The US Department of Justice announced on the 19th of December an operation against the BlackCat ransomware group, with a seizure message appearing on the group's leak website. However, on the 20th this seizure message was removed and replaced with a message from BlackCat announcing that the site was no longer under seizure and that they were continuing their operation.
Seizing a dark web website is not like seizing a surface web website: if both law enforcement and the cybercriminals hold the site's private key (the key that controls its dark web address), each of them can publish edits to the blog, and the two sides can engage in a back and forth for control.
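To make that point concrete, here is an added example (not code from the original article) in Python that derives a v3 onion address from a service's ed25519 public key as specified in Tor's rend-spec-v3, using a constructed key rather than any real site's key. Because the address is a pure function of the key and there is no registrar to update, whoever holds the matching private key can publish at that address, which is why a seizure without exclusive key control can be reversed.

```python
import base64
import hashlib

# rend-spec-v3: onion_address = base32(PUBKEY || CHECKSUM || VERSION) + ".onion"
# CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2], VERSION = 0x03
VERSION = b"\x03"


def onion_checksum(pubkey: bytes) -> bytes:
    """Two-byte checksum that binds the address to the key bytes and version."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + VERSION).digest()[:2]


def onion_address(pubkey: bytes) -> str:
    """Derive the 56-character v3 .onion name from a 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("v3 onion services use a 32-byte ed25519 public key")
    raw = pubkey + onion_checksum(pubkey) + VERSION  # 35 bytes = 280 bits = 56 base32 chars
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_onion_address(addr: str) -> bytes:
    """Recover the public key from a v3 address, rejecting bad checksum or version."""
    name = addr.strip().lower()
    if name.endswith(".onion"):
        name = name[:-len(".onion")]
    if len(name) != 56:
        raise ValueError("not a v3 onion address")
    raw = base64.b32decode(name.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != VERSION or checksum != onion_checksum(pubkey):
        raise ValueError("checksum/version mismatch")
    return pubkey


def key_controls_address(pubkey: bytes, addr: str) -> bool:
    """True if this public key is the one the address is derived from."""
    try:
        return parse_onion_address(addr) == pubkey
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed key for illustration only; a real service's key lives in its hs_ed25519_* files.
    demo_key = bytes(range(32))
    addr = onion_address(demo_key)
    print(addr)  # every v3 address is 56 chars and ends in "d" (the version byte 0x03)
    print(key_controls_address(demo_key, addr))
```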
Along with the announcement that the blog was back, the post linked to a new Russian language blog that introduced new rules for the group, including a policy change allowing their ransomware strains to be used against critical national infrastructure. Industry experts, however, dismiss this as an empty threat: the attention that attacking CNI brings is not worth the gains that may follow, and cybercriminals are more likely to aim for more discreet, smaller targets and attack them more frequently.
BlackCat has also decided to remove the additional cost it charges affiliates for working with it, and has banned offering discounts to companies it has compromised in the past.
Industry experts believe that this move by the ransomware group is largely intended to attract additional customers, since affiliates are likely to move away from the BlackCat product over concerns about its security and the threat of law enforcement, with BlackCat customers expected to move to other ransomware providers.
Analysts monitoring the dark web have also found evidence of other ransomware groups already trying to poach BlackCat developers, which will be a further blow to the organisation's reputation.