ALPHV BlackCat Ransomware: A Technical Deep Dive and Mitigation Strategies

ALPHV, also known as BlackCat or Noberus, is a sophisticated ransomware group targeting critical infrastructure and various organizations, including being the most active group used to attack the financial services sector.

ALPHV first appeared in November 2021 and operates on a Ransomware-as-a-Service (RaaS) model, allowing affiliates to use its malware for their own attacks in exchange for a cut of the ransom payments. This approach has enabled the group to rapidly expand its reach and target a wider range of victims. Some of the better-known attacks conducted by ALPHV or its affiliates are

1. MGM Resorts: AlphV’s affiliate, Scattered Spider, was linked to a major attack on MGM Resorts
2. Caesars Entertainment: Another significant target of AlphV’s affiliate, Scattered Spider
3. UnitedHealth/Change Healthcare: The ALPHV affiliate Notchy took credit for the attack.

There is a great deal of institutional knowledge available on ALPHV, which will enable us to delve into its attack methods, the type of damage the group inflicts, and most importantly, how to defend against an ALPHV attack. The information is detailed in a joint advisory issued earlier this year by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), along with information derived from Trustwave SpiderLabs research.

The group was targeted and severely disrupted by law enforcement in late 2023, but popped back up several months later at which time, it defrauded one of its affiliates stealing the ransom payment allegedly made by UnitedHealth. However, before the takedown, the FBI credited ALPHV and its affiliates with more than 1,000 attacks worldwide.

Initial Entry: Social Engineering and Open-Source Intel

ALPHV BlackCat affiliates are masters of social engineering. They launch initial attacks by impersonating IT or helpdesk personnel, tricking employees into revealing login credentials through phone calls or SMS messages. They also leverage open-source intelligence gathering to gain a deeper understanding of a company's vulnerabilities before striking.

ALPHV is also known for exploiting vulnerabilities to gain access. A few of its favored vulnerabilities to target are Microsoft Exchange Server Vulnerabilities, including CVE-2021-31207, CVE-2021-34473 , and CVE-2021-34523. 

Gaining Control and Stealing Data

Once inside a network, the attackers deploy remote access tools like AnyDesk, MegaSync, and Splashtop to facilitate data exfiltration. They often create a user account with the name "aadmin" and exploit Kerberos token generation to gain broader domain access. Additionally, they utilize legitimate tools like Plink and Ngrok for remote access and tunneling, making their activity appear less suspicious.

For maintaining contact with the malware, ALPHV BlackCat leans on tools like Brute Ratel C4 and Cobalt Strike as command-and-control servers. The arsenal also includes Evilginx2, an open-source framework that allows them to bypass multi-factor authentication (MFA) and steal login credentials, session cookies, and even passwords from domain controllers, local networks, and even deleted backups. This enables them to move laterally across the network undetected.

To avoid detection, the attackers employ various techniques. One tactic involves whitelisting applications like Metasploit, making them appear legitimate. They also clear logs on the exchange server after installing malware on the domain controller. Finally, they utilize file-sharing platforms like Mega.nz or Dropbox to exfiltrate stolen data before deploying the ransomware itself. The ransom note is typically embedded as a file named "file.txt." Public reports also suggest they use POORTRY and STONESTOP to terminate security processes, further hampering detection and response efforts.

It's important to note that ALPHV BlackCat doesn't always deploy ransomware. In some cases, they exfiltrate data after gaining access and then use it for extortion purposes, bypassing the encryption stage altogether.

However, when they are after a quick financial gain, ALPHV BlackCat offers its victims "cyber remediation advice" as an incentive for ransom payment. This tactic is an attempt to coerce victims into paying a ransom by promising "vulnerability reports" and "security recommendations" detailing how they breached the system.

Identifying Ransomware Files and Mitigation

ALPHV BlackCat's encryption process results in files with a specific naming convention: "RECOVER-(seven-digit extension) FILES.txt." This information can be crucial for identifying infected systems and taking swift action.

Because ALPHV’s tactics, techniques, and procedures are known, CISA and Trustwave SpiderLabs can offer some critical steps organizations can take to fortify their defenses against ALPHV BlackCat and similar ransomware threats:

• Secure Remote Access: Implement application controls to manage and whitelist authorized remote access programs. Disallow unauthorized software installation and execution, especially portable versions.
• Database Security : Knowing where all your data resides is key as this is what an attacker is after and it’s impossible to protect something if you don’t know it exists.
• Robust MFA: Enforce FIDO/WebAuthn authentication or Public Key Infrastructure (PKI)-based MFA to enhance security. These methods are more resistant to phishing attacks compared to traditional methods.
• Network Monitoring: Deploy network monitoring tools that log and analyze all network traffic. This helps detect suspicious activity, including lateral movement within the network, which is a telltale sign of a potential ransomware attack. Endpoint detection and response (EDR) tools can also be valuable in identifying such anomalies.
• User Training: Conduct regular security awareness training for employees to educate them on social engineering and phishing tactics. Train them to identify suspicious emails, links, and attachments and report them promptly.
• Internal Email Monitoring: Monitor internal email and messaging traffic to identify any suspicious activity that might indicate a phishing attempt targeting employees. Analyze deviations from normal network traffic patterns.
• Antivirus Software: Install and maintain reputable antivirus software on all devices within the organization. Keep it updated regularly to ensure it can detect and block the latest malware threats.

Additionally, adopting an Offensive Security mindset will help tick many of the boxes above. An Offensive Security program will identify assets by creating a comprehensive inventory of the digital assets at hand. This step includes primary, subsidiary domains, third-party services, and external-facing endpoints that could be potential targets. It will also include assessing the organization’s threat landscape.

Next, a managed detection and response (MDR) solution can be brought on board. MDR protects against ransomware through a combination of advanced technology and human expertise. Here are some key ways MDR helps:

1. 24/7 Monitoring and Threat Detection: MDR services provide continuous monitoring of your network to detect suspicious activities and potential threats in real-time.
2. Proactive Threat Hunting: Security experts actively search for hidden threats and vulnerabilities within your systems, identifying ransomware before it can cause damage.
3. Rapid Incident Response: When a ransomware attack is detected, MDR teams quickly respond to contain and mitigate the threat, minimizing the impact on your organization.
4. Containment and Isolation: MDR solutions can isolate infected systems to prevent the spread of ransomware across your network.
5. Root Cause Analysis: After an incident, MDR teams analyze the attack to understand how it happened and implement measures to prevent future occurrences.
6. Regular Security Health Checks: Continuous assessments and updates ensure your defenses remain strong against evolving ransomware tactics.

Trustwave Security Colony also offers a free Ransomware Assessment tool that an organization can complete and receive a score that indicates their ability to identify, protect, detect, respond, and recover from a ransomware attack. The organization can then use that score to shore up its defenses or to reach out to a security vendor for further assistance.

Implementing these security measures and remaining vigilant, organizations can significantly reduce their risk of falling victim to ALPHV BlackCat and other ransomware attacks. Remember, a layered security approach is key to building robust defenses.