The US Department of Justice has announced that the FBI has developed a “decryption tool” that will help companies victimized by the BlackCat ransomware group regain control of their computer systems. The “disruption campaign” against BlackCat, which is also known as ALPHV or Noberus, comes months after both MGM Resorts International and Caesars Entertainment were hit by cyberattacks.
“In disrupting the BlackCat ransomware group, the Justice Department has once again hacked the hackers,” said Deputy Attorney General Lisa O. Monaco in Tuesday’s press release. “With a decryption tool provided by the FBI to hundreds of ransomware victims worldwide, businesses and schools were able to reopen, and health care and emergency services were able to come back online. We will continue to prioritize disruptions and place victims at the center of our strategy to dismantle the ecosystem fueling cybercrime.”
The Justice Department said that so far, the FBI has helped dozens of victims of BlackCat cyberattacks restore their systems and save them from a total of about $68 million in ransom demands.
The FBI has also seized multiple websites operated by BlackCat.
BlackCat hit MGM in September, devastating the company and its many properties in the United States. Though properties stayed open, the company’s computer systems were hijacked. Hotel reservation systems went down, gaming machines were disabled, restaurant ordering systems stopped working, and more.
For banks of slot machines that did work, cash-out systems were out of order – casino staff, many of whom did not even normally work on the gaming floor, had to run back and forth to patrons to cash them out by hand.
It turned out that it didn’t take much effort for ALPHV/BlackCat to get into MGM’s systems. According to vx-underground, a group that curates the “largest collection of malware source code, samples, and papers on the internet,” the hackers used social engineering to accomplish their goal.
In a Twitter post, vx-underground said, “All ALPHV ransomware group did to compromise MGM Resorts was hop on LinkedIn, find an employee, then call the Help Desk.”
Basically, someone in the group researched MGM employee information, posed as said employee to gain the trust of someone at the internal help desk, and acquired the information they needed to get into the company’s systems. Once in, they deployed their software to hijack the company.
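The pattern described above, a help-desk reset obtained by impersonation, leaves a recognizable trail in ticketing and identity-provider logs: a credential reset that was not verified through a strong out-of-band method, followed minutes later by a new MFA device being enrolled for the same account. The script below is an added illustration of how a defender might flag that sequence; it is not code from the article, from MGM, or from any investigator. The log format, field names, verification labels, and sample events are all constructed for the example.

```python
"""Flag help-desk password resets that are quickly followed by a new MFA enrolment.

Added illustration; the log format, field names, and verification labels are
constructed for this example and do not come from any real product or incident.
"""
from datetime import datetime, timedelta

# How long after a reset a new MFA enrolment still counts as "part of the same episode".
WINDOW = timedelta(minutes=60)

# Verification methods a (hypothetical) help-desk policy treats as strong: the agent
# calls the employee back on a number already on file, confirms with the manager, or
# sees the person. Caller-ID or knowledge questions answerable from a public profile
# are treated as weak, since that is exactly what an impersonator can supply.
STRONG_VERIFICATION = {"callback", "manager_confirm", "in_person"}

# Constructed sample events: help-desk ticket actions and identity-provider audit records.
SAMPLE_LOG = """\
2023-09-08T14:02:11Z helpdesk ticket=HD-1001 action=password_reset user=j.doe agent=a.smith verified=callback
2023-09-08T14:05:40Z idp event=mfa_enroll user=j.doe device=phone-new ip=203.0.113.7
2023-09-08T14:03:00Z helpdesk ticket=HD-1002 action=password_reset user=m.lee agent=b.jones verified=caller_id
2023-09-08T14:09:12Z idp event=mfa_enroll user=m.lee device=phone-new ip=198.51.100.4
2023-09-08T14:20:30Z idp event=login user=m.lee ip=198.51.100.4 result=success
2023-09-09T09:00:00Z helpdesk ticket=HD-1003 action=password_reset user=k.ito agent=a.smith verified=callback
"""


def parse_line(line):
    """Split '<timestamp> <source> key=value ...' into a dict with a parsed timestamp."""
    ts_str, source, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    fields["source"] = source
    return fields


def parse_log(text):
    """Parse all non-empty lines and return them in chronological order."""
    events = [parse_line(line) for line in text.splitlines() if line.strip()]
    events.sort(key=lambda e: e["ts"])
    return events


def find_suspicious_resets(events, window=WINDOW):
    """Return one alert per (reset, MFA enrolment) pair on the same user inside the window.

    Severity is 'high' when the reset was approved with a weak verification method,
    'medium' otherwise (a strongly verified reset plus a new device still merits a look).
    """
    resets = [e for e in events if e["source"] == "helpdesk" and e.get("action") == "password_reset"]
    enrolls = [e for e in events if e["source"] == "idp" and e.get("event") == "mfa_enroll"]
    alerts = []
    for r in resets:
        for m in enrolls:
            if m["user"] != r["user"]:
                continue
            if not (r["ts"] <= m["ts"] <= r["ts"] + window):
                continue
            weak = r.get("verified") not in STRONG_VERIFICATION
            alerts.append({
                "user": r["user"],
                "ticket": r.get("ticket"),
                "verified": r.get("verified"),
                "minutes_to_enroll": int((m["ts"] - r["ts"]).total_seconds() // 60),
                "severity": "high" if weak else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_resets(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed sample the script raises a medium alert for j.doe (callback-verified reset, new device three minutes later) and a high alert for m.lee (caller-ID only, new device six minutes later); k.ito's reset produces nothing because no enrolment follows it. The point of the severity split is that the verification method recorded by the help desk, not the reset itself, is the signal that separates a routine ticket from the impersonation the article describes.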
MGM is back to normal, but it is estimated that the hack cost it around $100 million. Part of that monetary loss, however, was not a ransom. Speaking at the Global Gaming Expo in October, MGM CEO Bill Hornbuckle said that his company did not pay a ransom to the hackers.
Hornbuckle explained that it took about three days to figure out how to regain access to their systems, though the process of actually doing so was going to take a while. His team estimated that it would take just as long to jump through the hackers’ hoops after paying the ransom, so it wasn’t worth it to pay up.