Russian-led hacking group disrupted as Australian businesses regain access to critical data

A number of Australian businesses that fell victim to Russian-led ransomware criminals will receive a decryption tool to restore their systems.

The AFP provided substantial assistance to an international operation to disrupt the BlackCat ransomware group, which is estimated to have cost victims around the world hundreds of millions of dollars.

Several websites operated by the cyber actors have been taken down after a global operation led by the FBI and involving the AFP and agencies in Europe and North America.

AFP Cyber Command Assistant Commissioner Scott Lee said at least 56 businesses and government agencies in Australia had been targeted by BlackCat – also known as ALPHV or Noberus – over the past year.

Assistant Commissioner Lee said the AFP had provided significant intelligence and data to the international investigation to disrupt BlackCat’s operations.

“This ransomware group first came to law enforcement attention in 2021 and has had a significant impact on the Australian community and on entities around the world,” Assistant Commissioner Lee said.

“We have so far identified 56 Australian-based victims across both corporate and government sectors and we are engaging with victims to provide decryption keys to restore their systems where we can. Those decryption keys are similar to a password.”

Assistant Commissioner Lee said the AFP would continue to work with international partners, plus state and territory law enforcement agencies in Australia, to assist in their investigations, and provide crucial information to affected businesses.

He said BlackCat unlawfully infiltrated the systems of a number of Australian businesses, stealing sensitive data and encrypting the networks, before demanding a ransom to enable the victims to access them.

“The unlawful activity by BlackCat had a severe impact on Australian businesses, many of which remain without access to some key systems.

“The AFP has worked closely with our Five Eyes Law Enforcement Group (FELEG) partner, the FBI, to ensure action was taken on behalf of Australian businesses,” Assistant Commissioner Lee said.

“The FBI developed a decryption tool that allowed law enforcement partners around the world to offer more than 400 affected victims the capability to restore their systems.”

The FBI also gained visibility into the BlackCat ransomware group’s computer network as part of the investigation and seized several websites that the group operated.

BlackCat uses a ransomware-as-a-service model, in which developers create and update ransomware and maintain illicit internet infrastructure.

The group’s affiliates identify high-value businesses and institutions to attack with the ransomware, stealing sensitive data and encrypting files so the victims cannot access them. The criminals then demand a ransom to decrypt the victim’s system and to not publish the stolen data.

BlackCat targeted the computer networks of victims around the world, including networks that supported critical infrastructure, universities, court systems, and major companies.

The global financial loss is estimated to be in the hundreds of millions of dollars, and includes ransom payments, destruction and theft of proprietary data, and costs associated with incident response.

The disruptive action against BlackCat is an example of the global outcomes the AFP is supporting with the Australian Signals Directorate (ASD) as part of the Joint Standing Operation, Operation Aquila.

Assistant Commissioner Lee said that in the past 18 months, millions of Australians had been affected by devastating cyber incidents, and that ransomware attacks were becoming more prevalent.

“On average, one cybercrime is reported every six minutes, with ransomware alone causing up to $3 billion in damages to the Australian economy every year,” he said.

“The Australian Government advises against paying ransoms.

“We urge anyone who has been the target of a BlackCat ransomware attack or any other ransomware breach and has not yet reported it, to report to police.

“If we are alerted to an incident in its earliest moments, we have our best shot at gathering the evidence we need to identify those responsible for the attack, disrupt their activities and bring them to justice.

“Outcomes like this would not be possible without the ability of the AFP to engage with law enforcement around the world and coordinate responses.

“Anyone in Australia who believes they are the victim of a cybercrime should immediately contact ReportCyber at report.cyber.gov.au. If there is an imminent threat to your safety, call Triple Zero.”

The Australian Cyber Security Centre also has a range of practical guides to help organisations protect themselves against ransomware attacks.
