Over 500 companies such as MGM Resorts and Caesars Entertainment that have been victimized in an ongoing wave of extortion-based cyberattacks have been offered a new decryption tool developed by the FBI. The new software tool can unlock computer networks that have been hijacked by certain, widespread ramsonware variants.
The software tool is an element of a disruption campaign aimed at the hacking groups behind the attacks, which are described as loosely connected, English-speaking individuals working in concert with Russia-based software teams that have specialized in cybercrime. MGM and Caesars were victimized by a virus known as ALPHV, a variant in a ransomware family also known as Blackcat (its original name) or Noberus.
The FBI's announcement claims that it has already saved several dozen companies from paying about $68 million to extortionists. The dozens of corporate victims already assisted by the decryption tool likely represent only a few percent of affected companies. The FBI believes more than 1,000 companies have alreadybeen targeted.
MGM Resorts, which lost roughly $100 million in revenue to downtime caused by the September cyberattack, is among the victims who have suffered the largest financial hit. MGM did not pay off the extortionists, though Caesars did, ultimately sending about half of what was a $30 million ransom demand to the hackers.
Aggressive pursuit of cybercriminals
“The FBI continues to be unrelenting in bringing cybercriminals to justice and determined in its efforts to defeat and disrupt ransomware campaigns targeting critical infrastructure, the private sector, and beyond,” said FBI Deputy Director Paul Abbate. “Helping victims of crime is the FBI’s highest priority and is reflected here in the provision of tools to assist those victimized in decrypting compromised networks and systems. The FBI will continue to aggressively pursue these criminal actors wherever they attempt to hide and ensure they are brought to justice and held accountable under the law.”
“At the Justice Department, we prioritize victim safety and security,” said Acting Assistant Attorney General Nicole M. Argentieri of the Justice Department’s Criminal Division. “In this case, agents and prosecutors worked tirelessly to restore victim networks, but these actions are not the culmination of our efforts, they are just the beginning. Criminal actors should be aware that the announcement today is just one part of this ongoing effort. Going forward, we will continue our investigation and pursue those behind Blackcat until they are brought to justice.”
Neither the FBI nor other law enforcement agencies within the US or abroad have arrested or publicly identified any of the hackers involved with the cyberattack wave, which has gone on for more than 18 months. The FBI has identified nearly 1,000 Tor network public/private key pairs associated with what it describes as the "Blackcat Ransomware Group," and recently executed a search warrant on a flash drive seized during a Miami-area investigation into the group's activities and possible members.