ALPHV/Blackcat Targets U.S. and Canadian Energy, Gas and Oil Companies: Trans-Northern Pipeline, Rush Energy, Lower Valley Energy, Sercide

ALPHV/Blackcat Targeted Energy, Oil and Gas Sector Companies in the U.S. and Canada

In recent cyberattacks, the notorious ALPHV/Blackcat ransomware group targeted energy sector companies in the U.S., Canada, and Spain.

ALPHV/Blackcat Targeted Trans-Northern Pipeline (A Canadian Oil and Gas Industry Company)

On February 13, 2024, the ALPHV/Blackcat ransomware group posted Trans-Northern Pipeline (TNPI) on its dark web data leak website. In November 2023, the ALPHV/BlackCat ransomware gang penetrated Trans-Northern Pipelines’ internal network. TNPI is now investigating the group's claim that it stole 190 GB of data.

Alphv/Blackcat Post on Trans-Northern Pipeline, a Canadian Oil and Gas Company

TNPI has a capacity of 221,300 barrels (35,200 m³) per day. It operates 850 km (528 miles) of pipeline in southern Ontario and Quebec and another 320 km (198 miles) in Alberta. In a press release, TNPI said: “We have worked with third-party cybersecurity experts, and the incident was quickly contained. We continue to safely operate our pipeline systems. We are aware of posts on the dark web claiming to contain company information, and we are investigating those claims.”

ALPHV/Blackcat Targets Energy Sector Companies Across the U.S., Canada, and Spain

In addition to the Trans-Northern Pipeline, over the past 72 hours, the ransomware group has listed several critical infrastructure targets from the energy sector across various Western countries. These targets include:

1. Lower Valley Energy (US): This is a U.S.-based energy company.

2. Sercide (Spain): SerCide is a Spanish energy company.

3. Rush Energy (Canada): Rush Energy is a Canadian energy company.

ALPHV/Blackcat Known For Targeting Critical Infrastructure

ALPHV/Blackcat is one of the most active groups operating under the ransomware-as-a-service model. It began operations in November 2021, going after critical infrastructure organisations across the US. Security researchers and dark web security communities broadly agree that ALPHV/Blackcat stemmed from the DarkSide and BlackMatter ransomware gangs, whose members allegedly left to start their own gang. In 2023, according to ransomware.live, ALPHV (aka Blackcat/BlackCat) ranked second by number of cyberattacks, behind LockBit.

ALPHV/Blackcat Ransomware Attacks in 2023 – Source: Ransomware.live

On December 19, 2023, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint cybersecurity advisory (CSA) to disseminate known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with the ALPHV/Blackcat ransomware-as-a-service (RaaS). According to the FBI, as of September 2023 the ALPHV/BlackCat ransomware gang had targeted and successfully extorted more than 1,000 victims in over 70 countries, collecting over $300 million in ransom payments.

In addition, the U.S. Department of Justice (DOJ) announced in an official statement that it had seized the ALPHV/Blackcat ransomware infrastructure; however, hours after the FBI’s disclosure, the group claimed to have unseized its domain and website.

These attacks come at a time when FBI Director Christopher Wray warns of threats from Chinese Volt Typhoon hackers to U.S. critical infrastructure.

As ransomware attacks increase significantly, organizations should treat cybersecurity with the utmost seriousness and implement the preventive measures needed to counter ransomware attacks.



Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The SOC Labs assumes no liability for the accuracy or consequences of using this information.

 

