
    Ransomware Groups Quickly Recovering After Law Enforcement Actions

    Just two months following the FBI’s disruption of the BlackCat ransomware group, the hackers are already back in action. Their latest attack is causing significant disruptions at pharmacies across the US.

    The US Department of Justice celebrated a victory just six days before Christmas in the fight against ransomware. An FBI-led international operation targeted the notorious BlackCat or AlphV hacking group. The operation released decryption keys to foil ransom attempts against hundreds of victims and seized the group’s dark web sites used for threats and extortion. Deputy Attorney General Lisa Monaco stated, “In disrupting the BlackCat ransomware group, the Justice Department has once again hacked the hackers.”

    However, just over two months later, it appears that the hackers are far from disrupted. For the past week, BlackCat has been holding medical firm Change Healthcare hostage, affecting software in hospitals and pharmacies across the United States. This has led to delays in drug prescriptions for an unknown number of patients.

    The ongoing attack on Change Healthcare, first reported as a BlackCat attack by Reuters, highlights a grim reality of the ransomware epidemic. It not only shows the severity and duration of attacks but also suggests that law enforcement’s victories against ransomware groups are short-lived. Hackers targeted in busts seem to quickly rebuild and resume their attacks.

    Allan Liska, a ransomware researcher for cybersecurity firm Recorded Future, explains, “Because we can’t arrest the core operators that are in Russia or in areas that are uncooperative with law enforcement, we can’t stop them.” Law enforcement efforts often focus on infrastructure takedowns or aiding victims, without apprehending the attackers themselves. Liska adds, “The threat actors just need to regroup, get drunk for a weekend, and then start right back up.”

    In a recent operation, the UK’s National Crime Agency led a takedown against the Lockbit ransomware group. Despite the effort, Lockbit has already launched a new dark web site to continue extorting victims, displaying countdown timers for each victim before dumping their stolen data online.

    These operations have had some impact: BlackCat listed fewer victims on its dark web site in February than in December before the FBI’s takedown. Lockbit, for its part, may be downplaying the effects of the recent bust to maintain trust among its affiliate partners.

    Ransomware groups’ ability to recover quickly from law enforcement operations highlights the challenges in combating this threat. The increasing sophistication of the ransomware economy allows hackers to quickly purchase tools or buy access to breached organizations. However, law enforcement operations help to degrade this economy by creating distrust among hackers.

    Emsisoft’s Brett Callow notes that disruption efforts alone are unlikely to solve the ransomware problem. A comprehensive strategy is needed, including improved security for potential victims, sanctions on ransomware actors, tighter regulations on cryptocurrency, and possibly laws banning ransomware payments. Callow emphasizes, “Disruption efforts need to be part of a multi-pronged strategy, tightening the screws on every single bit of the ransomware ecosystem.”
