397, CVE-2023-35636 is not exploitable via Microsoft's Preview Pane, which lowers the severity of this flaw."
As usual, the SANS Internet Storm Center has a good roundup on all of the patches released today and indexed by severity. Windows users, please consider backing up your data and/or imaging your system before applying any updates. And feel free to sound off in the comments if you experience any difficulties as a result of these patches.