Office of Public Affairs | Justice Department Disrupts Prolific ALPHV/Blackcat Ransomware Variant | United States Department of Justice

The Justice Department announced today a disruption campaign against the Blackcat ransomware group, also known as ALPHV or Noberus, that has targeted the computer networks of more than 1,000 victims and caused harm around the world since its inception, including networks that support U.S. critical infrastructure.

Over the past 18 months, ALPHV/Blackcat has emerged as the second most prolific ransomware-as-a-service variant in the world, based on the hundreds of millions of dollars in ransoms paid by victims around the world. Due to the global scale of these crimes, multiple foreign law enforcement agencies are conducting parallel investigations.

The FBI developed a decryption tool that allowed FBI field offices across the country and law enforcement partners around the world to offer over 500 affected victims the capability to restore their systems. To date, the FBI has worked with dozens of victims in the United States and internationally to implement this solution, saving multiple victims from ransom demands totaling approximately $68 million. As detailed in a search warrant unsealed today in the Southern District of Florida, the FBI has also gained visibility into the Blackcat ransomware group's computer network as part of the investigation and has seized several websites that the group operated.

"In disrupting the BlackCat ransomware group, the Justice Department has once again hacked the hackers," said Deputy Attorney General Lisa O. Monaco. "With a decryption tool provided by the FBI to hundreds of ransomware victims worldwide, businesses and schools were able to reopen, and health care and emergency services were able to come back online. We will continue to prioritize disruptions and place victims at the center of our strategy to dismantle the ecosystem fueling cybercrime."

"The FBI continues to be unrelenting in bringing cybercriminals to justice and determined in its efforts to defeat and disrupt ransomware campaigns targeting critical infrastructure, the private sector, and beyond," said FBI Deputy Director Paul Abbate. "Helping victims of crime is the FBI's highest priority and is reflected here in the provision of tools to assist those victimized in decrypting compromised networks and systems. The FBI will continue to aggressively pursue these criminal actors wherever they attempt to hide and ensure they are brought to justice and held accountable under the law."

"At the Justice Department, we prioritize victim safety and security," said Acting Assistant Attorney General Nicole M. Argentieri of the Justice Department's Criminal Division. "In this case, agents and prosecutors worked tirelessly to restore victim networks, but these actions are not the culmination of our efforts, they are just the beginning. Criminal actors should be aware that the announcement today is just one part of this ongoing effort. Going forward, we will continue our investigation and pursue those behind Blackcat until they are brought to justice."

"Today's announcement highlights the Justice Department's ability to take on even the most sophisticated and prolific cybercriminals," said U.S. Attorney Markenzy Lapointe for the Southern District of Florida. "As a result of our office's tireless efforts, alongside FBI Miami, U.S. Secret Service, and our foreign law enforcement partners, we have provided Blackcat's victims, in the Southern District of Florida and around the world, the opportunity to get back on their feet and to fortify their digital defenses. We will continue to focus on holding the people behind the Blackcat ransomware group accountable for their crimes."

According to the unsealed warrant, Blackcat actors have compromised computer networks in the United States and worldwide. The disruptions caused by the ransomware variant have affected U.S. critical infrastructure, including government facilities, emergency services, defense industrial base companies, critical manufacturing, and healthcare and public health facilities, as well as other corporations, government entities, and schools. The loss amount globally is in the hundreds of millions and includes ransom payments, destruction and theft of proprietary data, and costs associated with incident response.

Blackcat uses a ransomware-as-a-service model in which developers are responsible for creating and updating ransomware and for maintaining the illicit internet infrastructure. Affiliates are responsible for identifying and attacking high-value victim institutions with the ransomware. After a victim pays, developers and affiliates share the ransom.

Blackcat actors employ a multiple extortion model of attack. Before encrypting the victim system, the affiliate will exfiltrate or steal sensitive data. The affiliate then seeks a ransom in exchange for decrypting the victim's system and not publishing the stolen data. Blackcat actors attempt to target the most sensitive data in a victim's system to increase the pressure to pay. Blackcat actors rely on a leak site available on the dark web to publicize their attacks. When a victim refuses to pay a ransom, these actors commonly retaliate by publishing stolen data to a leak website where it becomes publicly available.

The FBI Miami Field Office is leading the investigation.

Trial Attorneys Christen Gallagher and Jorge Gonzalez of the Criminal Division's Computer Crime and Intellectual Property Section and Assistant U.S. Attorneys Kiran Bhat and Brooke Watson for the Southern District of Florida are handling the case.

The Justice Department also recognizes the critical cooperation of Germany's Bundeskriminalamt and Zentrale Kriminalinspektion Göttingen, Denmark's Special Crime Unit, and Europol. Significant assistance was provided by the U.S. Secret Service and the U.S. Attorney's Office for the Eastern District of Virginia. The Justice Department's Office of International Affairs and the Cyber Operations International Liaison also provided significant assistance. Additionally, the following foreign law enforcement authorities provided substantial assistance and support: the Australian Federal Police, the United Kingdom's National Crime Agency and Eastern Region Special Operations Unit, Spain's Policia Nacional, Switzerland's Kantonspolizei Thurgau, and Austria's Directorate State Protection and Intelligence Service.

Victims of Blackcat ransomware are strongly encouraged to contact their local FBI field office at www.fbi.gov/contact-us/field-offices for further information and to determine what assistance may be available.

Blackcat affiliates have gained initial access to victim networks through a number of methods, including leveraging compromised user credentials to gain initial access to the victim system. More information about the malware, including technical information about indicators of compromise and recommendations to mitigate its effects, is available from the FBI at www.ic3.gov/Media/News/2022/220420.pdf.

Additional information regarding law enforcement's ongoing investigation into Blackcat is available at www.justice.gov/media/1329536/dl?inline.

If you have information about Blackcat, their affiliates, or activities, you may be eligible for a reward through the Department of State's Rewards for Justice program. Information can be submitted through the following Tor-based tip line (Tor browser required): he5dybnt7sr6cm32xt77pazmtm65flqy6irivtflruqfc5ep7eiodiad.onion

For more information about rewards for information on foreign malicious cyber activity against U.S. critical infrastructure, visit https://rfj.tips/SDT55f.