US Offers $10M for Info on BlackCat/ALPHV Ransomware Leaders – Source: securityboulevard.com

A week after offering a $10 million reward for information about the leaders of the Hive ransomware group, the U.S. government is turning its attention – and financial power – to the notorious Russia-linked BlackCat gang.

The State Department this week announced a reward of up to $10 million for information that leads to the identification or location of any of the leaders of the ransomware-as-a-service (RaaS) group and another reward of up to $5 million for information that results in the arrest or conviction of individuals who participated or tried to participate in a ransomware attack using the BlackCat variant.

The reward comes fewer than two months after the U.S. Justice Department (DOJ) and FBI said they had shut down the group’s online operations and developed a decryption tool that could help as many as 500 victims regain access to their encrypted data. The State Department said that distributing the decryption tool to victims and enabling them to restore their systems saved them from paying out about $99 million in ransoms.

The rewards are being offered through the U.S. Transnational Organized Crime Rewards Program (TOCRP).

A Lot of Victims

The State Department said more than 1,000 victims had been attacked by BlackCat – also known as ALPHV – since 2021, when it emerged from the high-profile ransomware groups DarkSide and later BlackMatter, both of which came under tight international law enforcement scrutiny and shut down.

According to a joint advisory released in December 2023 by the FBI and Cybersecurity and Infrastructure Security Agency (CISA), BlackCat over the past two years has demand more than $500 million and received about $300 million in ransom payments. Almost 75% of the more than 1,000 compromised entities were in the United States.

As an RaaS operation, BlackCat bad actors not only were able to launch their own ransomware attacks but would license their code to affiliates with the promise of getting a percentage of whatever those affiliates received in ransom payments.

Growing Threat of RaaS

The rise of the RaaS model has helped fuel the rapid rise in ransomware incidents in recent years, enabling more threat actors to launch sophisticated attacks. Chainalysis in a report this month said ransomware payments last year surpassed $1 billion for the first time, and Andrew Davis, general counsel at Kivu Consulting, said RaaS combined with initial access brokers are letting bad actors with fewer technical skills to carry out attacks.

“The increase in attack volume can be attributed to the affiliate model’s ease of access and the adoption of ransomware-as-a-service, a disturbingly effective business model for cybercriminals,” Davis told the blockchain analysis company. 

BlackCat, which runs double-extortion attacks – encrypted files while also stealing data and threatening to publicly release it if the ransom isn’t paid – was a significant player in the ransomware environment in 2023, according to Chainalysis. According to U.S. authorities, over the past 18 months or so, it had become the second-most prolific ransomware group in the world.

The FBI said in December that it developed a source who had answered an ad for BlackCat affiliates and interviewed with a member of the group, who subsequently gave them credentials for the panels. The source then gave FBI agents credentials to access the panels, giving them a deeper knowledge of the ransomware group’s operations and eventually take it offline.

BlackCat Continues the Fight

BlackCat was able to briefly regain control of its darknet server and essentially lifted restrictions it had put on affiliates to stay away from hospitals and nuclear power plants. The group also threatened more attacks and last month said it had 300 gigabytes of military documents stolen from Technica, a Defense Department IT contractor, and threatened to publish the data.

BlackCat is only the latest group that the federal government has put a bounty on. Along with Hive, other groups have included Cl0p – the group behind the spate of supply-chain attacks over the past year leveraging a zero-day vulnerability in Progressive Software’s MOVEit – and Conti.