Zerosecurity

BlackCat Ransomware aka “ALPHV” infections on the rise

by Kyle
June 16, 2022
in Malware

As the ransomware-as-a-service (RaaS) industry grows, more ransomware players come into the mix. BlackCat, also known as ALPHV, is a growing ransomware threat with the ability to target multiple devices and operating systems.

ALPHV also stands out because of the language it is written in, Rust. The ransomware targets operating systems other than Windows, uses several different entry vectors, and is deployed by affiliates tied to multiple established threat actors.

ALPHV was first observed in November 2021 and initially made headlines because it is written in Rust. A payload in a language that is still uncommon among malware matches fewer existing signatures, and some security tooling handles Rust binaries poorly when analyzing and parsing them, which makes the ransomware harder to detect and to reverse. Microsoft has observed successful attacks against both Windows and Linux devices, and against VMware instances.

ALPHV threat actors leveraging Microsoft Exchange server vulnerabilities

Microsoft now reports that ALPHV affiliates are exploiting vulnerabilities in unpatched Microsoft Exchange servers to gain initial access.

In one intrusion, Microsoft's security team observed the threat actors move laterally through the victim's network, stealing credentials and exfiltrating data; the stolen data was then used for double extortion (threatening to publish it if the ransom is not paid).

Two weeks after the initial compromise of the unpatched Exchange server, the adversary deployed the ALPHV payload to other machines on the network using PsExec, Microsoft's Sysinternals remote-execution tool.
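PsExec leaves a distinctive trace on every machine it touches: it installs a service (by default named PSEXESVC) on the target, which Windows records as System log Event ID 7045. The following is an added example of detection logic over that event, written for this page and not taken from the article or from Microsoft's report. The sample events are constructed; the field names follow the Windows 7045 event, and the path patterns and the two-host threshold are assumptions to tune for your environment.

```python
"""Flag PsExec-style remote service installs and mass deployment.

Added illustration, not part of the article or of Microsoft's report:
detection logic over constructed Windows System log events (Event ID 7045,
"A service was installed in the system"). Field names follow the Windows
event; every event below is made up.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# PsExec creates a service named PSEXESVC on the target. Renamed clones and
# other push tools still tend to drop their binary via ADMIN$ (which maps to
# %SystemRoot%) or a Temp directory, so the image path is the second signal.
PSEXEC_SERVICE = "PSEXESVC"
SUSPICIOUS_PATH = re.compile(
    r"\\\\ADMIN\$\\|\\Windows\\Temp\\|%SystemRoot%\\Temp\\|\\AppData\\Local\\Temp\\",
    re.IGNORECASE,
)

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "fs01", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe", "Time": "2022-03-14T02:11:05"},
    {"EventID": 7036, "Computer": "fs01", "ServiceName": "PSEXESVC",
     "ImagePath": "", "Time": "2022-03-14T02:11:06"},
    {"EventID": 7045, "Computer": "fs02", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe", "Time": "2022-03-14T02:11:09"},
    {"EventID": 7045, "Computer": "db01", "ServiceName": "svcupd",
     "ImagePath": r"C:\Windows\Temp\svcupd.exe", "Time": "2022-03-14T02:11:40"},
    {"EventID": 7045, "Computer": "ws17", "ServiceName": "Dell Update",
     "ImagePath": r"C:\Program Files\Dell\UpdateService\DellUpdate.exe",
     "Time": "2022-03-14T09:30:00"},
]


def install_reason(event):
    """Why a 7045 event looks like remote tooling, or None if it does not."""
    if event.get("EventID") != 7045:
        return None
    if event.get("ServiceName", "").upper() == PSEXEC_SERVICE:
        return "PsExec service name"
    if SUSPICIOUS_PATH.search(event.get("ImagePath", "")):
        return "service binary dropped in ADMIN$/Temp"
    return None


def suspicious_service_installs(events):
    """(computer, service, reason) for every matching service install."""
    hits = []
    for ev in events:
        reason = install_reason(ev)
        if reason:
            hits.append((ev["Computer"], ev["ServiceName"], reason))
    return hits


def install_bursts(events, window_minutes=30, min_hosts=2):
    """Service names installed on >= min_hosts distinct computers within
    window_minutes: the shape of one payload being pushed across a network.
    Uses every 7045 event, not only the ones flagged above, so a renamed
    PsExec clone dropped in a clean-looking path is still caught."""
    by_service = defaultdict(list)
    for ev in events:
        if ev.get("EventID") == 7045:
            by_service[ev["ServiceName"].upper()].append(
                (datetime.fromisoformat(ev["Time"]), ev["Computer"]))
    window = timedelta(minutes=window_minutes)
    bursts = []
    for service, seen in sorted(by_service.items()):
        seen.sort()
        for i, (start, _) in enumerate(seen):
            hosts = {host for t, host in seen[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                bursts.append({"service": service, "hosts": sorted(hosts),
                               "start": start.isoformat()})
                break
    return bursts


if __name__ == "__main__":
    for hit in suspicious_service_installs(SAMPLE_EVENTS):
        print("suspicious install:", hit)
    for burst in install_bursts(SAMPLE_EVENTS):
        print("mass deployment:", burst)
```

Administrators use PsExec legitimately, so the service-name match on its own is an alert to triage rather than an incident; the burst check (the same service appearing on many hosts within minutes) is what separates a one-off admin session from a payload being pushed network-wide, and a legitimate software rollout will look the same, so allowlist known deployment services before paging anyone on it.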

“While the common entry vectors for these threat actors include remote desktop applications and compromised credentials, we also saw a threat actor leverage Exchange server vulnerabilities to gain target network access,” stated the Microsoft 365 Defender Threat Intelligence Team.

Microsoft did not name the specific Exchange vulnerabilities used in these attacks, but it linked to its Exchange security advisory from March 2021.

Microsoft also did not name the affiliates behind this intrusion, but in its case study it stated that multiple cybercrime groups are actively deploying this RaaS in the wild.

[Figure: ALPHV entry via the Microsoft Exchange vulnerability. Source: Microsoft]

Cybercriminals are switching to ALPHV/BlackCat

One group, tracked by Microsoft under the name FIN12, is known for deploying Conti, Hive, and Ryuk ransomware, mainly against the healthcare sector.

“We’ve observed that this group added BlackCat to their list of distributed payloads beginning March 2022,” Microsoft explained.

“Their switch to BlackCat from their last used payload (Hive) is suspected to be due to the public discourse around the latter’s decryption methodologies.”

ALPHV is also being deployed by another group, tracked as DEV-0504. This group normally exfiltrates data from its victims with StealBit, the exfiltration tool that the LockBit gang provides to its affiliates as part of its RaaS offering.

DEV-0504 has also deployed other ransomware families, including BlackMatter (December 2021), Ryuk, REvil, Conti, and LockBit 2.0.

Microsoft recommends that all organizations review their identity posture, patch all vulnerable Microsoft Exchange servers, and monitor external access to their networks.

The threat grows

In April 2022 the FBI released a flash alert warning about this ransomware. It had observed the networks of more than 60 organizations worldwide encrypted by BlackCat/ALPHV between November 2021 and March 2022.

“Many of the developers and money launderers for BlackCat/ALPHV are linked to Darkside/Blackmatter, indicating they have extensive networks and experience with ransomware operations,” the FBI indicated.

The real number of victims is very likely much higher than what the FBI observed: more than 480 samples were submitted to the ID-Ransomware platform between November 2021 and June 2022.

[Figure: BlackCat/ALPHV ransomware activity. Source: ID-Ransomware]

In its April alert, the FBI asked IT administrators and security teams who find ALPHV/BlackCat activity on their networks to collect what they can and report it to their local FBI Cyber unit.

Information that helps investigators track these threat actors includes “IP logs showing callbacks from foreign IP addresses, Bitcoin or Monero addresses and transaction IDs, communications with the threat actors, the decryptor file, and/or a benign sample of an encrypted file.”
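The FBI's evidence list above translates directly into an extraction task during response: pull callback IPs from firewall logs and payment addresses from the ransom note, and discard look-alikes before anything is sent. The following is an added example written for this page, not code from the article or from the FBI alert. The ransom-note text, log lines and the Monero and bech32 addresses in it are constructed; the one real address is the public Bitcoin genesis-block address, used only because its base58check checksum can be verified offline. The internal address ranges are listed explicitly (rather than using Python's is_global) because the sample uses RFC 5737 documentation ranges as stand-ins for foreign IPs.

```python
"""Pull reportable IOCs out of ransom notes and connection logs.

Added illustration, not from the article or the FBI alert: extracts the
items the FBI asks for (callback IPs, Bitcoin and Monero addresses) and
checksum-verifies legacy Bitcoin candidates so that random base58-looking
strings are not reported. Sample text is constructed, except for the
public Bitcoin genesis-block address used as a known-valid checksum case.
"""
import hashlib
import ipaddress
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
B58_CLASS = "[1-9A-HJ-NP-Za-km-z]"

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Legacy P2PKH/P2SH (starts 1 or 3, 26-35 chars), lowercase bech32 (bc1...),
# Monero standard/subaddress (95 chars, starts 4 or 8) and integrated (106).
BTC_LEGACY_RE = re.compile(r"\b[13]" + B58_CLASS + r"{25,34}\b")
BTC_BECH32_RE = re.compile(r"\bbc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{25,87}\b")
XMR_RE = re.compile(r"\b(?:[48]" + B58_CLASS + r"{94}|4" + B58_CLASS + r"{105})\b")

# Our own address space: RFC 1918, loopback, link-local. Listed explicitly
# because ip.is_global also rejects the RFC 5737 documentation ranges that
# the constructed sample uses as stand-ins for foreign callback IPs.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

# Constructed ransom-note fragment plus firewall lines (not real data).
SAMPLE = """
>> Your files are encrypted. Pay 2 BTC to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa
>> or XMR to 4AdyL1RsFjkNX7vSq9rwfP3mhEZaGsb5utKH2Ybn8Bc6xCgUQ4pMV1zdieWoJRrhFq7kLsTm9nXaZ3cY5wDeN2pRt8KvB6m
>> bech32 also accepted: bc1qx7tzv9sf3hnk2e4wpuc8amd0jgr5lq6y
>> support id: 1Kp7RzfTq3MwXv9nBhYsU2aEcd8LJgPmQ4
2022-03-15T03:12:44Z fw01 allow src=10.20.30.41 dst=203.0.113.57 dport=443
2022-03-15T03:12:51Z fw01 allow src=10.20.30.41 dst=198.51.100.12 dport=443
2022-03-15T03:13:02Z fw01 allow src=10.20.30.41 dst=192.168.7.20 dport=445
"""


def b58decode(s):
    """Base58 to bytes, keeping one 0x00 per leading '1' as the format requires."""
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)  # ValueError on a non-base58 character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    leading_zeros = len(s) - len(s.lstrip("1"))
    return b"\x00" * leading_zeros + body


def valid_base58check(addr):
    """True iff addr decodes to 25 bytes whose last 4 equal the first 4 bytes
    of double-SHA256 over the first 21 (version byte + 20-byte hash)."""
    try:
        data = b58decode(addr)
    except ValueError:
        return False
    if len(data) != 25:
        return False
    digest = hashlib.sha256(hashlib.sha256(data[:21]).digest()).digest()
    return digest[:4] == data[21:]


def is_external(ip_text):
    """True for a syntactically valid IPv4 address outside INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def extract_iocs(text):
    """Deduplicated IOC candidates from text, with legacy BTC split by checksum."""
    legacy = {a: valid_base58check(a) for a in BTC_LEGACY_RE.findall(text)}
    return {
        "external_ips": sorted({ip for ip in IPV4_RE.findall(text) if is_external(ip)}),
        "btc_legacy_valid": sorted(a for a, ok in legacy.items() if ok),
        "btc_legacy_rejected": sorted(a for a, ok in legacy.items() if not ok),
        "btc_bech32": sorted(set(BTC_BECH32_RE.findall(text))),
        "monero": sorted(set(XMR_RE.findall(text))),
    }


if __name__ == "__main__":
    for key, values in extract_iocs(SAMPLE).items():
        print(key, values)
```

The "support id" line is the point of the checksum step: it is a 34-character base58 string starting with 1, so a regex alone would report it as a wallet, but it fails base58check and lands in the rejected list. bech32 and Monero addresses have their own checksums (bech32 polymod, and a Keccak-based checksum for Monero) which this example does not implement, so treat those lists as candidates; the external IPs still need geolocation or allowlisting against known third-party services before being described as foreign callbacks.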

For more information on ransomware, and how you can defend yourself, check out our other news reports, here.

Source: Microsoft's Security Blog
Tags: ALPHV, BlackCat, Microsoft, ransomware
Kyle

Co-owner, writer, and editor at ZeroSecurity. Security, Blockchain, and SEO enthusiast. "Formal education will make you a living; self-education will make you a fortune."

© 2022 ZeroSecurity, All Rights Reserved.
