View All R&D Articles

Justice Department Announces Decryption Tools for ALPHV/Blackcat Ransomware

December 22, 2023

The Department of Justice (DOJ) has announced a disruption campaign against ALPHV, a ransomware group responsible for hundreds of attacks on businesses and critical U.S. infrastructure.

ALPHV, also known as Blackcat or Noberus, is a ransomware-as-a-service (RaaS) gang. RaaS groups “rent” malicious software to other bad actors, often receiving stolen data or a portion of ransoms as payment. The ALPHV group is believed to be the second-most prolific group of its type. 

But the DOJ has certainly paid attention to ALPHV’s success. This month, the Justice Department revealed a new decryption tool that has reportedly recovered data for more than 500 victims.

“In disrupting the BlackCat ransomware group, the Justice Department has once again hacked the hackers,” said Deputy Attorney General Lisa O. Monaco in a press release

“With a decryption tool provided by the FBI to hundreds of ransomware victims worldwide, businesses and schools were able to reopen, and health care and emergency services were able to come back online. We will continue to prioritize disruptions and place victims at the center of our strategy to dismantle the ecosystem fueling cybercrime.”

Ransomware decryption isn’t straightforward, and in some cases, it’s impossible.

The DOJ does not go into detail about the development of the new recovery tool. However, it’s likely that the Department was able to infiltrate the gang and/or seize key systems with encryption keys. 

Generally, ALPHV attacks follow this pattern:

  • Bad actors use social engineering and other tactics to gain access to crucial systems.
  • The actor also steals sensitive data, which can be resold or used for additional ransoms if the encryption ransom is paid. 
  • The ALPHV affiliate extorts the victim to pay via Bitcoin or another cryptocurrency, then shares any ransoms with the core ALPHV group. An important note: Paying ransoms for malware may be illegal for U.S. firms.
  • If the victim doesn’t pay, the stolen data is leaked or sold on the dark web.

The DOJ was able to successfully disrupt ALPHV with help from various international organizations including Germany’s Bundeskriminalamt and Zentrale Kriminalinspektion Göttingen, Denmark’s Special Crime Unit, and Europol.

Victims of Blackcat ransomware should contact their local FBI field office to determine what assistance may be available. 

While ALPHV has been disrupted, the gang is still active.

Unfortunately, defeating a ransomware gang isn’t easy — and ALPHV/Blackcat has quickly bounced back. The group immediately “reseized” its websites controlled by the FBI, and has retaliated against the DOJ by stating that it no longer restricts its malware from being used in attacks on hospitals, power plants, and other critical infrastructure.

According to the DOJ, ALPHV was already impacting those targets. Nevertheless, ALPHV/Blackcat attacks are expected to continue over 2024 unless the gang is brought to justice.

Some of ALPHV/Blackcat’s most significant attacks have allegedly included: provides an array of ransomware services to help businesses fight back.

From ransomware recovery to penetration (PEN) testing, disaster recovery deployment, and ransomware investigation, we’re dedicated to providing solutions supported by decades of experience. 

To learn more, submit a case online or call 1-800-237-4200 to speak with an expert.