ALPHV/BlackCat Ransomware Attack on Ultra Intelligence

ALPHV Ransomware Attack on US Firm Ultra Intelligence & Communications

The ALPHV/BlackCat group, a Russian-linked ransomware-as-a-service operation, claims to have hacked a US-based intelligence and communications company, Ultra Intelligence & Communications. Hackers affiliated with the ALPHV ransomware group posted the claim of a cyber attack against Ultra Intelligence & Communications. Despite the claim, the company’s website appeared to be functioning normally, with no visible signs of damage.

About the ALPHV/Blackcat Ransomware Attack on Ultra Intelligence & Communications

On December 27, 2023, Ultra Intelligence and Communications was listed on the group’s dark web data leak site. Investigations into the impact of the cyberattack on Ultra Intelligence and Communications, and into what ransom the ALPHV group has demanded, are ongoing.

Users of the company’s GCMI technology include the US Department of Defense, the FBI, the DEA, NATO and AT&T, and many other customers rely on Ultra Intelligence and Communications for critical tactical capabilities such as cybersecurity and remote cryptographic management.

Ultra I&C’s most advanced offering is its control and intelligence capability, which helps warfighting organisations achieve better situational awareness, speed up information dissemination and decisions, and thereby reach better decision-making outcomes.

What is ALPHV/Blackcat Ransomware and How Does it Work?

ALPHV/BlackCat is a ransomware-as-a-service (RaaS) operation: the core group develops and maintains the ransomware and its supporting infrastructure, while the actual intrusions, including spearphishing and data exfiltration, are carried out by affiliates who use those tools to encrypt victim data. This division of labour lets the group run far larger campaigns against a wide range of target organisations, and many other ransomware operations follow the same model.

ALPHV/BlackCat achieves this by combining strong encryption with detection-evasion techniques, and its affiliates chain together a large number of MITRE ATT&CK TTPs over the course of an intrusion to inflict damage over time. MITRE ATT&CK is a knowledge base of the tactics, techniques and procedures (TTPs) that attackers use, described in terms that practitioners can fully understand and act on.

Although the ALPHV/BlackCat website was taken down by the FBI in 2023, organisations need to keep their guard up and invest in strong cyber defences, for example by implementing the NIST Cybersecurity Framework, to prevent attacks from the next generation of ransomware groups.

ALPHV/BlackCat Ransomware FBI Seizure

The FBI’s takedown disrupted ALPHV/BlackCat, but shortly after it was made public the group claimed to have re-seized its domain and website. The seizure was a significant win against this particular ransomware threat, yet organisations whose systems lack robust cyber defences must keep taking every step to avoid falling victim to a different ransomware variant.

ALPHV/BlackCat Ransomware Attack MITRE ATT&CK TTPs

Here are some of the MITRE ATT&CK TTPs related to the ALPHV/BlackCat ransomware group:

  • T1082: Threat actors gain initial access to the target network by exploiting a vulnerability in a computer or network service, or through weak, default or guessable passwords, after which they can deploy ransomware.
  • T1070: The attackers use phishing emails or malicious attachments and links to lure unsuspecting users into executing a malware payload such as ransomware.
  • T1243: Execution Without Authorization: The adversary installs unapproved software on the targeted host, ultimately to deploy the ransomware file.
  • T1204: The adversary places the ransomware payload on the remote system and spreads it to other systems within the environment.

These MITRE ATT&CK TTPs both give insight into ALPHV/BlackCat ransomware attacks and suggest defence strategies, since they illustrate how real-world attackers use these techniques to achieve their objectives. Organisations can map their controls against them to improve their cybersecurity posture.

For more cybersecurity news and updates, follow us on Cybersecurity – The SOC Labs.


Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The SOC Labs assumes no liability for the accuracy or consequences of using this information.

