Generic filters
Exact matches only
Search in title
Search in content
Filter by Custom Post Type
Filter by Categories

BlackCat Strikes Back: Ransomware Gang “Unseizes” Website, Vows No Limits on Targets

BlackCat’s Comeback Following Recent Disruption

Executive Summary

The BlackCat ransomware group, also known as ALPHV or Noberus, has recently faced disruption due to a law enforcement operation targeting their activities. The operation resulted in the seizure of several websites used by BlackCat and the release of a decryption tool.

However, BlackCat has responded by regaining control of its website and establishing a new leak website. They have also announced new threats, expanding their targets to all types of organisations, including nuclear power plants and hospitals.

Organisations must remain vigilant and prepared at all times to effectively combat cyberattacks, as the battle between cyber criminals and law enforcement authorities persists.

Disruption of BlackCat

BlackCat’s Tor-based leak website became inaccessible, leading to speculation that law enforcement had targeted the group.

The US government confirmed that a law enforcement operation, supported by allies, was responsible for the seizure of BlackCat’s websites. The operation included a decryption tool that helped over 500 victims restore their systems without paying a ransom. For more information about the operation, please refer to our recent news article.

BlackCat Strikes Back

After the disruption efforts, BlackCat regained control of their website, announcing that it had been “unseized.” They set up a new leak website and announced that only CIS (former constituent republics of the Soviet Union) countries were off-limits, allowing affiliates to target any type of organisation in other countries. The group had previously promised not to target hospitals and emergency services.

BlackCat downplayed the impact of the law enforcement operation, stating that only decryption keys for the past month and a half were obtained. They also mentioned that more than 3,000 victims would not be able to recover their files, and they would stop offering victims any discounts on the ransom amount.

To prevent an exodus, BlackCat offered incentives to its affiliates. These incentives included the opportunity to retain 90% of ransom payments and access to a private program for ‘VIP’ affiliates. However, there is a prediction that affiliates may switch to other ransomware-as-a-service operations, such as LockBit.

Meanwhile, the US government is offering rewards of up to $10 million for information on BlackCat operators or their affiliates. Also, please refer to the CISA advisory for comprehensive details on the tactics, techniques, and procedures (TTPs), along with the indicators of compromise (IOCs) identified during the investigations of known BlackCat affiliates.

Closing Comments

The recent events surrounding the BlackCat ransomware group highlight the ongoing battle between cyber criminals and law enforcement authorities.

As cyber criminals continue to adapt and find ways to regain control, it is crucial for organisations to remain vigilant against cyberattacks and be prepared at all times. Holiday periods, in particular, can present opportunities for attackers. During these times, individuals may be more relaxed and susceptible to phishing attempts and other malicious activities. It is essential for organisations to prioritise cybersecurity and implement strong measures to continuously protect their systems and data.



Cubic Lighthouse is a cybersecurity publication dedicated to demystifying security, making news actionable, providing deeper thinking about the fundamentals of security, and providing decision-makers and the community at large with the right information to make the right decisions. We will also feature more technical articles and provide personal/family security advice.

©2024 Cubic Consulting, a Smart Security Company for your Business – All Rights Reserved.