As the ransomware-as-a-service (RaaS) industry grows, more ransomware players come into the mix. BlackCat, also known as ALPHV, is a growing ransomware threat with the ability to target multiple devices and operating systems.
ALPHV also stands out because of the programming language it is written in (Rust). The ransomware can target devices other than Windows, uses multiple points of entry, and has affiliations with multiple big-name threat actors.
ALPHV was first discovered in November 2021 and initially made headlines because it was written in Rust. Because the malware authors wrote the ransomware in a more modern language, the payload can evade detection with ease. The newer language may also prevent some security solutions from analyzing and parsing the ransomware’s binary. Microsoft has witnessed successful attacks infecting both Windows and Linux devices and even VMware instances.
ALPHV threat actors leveraging Microsoft Exchange server vulnerabilities
Microsoft is now reporting that the ALPHV ransomware is utilizing Microsoft Exchange vulnerabilities to exploit unpatched servers.
In one instance, Microsoft’s security team observed the threat actor(s) move laterally through a victim’s network, stealing data and credentials that were used for double extortion (threatening to release data if the ransom is not paid).
Two weeks after the compromise of the unpatched Exchange server, the adversary deployed the ALPHV payload to machines on the network using Microsoft’s tool, PsExec.
“While the common entry vectors for these threat actors include remote desktop applications and compromised credentials, we also saw a threat actor leverage Exchange server vulnerabilities to gain target network access,” stated the Microsoft 365 Defender Threat Intelligence Team.
Microsoft did not mention the Exchange vulnerabilities utilized in the attacks, but they linked to a security advisory from March 2021.
Microsoft also did not name the ransomware threat actors, but in a case study, they stated multiple cybercrime groups are utilizing this RaaS actively in the wild.
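The PsExec deployment step described above leaves a service-install record (Windows System log, Event ID 7045, default service name PSEXESVC) on each machine it reaches. The following is an added example, not code from Microsoft's report or from this article, that flags a burst of such installs across several hosts; the event dictionary layout, hostnames, timestamps and thresholds are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample: System-log events already exported to dicts.
# Field names, hosts and times are assumptions made for this example.
SAMPLE_EVENTS = [
    {"time": "2022-06-01T02:14:05", "host": "FS01", "event_id": 7045,
     "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"time": "2022-06-01T02:14:40", "host": "DB02", "event_id": 7045,
     "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"time": "2022-06-01T02:15:00", "host": "FS01", "event_id": 7036},
    {"time": "2022-06-01T02:15:10", "host": "WS17", "event_id": 7045,
     "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"time": "2022-06-01T02:16:02", "host": "WS18", "event_id": 7045,
     "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"time": "2022-06-01T03:00:00", "host": "WS18", "event_id": 7045,
     "service": "UpdaterSvc", "image": r"C:\Program Files\Upd\upd.exe"},
    {"time": "2022-06-01T09:30:00", "host": "ADM01", "event_id": 7045,
     "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
]

def psexec_installs(events):
    """Yield (time, host) for service installs that match default PsExec use."""
    for e in events:
        if e.get("event_id") != 7045:  # 7045 = "A service was installed"
            continue
        name = e.get("service", "").lower()
        image = e.get("image", "").lower()
        # PsExec's -r option renames the service, so this matches defaults only.
        if name == "psexesvc" or image.endswith("psexesvc.exe"):
            yield datetime.fromisoformat(e["time"]), e["host"]

def fanout_bursts(events, window=timedelta(minutes=10), min_hosts=3):
    """Return bursts where installs reach >= min_hosts hosts inside the window."""
    hits = sorted(psexec_installs(events))
    bursts, i = [], 0
    while i < len(hits):
        j, hosts = i, set()
        while j < len(hits) and hits[j][0] - hits[i][0] <= window:
            hosts.add(hits[j][1])
            j += 1
        if len(hosts) >= min_hosts:
            bursts.append({"start": hits[i][0], "end": hits[j - 1][0],
                           "hosts": sorted(hosts)})
            i = j  # skip past the burst just reported
        else:
            i += 1
    return bursts

if __name__ == "__main__":
    for b in fanout_bursts(SAMPLE_EVENTS):
        print(b["start"], "->", b["end"], b["hosts"])
```

A single administrator session, such as the 09:30 event on ADM01 in the sample, stays below the threshold; tune the window and host count to how PsExec is legitimately used in the environment.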
Cybercriminals are switching to ALPHV/BlackCat
A collective of cybercriminals tracked under the callsign FIN12 is known for deploying ransomware such as Conti, Hive, and Ryuk, which mainly targeted the healthcare sector.
“We’ve observed that this group added BlackCat to their list of distributed payloads beginning March 2022,” Microsoft explained.
“Their switch to BlackCat from their last used payload (Hive) is suspected to be due to the public discourse around the latter’s decryption methodologies.”
The ALPHV ransomware is also being deployed by another group tracked under the name DEV-0504. This group normally exfiltrates data from their victims utilizing the malware StealBit, which is provided by the “LockBit gang” as a part of their RaaS services.
DEV-0504 uses other ransomware such as BlackMatter (December 2021), Ryuk, REvil, Conti, and LockBit 2.0.
Microsoft suggests all organizations review their identity posture, update all vulnerable Microsoft Exchange servers, and monitor any outside access to their networks.
The threat grows
This past April the FBI released a flash alert warning of the new ransomware threat. They had observed the networks of over 60 organizations worldwide get encrypted by the new threat between November 2021 and March 2022.
“Many of the developers and money launderers for BlackCat/ALPHV are linked to Darkside/Blackmatter, indicating they have extensive networks and experience with ransomware operations,” the FBI indicated.
The real number of ALPHV victims is more than likely a lot higher than what has been observed by the threat analysis team. More than 480 samples were submitted to the ID-Ransomware platform between November 2021 and June 2022.
In the FBI’s April alert, they asked IT admins and security teams that run into ALPHV/BlackCat activity within their networks to gather and report any information they have to their local FBI Cyber unit.
Helpful information for cracking down on these threat actors includes “IP logs showing callbacks from foreign IP addresses, Bitcoin or Monero addresses and transaction IDs, communications with the threat actors, the decryptor file, and/or a benign sample of an encrypted file.”