Six days before Christmas, the U.S. Department of Justice loudly declared victory in the ongoing fight against the scourge of ransomware: An international FBI-led operation targeted the notorious hacker group BlackCat, or AlphV, releasing decryption keys to thwart its ransomware attempts against hundreds of victims and seizing the dark websites it used to threaten and extort them. “In the process of disrupting the BlackCat ransomware organization, the Department of Justice once again targeted hackers,” Deputy Attorney General Lisa Monaco declared in a statement.
Two months and a week later, however, the hackers don’t appear to be particularly “disrupted.” Over the past seven days, BlackCat hijacked healthcare company Change Healthcare, paralyzing its software at hospitals and pharmacies across the United States, causing delays in drug prescriptions for countless patients.
Change Healthcare’s ongoing outage, first reported by Reuters as a BlackCat attack, represents a particularly serious episode in the ransomware epidemic, not least because of its severity, duration, and potential damage to victims’ health. It also illustrates how law enforcement’s victories against ransomware groups appear to be increasingly fleeting, as hackers targeted by law enforcement in carefully coordinated crackdowns simply rebuild and restart their attacks with impunity, ransomware tracking analysts said.
“Because we can’t arrest core operators in Russia or regions that aren’t cooperating with law enforcement, we can’t stop them,” said Allan Liska, a ransomware researcher at cybersecurity firm Recorded Future. Liska said law enforcement often has to spend months or years arranging strikes against infrastructure or aiding victims without being able to catch the perpetrators of the attacks. “Threat actors just need to regroup, get drunk for a weekend, and start over,” Liska said.
In another recent operation, the UK’s National Crime Agency last week led a wide-ranging crackdown on the notorious Lockbit ransomware group, hijacking its infrastructure, seizing many of its cryptocurrency wallets, shutting down its dark website, and even obtaining information about its operators and partners. Less than a week later, however, Lockbit has launched a new dark website that continues to extort victims, displaying a countdown timer for each victim indicating the number of days or hours remaining before the stolen data will be dumped online.
That doesn’t mean law enforcement’s BlackCat or Lockbit operations haven’t had some effect. So far, BlackCat lists 28 victims on its darknet site in February, which is a significant drop from the more than 60 victims Recorded Future recorded on its site in December before the FBI took it down. (Change Healthcare is not currently listed among BlackCat’s victims, but the hackers were blamed for the attack, according to ransomware tracking site Breaches.net. Change Healthcare also did not respond to WIRED’s request for comment on the cyberattack.)
Brett Callow, a ransomware analyst at security firm Emsisoft, believes Lockbit may be hiding the extent of its damage behind the hoopla surrounding its new leak site. He said the group may downplay last week’s bust in part to avoid losing the trust of its affiliate partners, the hackers who infiltrate victim networks on behalf of Lockbit and who may panic at the possibility that Lockbit has been breached by law enforcement.