Aussie businesses hacked by BlackCat receive help

The Australian Federal Police (AFP) is providing decryption tools to many Australian businesses that have fallen victim to Russian-led ransomware criminals, who unlawfully infiltrated systems to steal sensitive data and encrypt networks before demanding ransoms in return for granting access.

The AFP provided substantial assistance to an international operation to disrupt the BlackCat ransomware group, which is estimated to have cost victims around the world hundreds of millions of dollars.

Several websites operated by the cyber actors have been taken down after a global operation led by the US Federal Bureau of Investigation (FBI) and involving the AFP and agencies in Europe and North America.

AFP Cyber Command Assistant Commissioner Scott Lee said at least 56 businesses and government agencies in Australia had been targeted by BlackCat - also known as ALPHV or Noberus - over the past year.

Assistant Commissioner Lee said the AFP had provided significant intelligence and data to the international investigation to disrupt BlackCat’s operations.

This ransomware group first came to law enforcement attention in 2021 and has had a significant impact on the Australian community and on entities around the world,” Assistant Commissioner Lee said.

“We have so far identified 56 Australian-based victims across both corporate and government sectors and we are engaging with victims to provide decryption keys to restore their systems where we can. Those decryption keys are similar to a password.”

Assistant Commissioner Lee said the AFP would continue to work with international partners, plus state and territory law enforcement agencies in Australia, to assist in their investigations, and provide crucial information to affected businesses.

“The unlawful activity by BlackCat had a severe impact on Australian businesses, many of which remain without access to some key systems," he said.

“The AFP has worked closely with our Five Eyes Law Enforcement Group (FELEG) partner, the FBI, to ensure action was taken on behalf of Australian businesses.

“The FBI developed a decryption tool that allowed law enforcement partners around the world to offer more than 400 affected victims the capability to restore their systems.”

The FBI also gained visibility into the BlackCat ransomware group’s computer network as part of the investigation and seized several websites that the group operated.

BlackCat uses a ransomware-as-a-service model, in which developers create and update ransomware and maintain illicit internet infrastructure.

The group’s affiliates identify high-value businesses and institutions to attack with the ransomware, stealing sensitive data and encrypting files so the victims cannot access them. The criminals then demand a ransom to decrypt the victim’s system and to not publish the stolen data.

If a victim pays a ransom, the BlackCat developers and affiliates share the funds. If victims refuse the extortion attempts, the criminals commonly retaliate by publishing stolen data to a leak website where anyone can download it and use it for further crimes.

BlackCat targeted the computer networks of victims around the world, including networks that supported critical infrastructure, universities, court systems, and major companies.

The global financial loss is estimated to be in the hundreds of millions of dollars, and includes ransom payments, destruction and theft of proprietary data, and costs associated with incident response.

The disruptive action against BlackCat is an example of the global outcomes the AFP is supporting with the Australian Signals Directorate (ASD) as part of the Joint Standing Operation, Operation Aquila.

Assistant Commissioner Lee said in the past 18 months, millions of Australians had been affected by devastating cyber incidents and ransomware attacks were becoming more prevalent.

“On average, one cybercrime is reported every six minutes, with ransomware alone causing up to $3 billion in damages to the Australian economy every year,” he said.

“The Australian Government advises against paying ransoms."

He said anyone who has been the target of a BlackCat ransomware attack or any other ransomware breach should report it to police.

“If we are alerted to an incident in its earliest moments, we have our best shot at gathering the evidence we need to identify those responsible for the attack, disrupt their activities and bring them to justice.

"Anyone in Australia who believes they are the victim of a cybercrime should immediately contact ReportCyber at report.cyber.gov.au. If there is an imminent threat to your safety, call Triple Zero.

"Outcomes like this would not be possible without the ability of the AFP to engage with law enforcement around the world and coordinate responses."