The US Department of Justice has announced that the FBI has developed a “decryption tool” designed to help companies victimized by the BlackCat ransomware group regain control of their computer systems. The “disruption campaign” against BlackCat, also known as ALPHV or Noberus, comes months after both MGM Resorts International and Caesars Entertainment were hit by cyberattacks.
“By dismantling the BlackCat ransomware group, the Department of Justice has hacked the hackers again,” Assistant Attorney General Lisa O. Monaco said Tuesday in a press release. “With a decryption tool that the FBI made available to hundreds of ransomware victims worldwide, businesses and schools were able to reopen and health and emergency services were able to come back online. We will continue to prioritize disruption and put victims at the heart of our strategy to disrupt the ecosystem that fuels cybercrime.”
The Justice Department said the FBI has so far helped dozens of victims of BlackCat cyberattacks restore their systems and protect them from ransom demands totaling about $68 million.
The FBI also seized several websites operated by BlackCat.
BlackCat hit MGM in September, crippling the company and its many properties across the United States. Although the properties remained open, the company's computer systems were hijacked. Hotel reservation systems went down, slot machines were disabled, restaurant ordering systems stopped working, and much more.
On banks of slot machines that were still running, the payout systems did not work; casino employees, many of whom did not normally work on the casino floor, had to run back and forth to pay guests out by hand.
It turned out that it didn't take much effort for ALPHV/BlackCat to break into MGM's systems. According to vx-underground, a group that curates the “largest collection of malware source code, samples and articles on the Internet,” the hackers used social engineering to achieve their goal.
In a Twitter post, vx-underground said: “All the ALPHV ransomware group did to compromise MGM Resorts was hop on LinkedIn, find an employee and then call the help desk.”
Essentially, someone in the group researched an MGM employee's details, posed as that employee to gain the trust of someone at the internal help desk, and obtained the credentials or access they needed to get into the company's systems. Once inside, they deployed their ransomware to take over the company's systems.
MGM is back to normal, but it is estimated that the hack cost the company around $100 million. None of that loss was ransom money, however: MGM CEO Bill Hornbuckle said at the Global Gaming Expo in October that his company did not pay a ransom to the hackers.
Hornbuckle explained that it took about three days to figure out how to regain access to their systems, although actually restoring them would take a while longer. His team estimated that recovering would have taken the same amount of time even after paying the ransom, which made paying it not worthwhile.