The BlackCat ransomware group, also known as ALPHV, has targeted the Austrian federal state of Carinthia, demanding $5 million to unlock the encrypted devices. The attack happened on Tuesday and has caused significant operational disruption to government systems, with the threat actor reportedly locking thousands of workstations.
Carinthia's website and email services are temporarily unavailable, and the government is unable to issue new passports or traffic fines. The intrusion also halted the processing of COVID-19 tests and contact tracing through the region’s administrative offices.
According to Gerd Kurath, a state spokesperson, the hackers offered to deliver a working decryption tool for $5 million. However, Euractiv was told that the attacker’s demands would not be honored. The press spokesperson further revealed that there is presently no evidence that BlackCat succeeded in stealing data from the state’s networks, and the plan is to restore the workstations from backups.
According to Kurath, the first of the 3,000 affected systems should be operational again today. At the time of writing, there is no material from Carinthia on BlackCat’s data leak site, where the hackers post files taken from victims who did not pay a ransom. This may indicate that the incident is recent or that discussions with the victim are still ongoing.
In November 2021, the ALPHV/BlackCat ransomware gang emerged as one of the more advanced ransomware operations. They are a rebrand of the DarkSide/BlackMatter gang, which was responsible for the attack on the Colonial Pipeline last year. At the start of 2022, BlackCat affiliates launched attacks on high-profile companies and brands, including the Moncler fashion group and the airline freight handling services provider Swissport.
By the end of the first quarter of the year, the FBI had issued a warning that BlackCat had infiltrated at least 60 companies worldwide, cementing its position as one of the most active and dangerous ransomware operations. The attack on Carinthia and the hefty ransom demand show that the threat actor targets businesses that can afford to pay a considerable sum of money to have their systems decrypted and avoid further financial losses from protracted operational disruption.