Change Healthcare Ransomware Attack: BlackCat Hackers Quickly Returned After FBI Bust

Six days before Christmas, the US Department of Justice loudly announced a win in the ongoing fight against the scourge of ransomware: An FBI-led, international operation had targeted the notorious hacking group known as BlackCat or AlphV, releasing decryption keys to foil its ransom attempts against hundreds of victims and seizing the dark web sites it had used to threaten and extort them. “In disrupting the BlackCat ransomware group, the Justice Department has once again hacked the hackers,” deputy attorney general Lisa Monaco declared in a statement.

Two months and one week later, however, those hackers don’t appear particularly “disrupted.” For the last seven days and counting, BlackCat has held hostage the medical firm Change Healthcare, crippling its software in hospitals and pharmacies across the United States, leading to delays in drug prescriptions for an untold number of patients.

The ongoing outage at Change Healthcare, first reported to be a BlackCat attack by Reuters, represents a particularly grim incident in the ransomware epidemic not just due to its severity, its length, and the potential toll on victims’ health. Ransomware-tracking analysts say it also illustrates how even law enforcement’s wins against ransomware groups appear to be increasingly short-lived, as the hackers that law enforcement target in carefully coordinated busts simply rebuild and restart their attacks with impunity.

“Because we can’t arrest the core operators that are in Russia or in areas that are uncooperative with law enforcement, we can’t stop them,” says Allan Liska, a ransomware-focused researcher for cybersecurity firm Recorded Future. Instead, Liska says, law enforcement often has had to settle for spending months or years arranging takedowns that target infrastructure or aid victims, but without laying hands on the attacks’ perpetrators. “The threat actors just need to regroup, get drunk for a weekend, and then start right back up,” Liska says.


In another, more recent bust, the UK’s National Crime Agency last week led a broad takedown effort against the notorious Lockbit ransomware group, hijacking its infrastructure, seizing many of its cryptocurrency wallets, taking down its dark web sites, and even obtaining information about its operators and partners. Yet less than a week later, Lockbit has already launched a fresh dark web site where it continues to extort its victims, showing countdown timers for each one that indicate the remaining days or hours before it dumps their stolen data online.

None of that means law enforcement’s BlackCat or Lockbit operations haven’t had some effect. BlackCat listed 28 victims on its dark web site for February so far, a significant drop from the 60-plus Recorded Future counted on its site in December prior to the FBI’s takedown. (Change Healthcare isn’t listed among BlackCat’s current victims on its site, though the hackers reportedly took credit for the attack, according to ransomware-tracking site Breaches.net. Change Healthcare also didn’t respond to WIRED’s request for comment on the cyberattack.)

Lockbit, for its part, may be hiding the extent of its disruption behind the bluster of its new leak site, argues Brett Callow, a ransomware analyst at security firm Emsisoft. He says that the group is likely downplaying last week’s bust in part to avoid losing the trust of its affiliate partners, the hackers who penetrate victim networks on Lockbit’s behalf and might be spooked by the possibility that Lockbit has been compromised by law enforcement.
