Following actions taken against the infamous BlackCat ransomware group in December by the US Federal Bureau of Investigation (FBI), the cybercriminal gang has warned it is taking off the gloves in its fight with law enforcement. BlackCat previously took pride in regularly announcing that it did not encourage or support affiliates who targeted crucial sectors such as healthcare. But this approach has changed radically since the end of 2023.
“Since mid-December 2023, of the nearly 70 leaked victims, the healthcare sector has been the most commonly victimized. This is likely in response to the ALPHV Blackcat administrator’s post encouraging its affiliates to target hospitals after operational action against the group and its infrastructure in early December 2023,” said the FBI.
The attacks on healthcare mark a sea change in ransomware gangs’ approach to their victims. Just as traditional gangsters claimed that the ‘protection’ money they regularly demanded paid for safeguarding against other gangsters, so BlackCat employed the fiction that it was, in fact, working for the benefit of its victims by highlighting their security weaknesses.
According to the FBI: “ALPHV Blackcat affiliates offer to provide unsolicited cyber remediation advice as an incentive for payment, offering to provide victims with ‘vulnerability reports’ and ‘security recommendations’ detailing how they penetrated the system and how to prevent future re-victimization upon receipt of ransom payment.”
BlackCat’s mask is gradually slipping
But BlackCat’s ‘virtue-signalling’ mask is gradually slipping to reveal the ruthless ransomware group and its affiliates in their true light. BlackCat has now effectively given its affiliates the go-ahead to attack any organization they choose, regardless of the potentially life-threatening consequences of attacking healthcare facilities such as hospitals and encrypting and blocking potentially life-saving data.
BlackCat affiliates are well-practiced in using advanced social engineering techniques and open-source research on the target organization to gain initial access. According to the FBI, cybercriminals typically pose as company IT or helpdesk staff and use phone calls or SMS messages to obtain credentials from employees to access the target network.
The FBI urges companies that have been victimized or that have become targets of spoof messaging and phishing attacks to contact their local FBI field office.