FBI announces tool to combat ransomware tied to MGM cyberattack

The tool will allow users to unlock and recover their computer systems, according to the Justice Department.

The MGM Grand Hotel & Casino in Las Vegas.Ethan Miller / Getty Images file
SHARE THIS —

A coalition of U.S. and European law enforcement agencies has disrupted a ransomware operation, one of the largest currently active, that uses malicious software to lock up victims’ computer networks and demand payment, according to the Justice Department.

The department said Tuesday that it was releasing a decryption tool to help victims free their computer systems from the malicious software used by the group.

The strain of software, called Alphv, was most famously tied to the September cyberattack against MGM Resorts. It so successfully wormed into MGM networks that the company had to shut down substantial parts of their computer systems, leading to casino floor shutdowns, hotel keycards not working, and internal email outages. MGM later said in a Securities and Exchange Commission filing that the attack and its fallout cost them around $100 million.

Beyond the MGM hack, Alphv has been deployed against multiple U.S. hospitals and local governments in the last year, said Brett Callow, an analyst at the cybersecurity company Emsisoft.

Ransomware operations often put two kinds of pressure on a victim organization: by encrypting their computers to lock out their owners and by publishing private, potentially sensitive hacked material on a custom website on the dark web. The tactic has served as an effective method of extracting payment from numerous corporations and governments.

Alphv and a related strain of ransomware, Blackcat, have contributed to the collection of more than $200 million in ransom payments since late 2021, according to a spokesperson for Chainalysis, a company that tracks cryptocurrency payments.

Tuesday’s action seeks to counter both of those. Alphv’s website is now stripped of victim files, and instead displays a banner that reads that it has been seized by law enforcement. 

Alphv and the MGM hack represented a significant escalation in disparate cybercriminal groups working together.

The hackers who gained initial access to the MGM operations appeared to be a small group of young native English speakers who partnered with the Russian-speaking Alphv developers. The FBI previously said they are investigating those English-speaking hackers, but law enforcement has yet to announce any action against them.

In a sworn affidavit associated with a search warrant related to the case, an FBI agent said that law enforcement has been aided by a confidential informant “who routinely provides reliable information related to ongoing cybercrime investigations.”

Alphv is developed from previous ransomware strains, including the one that was used to shut down the payment systems of Colonial Pipeline in 2021, leading to some gas shortages in the U.S.

There is little indication that the Justice Department disruption will have lasting effects. The group developing Alphv primarily speaks Russian and is widely believed to reside in Russia, where Western law enforcement has no jurisdiction. Russian ransomware operators rarely face penalties from law enforcement there.