BlackCat Ransomware Operation Disrupted! ???? Decryptor Released! ????

Dec 20 2023

Gone Phishing Banner

Welcome to Gone Phishing, your daily cybersecurity newsletter that all it wants for Christmas (cough cough hackers) is the #EpsteinClientList ????????????

Today’s hottest cybersecurity news stories:

  • ???? FBI skins BlackCat ransomware, releases free encryption tool ????

  • ???? Marty, it’s the Iranians! MuddyC2Go is a go, go… Oh no, no! ????

  • ???? PikaBot is scraping the bottom of the barrel in terms of malware ????

FBI says right BlackCat you scumbags ????????????

???? BlackCat Ransomware Operation Disrupted! ???? Decryptor Released! ????

In a major victory against cybercrime, the U.S. Justice Department has officially dismantled the BlackCat ransomware operation, providing victims with a decryption tool to unlock their files. ???????? Court documents reveal the FBI's strategic move, enlisting a confidential human source to hack the hackers by gaining access to BlackCat's web panel.

???? BlackCat, also known as ALPHV and Noberus, emerged in December 2021, becoming the second most prolific ransomware-as-a-service after LockBit. Notably, it's the first ransomware using the Rust language.

???? The FBI's efforts saved victims from $68 million in ransom demands, working closely with victims to implement the decryptor. The operation exposed the inner workings of BlackCat, collecting 946 key pairs used in TOR sites, leading to the group's dismantlement.

???? BlackCat, employing a ransomware-as-a-service model, compromised over 1,000 global victims, earning illicit revenues in the hundreds of millions. Its double extortion scheme pressured victims by exfiltrating sensitive data before encryption.

???? What's Next?

With BlackCat out of the picture, rival groups like LockBit are seizing the opportunity, actively recruiting displaced affiliates and resuming victim negotiations on their data leak site.

???? Kudos to the FBI for taking down BlackCat and safeguarding countless victims! ????????

The best eye and brain candy curated from all corners of the web

No news. No politics. No BS.

Just the good stuff

100% Free

MuddyC2Go before you go, go ????????????

???? Cyber Threat Alert: MuddyWater Strikes Telecom Sectors with MuddyC2Go! ????

The notorious Iranian nation-state actor, MuddyWater, has unleashed a new command-and-control (C2) framework called MuddyC2Go in targeted attacks on the telecommunications sectors in Egypt, Sudan, and Tanzania. ????

???? Muddying the Waters ????

Symantec's Threat Hunter Team, tracking this activity under the alias Seedworm, reveals MuddyWater's affiliation with Iran's Ministry of Intelligence and Security (MOIS) since 2017, focusing on entities in the Middle East. ????️‍♂️????

MuddyC2Go, a Golang-based successor to PhonyC2, grants remote access to victim systems via a PowerShell script, eliminating the need for manual execution. Recent intrusions in November 2023 employed SimpleHelp, Venom Proxy, a custom keylogger, and other publicly available tools.

The attack methodology includes weaponized phishing emails and exploiting unpatched application vulnerabilities for initial access, followed by reconnaissance, lateral movement, and data collection. Symantec details incidents targeting telecom organisations, utilising AnyDesk, SimpleHelp, and MuddyC2Go launchers.

Notably, MuddyWater adapts and evolves its toolset, emphasising the persistent use of PowerShell-related tools, urging organisations to monitor suspicious PowerShell activity.

???? Global Cyber Landscape Update ????

Meanwhile, an Israel-linked group, Gonjeshke Darande, claims responsibility for disrupting Iran's gas pumps in response to regional aggression. The group, associated with the Israeli Military Intelligence Directorate, resurfaced in October 2023 after a year of silence, conducting destructive attacks on Iranian facilities.

???? Catch of the Day!! ????????????

???? The Motley Fool: “Fool me once, shame on — shame on you. Fool me — you can't get fooled again.” Good ol’ George Dubya ???? Let us tell who’s not fooling around though; that’s the Crüe ???? at Motley Fool. You’d be a fool (alright, enough already! ????) not to check out their Share Tips from time to time so your savings can one day emerge from their cocoon as a beautiful butterfly! ???? Kidding aside, if you check out their website they’ve actually got a ton of great content with a wide variety of different investment ideas to suit most budgets ???? (LINK)


???? Wander: Find your happy place. Cue Happy Gilmore flashback ????️⛳????????️ Mmmm Happy Place… ???? So, we’ve noticed a lot of you guys are interested in travel. As are we! We stumbled upon this cool company that offers a range of breath-taking spots around the United States and, honestly, the website alone is worth a gander. When all you see about the Land of the free and the home of the brave is news of rioting, looting and school shootings, it’s easy to forget how beautiful some parts of it are. The awe-inspiring locations along with the innovative architecture of the hotels sets Wander apart from your run of the mill American getaway ????️???? (LINK)


???? Digital Ocean: If you build it they will come. Nope, we’re not talking about a baseball field for ghosts ???????? (Great movie, to be fair ????). This is the Digital Ocean who’ve got a really cool platform for building and hosting pretty much anything you can think of. If you check out their website you’ll find yourself catching the buzz even if you can’t code (guilty ????). But if you can and you’re looking for somewhere to test things out or launch something new or simply enhance what you’ve got, we’d recommend checking out their services fo’ sho ???? And how can you not love their slogan: Dream it. Build it. Grow it. Right on, brother! ???? (LINK)

My plumber’s here and I think I can PikaBot ????

???? Malware Alert: PikaBot Strikes in Malvertising Campaign! ????????

Beware, tech enthusiasts! The PikaBot malware loader is on the prowl, infiltrating systems through a cunning malvertising campaign that targets users searching for legit software like AnyDesk. ????️????

Discovered by Malwarebytes, PikaBot, previously distributed via malspam campaigns, has become the preferred payload for the notorious threat actor TA577 since early 2023. This malware family operates as a backdoor and payload distributor, granting unauthorised remote access to compromised systems.

TA577, a cybercrime heavyweight, utilises PikaBot to execute various malicious tools, including Cobalt Strike. The latest twist involves a malicious Google ad for AnyDesk leading victims to a fake website with a sneaky MSI installer hosted on Dropbox.

What's alarming is the sophistication of the malvertising chain, involving fingerprinting, redirection, and a second round of checks to avoid virtual environments. ????????

???? Malvertising on the Rise ????

Malwarebytes reports a surge in malicious ads on Google searches for popular software like Zoom, Advanced IP Scanner, and WinSCP. This wave introduces a new loader called HiroshimaNukes and FakeBat, both adept at bypassing detection mechanisms. ????????️‍♂️

As if that's not enough, a Chrome extension framework named ParaSiteSnatcher is making waves, designed to compromise users in Latin America. It manipulates web sessions and intercepts sensitive information.

Stay vigilant and ensure your cybersecurity measures are up to the challenge! ????????

????️ Extra, Extra! Read all about it!

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • The GeekAI: A daily 3 min newsletter on what matters in AI, with all the new AI things coming to market its good to stay ahead of the curve.

  • Libby Copa: The Rebel Newsletter helps writers strengthen their writing and creative practice, navigate the publishing world, and turn their art into an act of rebellion.

  • Techspresso: Receive a daily summary of the most important AI and Tech news, selected from 50+ media outlets (The Verge, Wired, Tech Crunch etc)

Let us know what you think!

So long and thanks for reading all the phish!

Recent articles