US, Allies Seize Website of Prolific Russian-Speaking Ransomware Gang That Claimed Theft of Illinois Patient Data

(Mark Wilson / Getty Images)

Washington (CNN) — U.S. and allied law enforcement agencies around the world have seized the main website that a prolific Russian-speaking cyber gang has used to pressure its victims to pay ransoms, according to a notice posted on the website on Tuesday.


The FBI also developed a software key that allowed victims of the hackers to quietly unlock their computers, “saving multiple victims from ransom demands” worth about $68 million, the Justice Department said in a statement.

It’s a big blow to the well-oiled cybercriminal syndicate that, according to the Justice Department, has targeted over 1,000 victims around the world and extorted them for hundreds of millions of dollars.

Hackers using the ransomware, known as ALPHV or BlackCat, have claimed a slew of attacks on US universities, health care providers and hotels in the last 18 months. Hackers claimed to have used ALPHV ransomware in at least one of a pair of high-profile ransomware attacks on Las Vegas casinos in September. The following month, hackers using ALPHV claimed to steal reams of patient data from a community hospital in Illinois.

Authorities seized the ALPHV website “in coordination” with the US Attorney’s Office for the Southern District of Florida, said the notice, which bore the seals of the FBI, US Secret Service and a slew of other law enforcement agencies from Australia to Europe to the United Kingdom.

Ransomware gangs use dark-web sites to pressure their victims into paying ransoms sometimes worth millions of dollars. If the victim refuses to pay, the hackers often leak data stolen from its network. A law enforcement seizure of a group’s website sometimes signals that investigators have broader access to the hackers’ core computer infrastructure and that the move is part of a wider crackdown.

A different website that the ransomware gang set up recently remained online Tuesday morning, but that site appears to carry little significance to the group’s operations.

The cybercriminals behind ALPHV are very likely to regroup and conduct new hacks because they haven’t been arrested. But ALPHV will likely have difficulty retaining “affiliates,” the hackers who pay to use the ransomware, because of the damage to its reputation, said Alexander Leslie, a Russian-speaking analyst with cybersecurity firm Recorded Future.

“ALPHV has had a tumultuous past and has garnered significant media attention over the last few months,” Leslie told CNN. “This is not an attractive model for ransomware affiliates seeking to maintain a low profile and earn a reliable source of income.”

It’s the latest step by US and allied law enforcement agencies to try to put a dent in the lucrative ransomware business. As the national security threat posed by ransomware became clear in the last two years, the FBI has grown increasingly proactive in trying to disrupt the hackers’ operations, even if it means forgoing arrests.

“In disrupting the BlackCat ransomware group, the Justice Department has once again hacked the hackers,” Deputy Attorney General Lisa Monaco said in a statement on Tuesday.

Cybercriminals received at least $449 million in ransom payments in the first half of the year, according to Chainalysis, a firm that tracks cryptocurrency. In ALPHV’s case, as with many other groups, the ransomware is leased to a host of criminal groups for a fee. While some people behind the ransomware appear to speak Russian, others hail from other countries, according to ransomware experts.

The-CNN-Wire™ & © 2023 Cable News Network, Inc., a Warner Bros. Discovery Company. All rights reserved.
