{
	"id": "42387c27-de91-46ad-a171-c424cb8d6003",
	"created_at": "2026-04-06T15:52:12.052882Z",
	"updated_at": "2026-04-10T03:29:39.732156Z",
	"deleted_at": null,
	"sha1_hash": "b6e202c30219866cbf7e8d5dbf937f7dc7435476",
	"title": "Justice Department Disrupts Prolific ALPHV/Blackcat Ransomware Variant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 42620,
	"plain_text": "Justice Department Disrupts Prolific ALPHV/Blackcat\r\nRansomware Variant\r\nPublished: 2023-12-18 · Archived: 2026-04-06 15:33:27 UTC\r\nThe Justice Department announced today a disruption campaign against the Blackcat ransomware group — also\r\nknown as ALPHV or Noberus — that has targeted the computer networks of more than 1,000 victims and caused\r\nharm around the world since its inception, including networks that support U.S. critical infrastructure.\r\nOver the past 18 months, ALPHV/Blackcat has emerged as the second most prolific ransomware-as-a-service\r\nvariant in the world based on the hundreds of millions of dollars in ransoms paid by victims around the world.\r\n Due to the global scale of these crimes, multiple foreign law enforcement agencies are conducting parallel\r\ninvestigations. \r\nThe FBI developed a decryption tool that allowed FBI field offices across the country and law enforcement\r\npartners around the world to offer over 500 affected victims the capability to restore their systems. To date, the\r\nFBI has worked with dozens of victims in the United States and internationally to implement this solution, saving\r\nmultiple victims from ransom demands totaling approximately $68 million.  As detailed in a search warrant\r\nunsealed today in the Southern District of Florida, the FBI has also gained visibility into the Blackcat ransomware\r\ngroup’s computer network as part of the investigation and has seized several websites that the group operated.\r\n“In disrupting the BlackCat ransomware group, the Justice Department has once again hacked the hackers,” said\r\nDeputy Attorney General Lisa O. Monaco. “With a decryption tool provided by the FBI to hundreds of\r\nransomware victims worldwide, businesses and schools were able to reopen, and health care and emergency\r\nservices were able to come back online. 
We will continue to prioritize disruptions and place victims at the center\r\nof our strategy to dismantle the ecosystem fueling cybercrime.”\r\n“The FBI continues to be unrelenting in bringing cybercriminals to justice and determined in its efforts to defeat\r\nand disrupt ransomware campaigns targeting critical infrastructure, the private sector, and beyond,” said FBI\r\nDeputy Director Paul Abbate. “Helping victims of crime is the FBI’s highest priority and is reflected here in the\r\nprovision of tools to assist those victimized in decrypting compromised networks and systems. The FBI will\r\ncontinue to aggressively pursue these criminal actors wherever they attempt to hide and ensure they are brought to\r\njustice and held accountable under the law.”\r\n“At the Justice Department, we prioritize victim safety and security,” said Acting Assistant Attorney General\r\nNicole M. Argentieri of the Justice Department’s Criminal Division. “In this case, agents and prosecutors worked\r\ntirelessly to restore victim networks, but these actions are not the culmination of our efforts, they are just the\r\nbeginning. Criminal actors should be aware that the announcement today is just one part of this ongoing effort.\r\nGoing forward, we will continue our investigation and pursue those behind Blackcat until they are brought to\r\njustice.”\r\nhttps://www.justice.gov/opa/pr/justice-department-disrupts-prolific-alphvblackcat-ransomware-variant\r\nPage 1 of 3\n\n“Today’s announcement highlights the Justice Department’s ability to take on even the most sophisticated and\r\nprolific cybercriminals,” said U.S. Attorney Markenzy Lapointe for the Southern District of Florida. “As a result\r\nof our office’s tireless efforts, alongside FBI Miami, U.S. 
