FBI: ALPHV ransomware raked in $300 million from over 1,000 victims

The ALPHV/BlackCat ransomware gang has made over $300 million in ransom payments from more than 1,000 victims worldwide as of September 2023, according to the Federal Bureau of Investigation (FBI).

"ALPHV Blackcat affiliates have extensive networks and experience with ransomware and data extortion operations," the FBI says.

"According to the FBI, as of September 2023, ALPHV Blackcat affiliates have compromised over 1000 entities—nearly 75 percent of which are in the United States and approximately 250 outside the United States—, demanded over $500 million, and received nearly $300 million in ransom payments."

In the joint advisory published on December 19, in collaboration with CISA, the FBI also shared mitigation measures to help network defenders and critical infrastructure organizations reduce the impact and risks associated with this ransomware group's attacks.

The two agencies also provided ALPHV IOCs (indicators of compromise) and TTPs (tactics, techniques, and procedures) identified by the FBI as recently as December 6.

Network defenders are strongly encouraged to prioritize patching vulnerabilities exploited in the wild and to enforce multifactor authentication (MFA) with strong passwords across all services, especially for webmail, VPN, and accounts linked to critical systems.

Furthermore, they should regularly update and patch software to the latest versions and focus on vulnerability assessments as integral components of standard security protocols.

BlackCat/ALPHV surfaced more than two years ago, in November 2021, and is suspected to be a rebrand of the notorious DarkSide and BlackMatter ransomware operation.

Originally known as DarkSide, this group gained worldwide notoriety following its attack on Colonial Pipeline, leading to extensive investigations by law enforcement agencies.

The FBI previously linked this ransomware gang to over 60 breaches impacting organizations worldwide in the first four months of activity, from November 2021 through March 2022.

FBI disrupts Blackcat, develops decryption tool

On December 7, BleepingComputer first reported that ALPHV dark web sites, including the gang's Tor negotiation and data leak websites, suddenly stopped working.

On December 19, the Department of Justice confirmed our reporting, saying that the FBI breached the ALPHV ransomware operation's servers, successfully monitoring their activities and obtaining decryption keys.

To access ALPHV's backend affiliate panel, the FBI engaged with a confidential human source (CHS) who was provided with login credentials as an affiliate after an interview with the ransomware operators.

ALPHV BlackCat seizure banner (BleepingComputer)