ALPHV, also known as BlackCat or Noberus, is a sophisticated ransomware group that targets critical infrastructure and a wide range of organizations, and it is the most active group attacking the financial services sector.
ALPHV first appeared in November 2021 and operates on a Ransomware-as-a-Service (RaaS) model, allowing affiliates to use its malware for their own attacks in exchange for a cut of the ransom payments. This approach has enabled the group to rapidly expand its reach and target a wider range of victims. Some of the better-known attacks conducted by ALPHV or its affiliates are
There is a great deal of institutional knowledge available on ALPHV, which allows us to delve into its attack methods, the type of damage the group inflicts, and, most importantly, how to defend against an ALPHV attack. The information below is drawn from a joint advisory issued earlier this year by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA), along with Trustwave SpiderLabs research.
The group was targeted and severely disrupted by law enforcement in late 2023, but resurfaced several months later, at which time it defrauded one of its affiliates by stealing the ransom payment allegedly made by UnitedHealth. Before the takedown, the FBI credited ALPHV and its affiliates with more than 1,000 attacks worldwide.
ALPHV BlackCat affiliates are masters of social engineering. They launch initial attacks by impersonating IT or helpdesk personnel, tricking employees into revealing login credentials through phone calls or SMS messages. They also leverage open-source intelligence gathering to gain a deeper understanding of a company's vulnerabilities before striking.
ALPHV is also known for exploiting vulnerabilities to gain initial access. Among its favored targets are Microsoft Exchange Server vulnerabilities, including CVE-2021-31207, CVE-2021-34473, and CVE-2021-34523.
Once inside a network, the attackers deploy remote access tools like AnyDesk, MegaSync, and Splashtop to facilitate data exfiltration. They often create a user account with the name "aadmin" and exploit Kerberos token generation to gain broader domain access. Additionally, they utilize legitimate tools like Plink and Ngrok for remote access and tunneling, making their activity appear less suspicious.
For command and control, ALPHV BlackCat leans on tools like Brute Ratel C4 and Cobalt Strike. The arsenal also includes Evilginx2, an open-source framework that allows them to bypass multi-factor authentication (MFA) and steal login credentials, session cookies, and passwords from domain controllers, local networks, and even deleted backups. This enables them to move laterally across the network undetected.
To avoid detection, the attackers employ various techniques. One tactic involves whitelisting applications like Metasploit, making them appear legitimate. They also clear logs on the Exchange server after installing malware on the domain controller. Finally, they utilize file-sharing platforms like Mega.nz or Dropbox to exfiltrate stolen data before deploying the ransomware itself. The ransom note is typically embedded as a file named "file.txt." Public reports also suggest they use POORTRY and STONESTOP to terminate security processes, further hampering detection and response efforts.
It's important to note that ALPHV BlackCat doesn't always deploy ransomware. In some cases, they exfiltrate data after gaining access and then use it for extortion purposes, bypassing the encryption stage altogether.
However, when they are after a quick financial gain, ALPHV BlackCat offers its victims "cyber remediation advice" as an incentive for ransom payment. This tactic is an attempt to coerce victims into paying a ransom by promising "vulnerability reports" and "security recommendations" detailing how they breached the system.
ALPHV BlackCat's encryption process results in files with a specific naming convention: "RECOVER-(seven-digit extension) FILES.txt." This information can be crucial for identifying infected systems and taking swift action.
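The indicators called out above (the "aadmin" account, the remote access and tunneling tools, and the ransom-note naming convention) can be turned into simple hunting rules. The script below is an added example, not code from the advisory or from Trustwave; the event schema and the sample telemetry are constructed, the executable names assumed for the tools are assumptions, and the ransom-note regex accepts seven alphanumerics with an optional separator rather than strictly seven digits.

```python
import re

# Tools named in the text; the on-disk executable names are assumptions.
REMOTE_TOOLS = {"anydesk.exe", "megasync.exe", "splashtop.exe", "plink.exe", "ngrok.exe"}

# The text describes "RECOVER-(seven-digit extension) FILES.txt"; accepting seven
# alphanumerics and an optional space or hyphen is an assumption to avoid brittle matching.
RANSOM_NOTE = re.compile(r"RECOVER-[A-Za-z0-9]{7}[ -]?FILES\.txt$", re.IGNORECASE)

# Constructed sample events (not real telemetry), normalized to a minimal schema.
SAMPLE_EVENTS = [
    {"type": "account_created", "host": "dc01", "user": "aadmin"},
    {"type": "account_created", "host": "dc01", "user": "svc-backup"},
    {"type": "process", "host": "ws07", "image": r"C:\Users\Public\plink.exe"},
    {"type": "process", "host": "ws07", "image": r"C:\Windows\System32\notepad.exe"},
    {"type": "file_created", "host": "fs02", "path": r"D:\Shares\Finance\RECOVER-a1b2c3d FILES.txt"},
    {"type": "file_created", "host": "fs02", "path": r"D:\Shares\Finance\Q3-report.xlsx"},
]


def _basename(path):
    """Return the final path component, tolerating both slash styles."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def hunt(events):
    """Return one alert dict per event that matches an ALPHV-associated indicator."""
    alerts = []
    for ev in events:
        if ev["type"] == "account_created" and ev["user"].lower() == "aadmin":
            alerts.append({"rule": "alphv_aadmin_account", "host": ev["host"], "detail": ev["user"]})
        elif ev["type"] == "process":
            name = _basename(ev["image"]).lower()
            if name in REMOTE_TOOLS:
                alerts.append({"rule": "alphv_remote_tool", "host": ev["host"], "detail": name})
        elif ev["type"] == "file_created":
            fname = _basename(ev["path"])
            if RANSOM_NOTE.search(fname):
                alerts.append({"rule": "alphv_ransom_note", "host": ev["host"], "detail": fname})
    return alerts


if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(f"[{alert['rule']}] {alert['host']}: {alert['detail']}")
```

A ransom-note hit on a file server is a late-stage signal; the account-creation and tunneling-tool rules fire earlier in the intrusion and are the ones worth paging on.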
Because ALPHV’s tactics, techniques, and procedures are known, CISA and Trustwave SpiderLabs can offer some critical steps organizations can take to fortify their defenses against ALPHV BlackCat and similar ransomware threats:
Additionally, adopting an Offensive Security mindset will help tick many of the boxes above. An Offensive Security program will identify assets by creating a comprehensive inventory of the digital assets at hand. This step includes primary, subsidiary domains, third-party services, and external-facing endpoints that could be potential targets. It will also include assessing the organization’s threat landscape.
Next, a managed detection and response (MDR) solution can be brought on board. MDR protects against ransomware through a combination of advanced technology and human expertise. Here are some key ways MDR helps:
Trustwave Security Colony also offers a free Ransomware Assessment tool that an organization can complete and receive a score that indicates their ability to identify, protect, detect, respond, and recover from a ransomware attack. The organization can then use that score to shore up its defenses or to reach out to a security vendor for further assistance.
By implementing these security measures and remaining vigilant, organizations can significantly reduce their risk of falling victim to ALPHV BlackCat and other ransomware attacks. Remember, a layered security approach is key to building robust defenses.