Secret Service, and our foreign law enforcement\r\npartners, we have provided Blackcat’s victims, in the Southern District of Florida and around the world, the\r\nopportunity to get back on their feet and to fortify their digital defenses. We will continue to focus on holding the\r\npeople behind the Blackcat ransomware group accountable for their crimes.”\r\nAccording to the unsealed warrant, Blackcat actors have compromised computer networks in the United States\r\nand worldwide. The disruptions caused by the ransomware variant have affected U.S. critical infrastructure –\r\nincluding government facilities, emergency services, defense industrial base companies, critical manufacturing,\r\nand healthcare and public health facilities – as well as other corporations, government entities, and schools. The\r\nloss amount globally is in the hundreds of millions and includes ransom payments, destruction and theft of\r\nproprietary data, and costs associated with incident response.\r\nBlackcat uses a ransomware-as-a-service model in which developers are responsible for creating and updating\r\nransomware and for maintaining the illicit internet infrastructure. Affiliates are responsible for identifying and\r\nattacking high-value victim institutions with the ransomware. After a victim pays, developers and affiliates share\r\nthe ransom.\r\nBlackcat actors employ a multiple extortion model of attack. Before encrypting the victim system, the affiliate will\r\nexfiltrate or steal sensitive data. The affiliate then seeks a ransom in exchange for decrypting the victim’s system\r\nand not publishing the stolen data. Blackcat actors attempt to target the most sensitive data in a victim’s system to\r\nincrease the pressure to pay. 
Blackcat actors rely on a leak site available on the dark web to publicize their attacks.\r\nWhen a victim refuses to pay a ransom, these actors commonly retaliate by publishing stolen data to a leak\r\nwebsite where it becomes publicly available.\r\nThe FBI Miami Field Office is leading the investigation.\r\nTrial Attorneys Christen Gallagher and Jorge Gonzalez of the Criminal Division’s Computer Crime and\r\nIntellectual Property Section and Assistant U.S. Attorneys Kiran Bhat and Brooke Watson for the Southern District\r\nof Florida are handling the case.\r\nThe Justice Department also recognizes the critical cooperation of Germany’s Bundeskriminalamt and Zentrale\r\nKriminalinspektion Göttingen, Denmark’s Special Crime Unit, and Europol. Significant assistance was provided\r\nby the U.S. Secret Service and the U.S. Attorney’s Office for the Eastern District of Virginia. The Justice\r\nDepartment’s Office of International Affairs and the Cyber Operations International Liaison also provided\r\nsignificant assistance. Additionally, the following foreign law enforcement authorities provided substantial\r\nassistance and support: the Australian Federal Police, the United Kingdom’s National Crime Agency and Eastern\r\nRegion Special Operations Unit, Spain’s Policia Nacional, Switzerland’s Kantonspolizei Thurgau, and Austria’s\r\nDirectorate State Protection and Intelligence Service.\r\nVictims of Blackcat ransomware are strongly encouraged to contact their local FBI field office at\r\nwww.fbi.gov/contact-us/field-offices for further information and to determine what assistance may be available. \r\nBlackcat affiliates have gained initial access to victim networks through a number of methods, including\r\nleveraging compromised user credentials to gain initial access to the victim system. 
More information about the\r\nmalware, including technical information about indicators of compromise and recommendations to mitigate its\r\neffects, is available from the FBI at www.ic3.gov/Media/News/2022/220420.pdf.\r\nAdditional information regarding law enforcement’s ongoing investigation into Blackcat is available\r\nat www.justice.gov/media/1329536/dl?inline.\r\nIf you have information about Blackcat, their affiliates, or activities, you may be eligible for a reward through the\r\nDepartment of State’s Rewards for Justice program. Information can be submitted through the following Tor-based tip line (Tor browser required): he5dybnt7sr6cm32xt77pazmtm65flqy6irivtflruqfc5ep7eiodiad.onion. \r\nFor more information about rewards for information on foreign malicious cyber activity against U.S. critical\r\ninfrastructure, visit https://rfj.tips/SDT55f.\r\nSource: https://www.justice.gov/opa/pr/justice-department-disrupts-prolific-alphvblackcat-ransomware-variant",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.justice.gov/opa/pr/justice-department-disrupts-prolific-alphvblackcat-ransomware-variant"
	],
	"report_names": [
		"justice-department-disrupts-prolific-alphvblackcat-ransomware-variant"
	],
	"threat_actors": [
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775490732,
	"ts_updated_at": 1775791779,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b6e202c30219866cbf7e8d5dbf937f7dc7435476.pdf",
		"text": "https://archive.orkl.eu/b6e202c30219866cbf7e8d5dbf937f7dc7435476.txt",
		"img": "https://archive.orkl.eu/b6e202c30219866cbf7e8d5dbf937f7dc7435476.jpg"
	}
}