
BlackCat Ransomware aka “ALPHV” infections on the rise

by Kyle
June 16, 2022 - Updated on July 20, 2022
in Malware

As the ransomware-as-a-service (RaaS) industry grows, more ransomware players come into the mix. BlackCat, also known as ALPHV, is a growing ransomware threat with the ability to target multiple devices and operating systems.


ALPHV also stands out among ransomware families for the programming language it is written in (Rust). It can target devices other than Windows, uses multiple points of entry, and is affiliated with multiple big-name threat actors.

ALPHV was first discovered in November 2021 and initially made headlines because it was written in Rust. Because the malware authors wrote the ransomware in a more modern, less common language, the payload can evade detection with ease, and the unfamiliar language may also prevent some security solutions from analyzing and parsing the ransomware’s binary. Microsoft has witnessed successful attacks infecting both Windows and Linux devices, and even VMware instances.

ALPHV threat actors leveraging Microsoft Exchange server vulnerabilities

Microsoft is now reporting that ALPHV threat actors are exploiting Microsoft Exchange vulnerabilities on unpatched servers to get into target networks.

In one instance, Microsoft’s security team observed the threat actor(s) move laterally through a victim’s network, stealing credentials and data that were later used for double extortion (threatening to release the data if the ransom is not paid).

Two weeks after compromising the unpatched Exchange server, the adversary deployed the ALPHV payload to machines across the network using Microsoft’s Sysinternals tool PsExec.
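The PsExec deployment step described above leaves a footprint defenders can hunt for: PsExec copies a service binary to the target’s Windows directory and installs it as a temporary service, which the Service Control Manager records in the System event log as Event ID 7045. The script below is an added example written for this article; it is not code from the article or from Microsoft’s report. The key=value export format, the field names and the sample events are constructed for illustration, and the heuristic for renamed services (PsExec’s `-r` option lets the operator pick the service name) is an assumption that should be tuned per environment.

```python
"""Flag PsExec-style remote service installs in exported Windows System-log events.

Added example (not from the article or Microsoft's report). Assumes events were
exported as one 'key=value' line per event; the field names and sample lines
are constructed for illustration, not real telemetry.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Service Control Manager logs Event ID 7045 when a new service is installed.
SERVICE_INSTALL_EVENT_ID = 7045

# Default PsExec service name and binary name. With 'psexec -r <name>' the
# operator chooses the service name, so name matching alone is not enough.
DEFAULT_PSEXEC_NAME = "PSEXESVC"

# Heuristic (assumption): PsExec drops its service binary directly under
# %SystemRoot% and runs it as LocalSystem; legitimate services normally live
# in System32 or Program Files. Tune for your environment.
ROOT_DIRS = {"%SYSTEMROOT%", "C:\\WINDOWS"}

_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Finding:
    host: str
    service: str
    image_path: str
    confidence: str  # "high" or "medium"
    reason: str


def parse_event(line: str) -> dict:
    """Turn 'k=v k2="v with spaces"' into a dict; quoted values keep spaces."""
    return {k: v.strip('"') for k, v in _FIELD_RE.findall(line)}


def classify(event: dict) -> Optional[Finding]:
    """Return a Finding for a suspicious 7045 event, else None."""
    if event.get("EventID") != str(SERVICE_INSTALL_EVENT_ID):
        return None
    host = event.get("host", "?")
    name = event.get("ServiceName", "")
    image = event.get("ImagePath", "")
    account = event.get("Account", "")

    # Split the image path into its directory and executable name.
    directory, _, exe = image.rpartition("\\")

    # High confidence: the default PsExec service or binary name.
    if DEFAULT_PSEXEC_NAME in name.upper() or exe.upper() == DEFAULT_PSEXEC_NAME + ".EXE":
        return Finding(host, name, image, "high", "default PsExec service/binary name")

    # Medium confidence: renamed service, but installed in the %SystemRoot%
    # root as LocalSystem, which is how PsExec stages its binary.
    if directory.upper() in ROOT_DIRS and account.lower() == "localsystem":
        return Finding(host, name, image, "medium",
                       "LocalSystem service installed in %SystemRoot% root")
    return None


def find_psexec_service_installs(lines):
    """Scan exported event lines and return all findings in log order."""
    findings = []
    for line in lines:
        finding = classify(parse_event(line))
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_LOG = [
    r'ts=2022-06-01T10:02:11Z host=SRV-FILE01 EventID=7045 ServiceName=PSEXESVC '
    r'ImagePath="%SystemRoot%\PSEXESVC.exe" Account=LocalSystem',
    r'ts=2022-06-01T10:02:13Z host=WS-042 EventID=7036 ServiceName=PSEXESVC State=running',
    r'ts=2022-06-01T10:05:40Z host=WS-042 EventID=7045 ServiceName=upd-svc '
    r'ImagePath="%SystemRoot%\upd-svc.exe" Account=LocalSystem',
    r'ts=2022-06-01T10:06:02Z host=SRV-APP02 EventID=7045 ServiceName=Spooler '
    r'ImagePath="%SystemRoot%\System32\spoolsv.exe" Account=LocalSystem',
    r'ts=2022-06-01T10:07:19Z host=SRV-APP02 EventID=7045 ServiceName=MyAgent '
    r'ImagePath="C:\Program Files\Agent\agent.exe" Account=LocalSystem',
]

if __name__ == "__main__":
    for f in find_psexec_service_installs(SAMPLE_LOG):
        print(f"[{f.confidence}] {f.host}: service '{f.service}' -> {f.image_path} ({f.reason})")
```

Run against the constructed sample, the script flags the default PSEXESVC install on SRV-FILE01 as high confidence and the renamed `upd-svc` install on WS-042 as medium confidence, while ignoring the normal System32 and Program Files services and the 7036 state-change event. A 7045 burst of this kind across many hosts within minutes is the pattern to alert on.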

“While the common entry vectors for these threat actors include remote desktop applications and compromised credentials, we also saw a threat actor leverage Exchange server vulnerabilities to gain target network access,” stated the Microsoft 365 Defender Threat Intelligence Team.

Microsoft did not name the specific Exchange vulnerabilities used in the attacks, but linked to a security advisory from March 2021.

Microsoft also did not name the ransomware threat actors, but stated in a case study that multiple cybercrime groups are actively using this RaaS in the wild.

Figure: ALPHV entry via the Microsoft Exchange vulnerability. Source: Microsoft

Cybercriminals are switching to ALPHV/BlackCat

A collective of cybercriminals tracked under the callsign FIN12, known for deploying Conti, Hive, and Ryuk ransomware and for mainly targeting the healthcare sector, has now added ALPHV to its arsenal.

“We’ve observed that this group added BlackCat to their list of distributed payloads beginning March 2022,” Microsoft explained.

“Their switch to BlackCat from their last used payload (Hive) is suspected to be due to the public discourse around the latter’s decryption methodologies.”

The ALPHV ransomware is also being deployed by another group tracked under the name DEV-0504. This group normally exfiltrates data from its victims using the StealBit malware, which the “LockBit gang” provides as part of its RaaS services.

DEV-0504 has also used other ransomware, including BlackMatter (December 2021), Ryuk, REvil, Conti, and LockBit 2.0.

Microsoft suggests all organizations review their identity posture, update all vulnerable Microsoft Exchange servers, and monitor any outside access to their networks.

The threat grows

This past April, the FBI released a flash alert warning of the new ransomware threat. Between November 2021 and March 2022, it had observed the networks of over 60 organizations worldwide encrypted by the new threat.

“Many of the developers and money launderers for BlackCat/ALPHV are linked to DarkSide/BlackMatter, indicating they have extensive networks and experience with ransomware operations,” the FBI indicated.

The real number of ALPHV victims is most likely far higher than what threat analysts have observed: more than 480 samples were submitted to the ID-Ransomware platform between November 2021 and June 2022.

Figure: BlackCat/ALPHV ransomware activity. Source: ID-Ransomware

In its April alert, the FBI asked IT admins and security teams that encounter ALPHV/BlackCat activity on their networks to gather any information they have and report it to their local FBI cyber unit.

Helpful information for cracking down on these threat actors includes “IP logs showing callbacks from foreign IP addresses, Bitcoin or Monero addresses and transaction IDs, communications with the threat actors, the decryptor file, and/or a benign sample of an encrypted file.”

For more information on ransomware, and how you can defend yourself, check out our other news reports, here.

Source: Microsoft's Security Blog