BlackCat/ALPHV
Formation: 2021
Type: Hacking
Parent organization: FIN7, DarkSide (hacker group)

BlackCat, also known as ALPHV[1] and Noberus,[2] is a ransomware family written in Rust that made its first appearance in November 2021. By extension, it is also the name of the threat actor(s) that operate it.

BlackCat operates on a ransomware-as-a-service (RaaS) model, with developers offering the malware for use by affiliates and taking a percentage of ransom payments. For initial access, the operation relies primarily on stolen credentials obtained through initial access brokers. The group operates a public data leak site to pressure victims into paying ransom demands.

The group has targeted hundreds of organizations worldwide, including Reddit in 2023. Since its first appearance, it has been one of the most active ransomware families.[3]

Description

The group behind BlackCat mostly uses a double extortion tactic, but sometimes extends it to triple extortion, which combines exposing exfiltrated data with threats to launch distributed denial-of-service (DDoS) attacks on victims' infrastructure.[4]

BlackCat-affiliated threat actors typically request ransom payments of several million dollars in Bitcoin and Monero and have accepted ransom payments below the initial ransom demand amount. According to the FBI, many of the developers and money launderers for BlackCat/ALPHV are linked to DarkSide/Blackmatter, indicating they have extensive networks and experience with ransomware operations.[1]

The group is known for being the first ransomware operation to create a public data leak website on the open internet. Previous cyber gangs typically published stolen data on the dark web. BlackCat's innovation was to post excerpts or samples of victims' data on a site accessible to anyone with a web browser. Security experts believe the tactic is intended to lend more credibility to their claims of breaching victims' systems and to increase pressure on organizations to pay ransoms to prevent full public exposure of their data.[5] The group also mimics its victims' websites, posting stolen data on typosquatted replicas on the web.[6]

In its early campaigns, Royal ransomware used the encryptor tool called "BlackCat".[7]

History

Beginning (2021-2022)

The malware was first observed by researchers from the MalwareHunterTeam in mid-November 2021.[4]

In April 2022, the Federal Bureau of Investigation (FBI) released an advisory stating that several developers and money launderers for BlackCat had links to two defunct ransomware-as-a-service (RaaS) groups, DarkSide and BlackMatter.[4] According to some experts, the ransomware might be a rebranding of DarkSide after that group's attack on the Colonial Pipeline.[8] It might also be a successor to the REvil cybercriminal group.[5]

Throughout 2022, BlackCat compromised and extorted numerous high-profile organizations globally including universities, government agencies and companies in the energy, technology, manufacturing, and transportation sectors. Reported victims include Moncler, Swissport, North Carolina A&T, Florida International University, the Austrian state of Carinthia, Regina Public Schools, the city of Alexandria, the University of Pisa, Bandai Namco, Creos, Accelya, GSE, NJVC, EPM, and JAKKS Pacific.[9]

In September 2022, a report noted that the ransomware was using the Emotet botnet.[4]

In late May 2022, a European government was attacked and asked for US$5 million in ransom.[4]

Sphynx variant (2023)

At the beginning of the year 2023, Blackcat attacked Grupo Estrategas EMM, NextGen Healthcare, Solar Industries India, Instituto Federal Do Pará, Munster Technological University, and Lehigh Valley Health Network.[9]

In February 2023, a variant called "Sphynx" was released with updates to increase speed and stealth. As of May 2023, the group is estimated to have targeted over 350 victims globally since its emergence.[2]

In June 2023, the group claimed responsibility for a February 2023 breach of Reddit's systems. On their data leak site, they claimed that they stole 80 GB of compressed data and demanded a $4.5 million ransom from Reddit. This attack did not involve data encryption like typical ransomware campaigns.[10]

Takedown (December 2023)

[Image: Website seizure notice]

On December 19, 2023, the group's website was replaced with an image: a message from the FBI stating "The Federal Bureau of Investigation seized this site as part of a coordinated law enforcement action taken against Alphv Blackcat Ransomware."[11]

The FBI announced that same day that it had "disrupted" the ALPHV/BlackCat group by seizing multiple websites and releasing a decryption tool. The tool could be used by ransomware victims to decrypt their files without paying the ransom.[12]

Tactics and techniques

The gang uses the Emotet botnet malware as an entry point. It also uses Log4J Auto Expl to propagate the ransomware laterally within the network.[4]

Threat actors associated with BlackCat were observed using hijacked webpages of legitimate organizations to redirect users to pages hosting malware. The rogue WinSCP installer distributed a backdoor containing a Cobalt Strike Beacon for follow-on intrusion activities. The access afforded by Cobalt Strike was used to conduct reconnaissance, lateral movement, data exfiltration, and tampering with security software. The threat actors gained domain admin privileges and began setting up backdoors before the attack was discovered.[13]

The group abuses Group Policy Objects (GPOs) to distribute malware and disable security controls across networks.[14]

The malware uses tools like ExMatter to steal sensitive data before deploying ransomware to encrypt files.[9]

The ransomware incorporates techniques such as junk code and encrypted strings to avoid detection. Once executed, BlackCat performs network discovery to find more systems to infect, deletes volume shadow copies, encrypts files, and drops a ransom note demanding payment in cryptocurrency.[2]
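As an added defender-side illustration (not from the article or any of the reports it cites), the following Python flags the volume-shadow-copy deletion step described above in constructed Windows process-creation records. The command lines it matches (vssadmin and wmic shadow-copy deletion) are assumed common ways of destroying shadow copies, not commands the article attributes to BlackCat, and the event records are constructed samples.

```python
import re
from typing import Dict, List

# Constructed sample records in the shape of Windows process-creation
# events (e.g. Sysmon Event ID 1 / Security 4688); not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "ws01", "user": "CORP\\alice",
     "cmdline": "cmd.exe /c dir C:\\Users"},
    {"host": "fs02", "user": "CORP\\svc_backup",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "fs02", "user": "CORP\\svc_backup",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "ws03", "user": "CORP\\bob",
     "cmdline": "vssadmin.exe list shadows"},   # benign enumeration
]

# Assumed indicators of shadow-copy destruction, the pre-encryption step the
# article describes. The exact commands are this example's assumption.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.IGNORECASE),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.IGNORECASE),
]


def is_shadow_copy_deletion(cmdline: str) -> bool:
    """True when the command line deletes volume shadow copies."""
    return any(p.search(cmdline) for p in SHADOW_DELETE_PATTERNS)


def detect_shadow_copy_deletion(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one alert per event that matches the shadow-copy deletion step."""
    alerts = []
    for ev in events:
        if is_shadow_copy_deletion(ev.get("cmdline", "")):
            alerts.append({
                "host": ev["host"],
                "user": ev["user"],
                "technique": "volume shadow copy deletion",
                "cmdline": ev["cmdline"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_shadow_copy_deletion(SAMPLE_EVENTS):
        print(f"ALERT {alert['host']} {alert['user']}: {alert['cmdline']}")
```

Listing shadow copies is deliberately left unflagged so that routine backup administration does not trip the rule; only destructive invocations produce alerts.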

Uses

MGM and Caesars

Scattered Spider, an ALPHV affiliate (speculated by some outlets to be a subgroup of ALPHV[15]) made up primarily of British and American hackers, worked with ALPHV in its September 2023 ransomware attacks against MGM Resorts International and Caesars Entertainment, the two largest casino operators and gaming companies in Las Vegas and among the largest in the world. The hackers demanded a US$30 million ransom from Caesars, which paid US$15 million to the hackers. MGM, however, did not pay the ransom and instead shut down all systems for a period of weeks. This further affected MGM's online offerings, such as its sports betting platform BetMGM.[16][17][18]

Motel One

ALPHV was also used to conduct a ransomware attack against Motel One, though the company stated that its normal business operations were never at risk. The hackers were able to access some customer data and an estimated 150 credit cards.[15]

References

  1. "FBI Releases IOCs Associated with BlackCat/ALPHV Ransomware | CISA". www.cisa.gov. 2022-04-22. Retrieved 2023-07-14.
  2. Lakshmanan, Ravie (2023-06-01). "Improved BlackCat Ransomware Strikes with Lightning Speed and Stealthy Tactics". The Hacker News. Retrieved 2023-07-25.
  3. "BlackCat (ALPHV) Ransomware Levels Up for Stealth, Speed and Exfiltration". Security Intelligence. Retrieved 2023-07-25.
  4. "Ransomware Spotlight: BlackCat - Security News". www.trendmicro.com. Retrieved 2023-07-14.
  5. "The Royal & BlackCat Ransomware: What you Need to Know | Tripwire". www.tripwire.com. Retrieved 2023-07-26.
  6. Cyware Labs. "ALPHV/BlackCat Clones Victim's Website to Post Stolen Data | Cyware Hacker News". Retrieved 2023-07-26.
  7. "Ransomware Spotlight: Royal - Security News". www.trendmicro.com. Retrieved 2023-07-11.
  8. "Breaking Down the BlackCat Ransomware Operation". cisecurity.org. 2022-07-07.
  9. Cyware Labs. "The Rise of BlackCat Ransomware: A Dark Tale of Cybercrime | Cyware | Research and Analysis". Retrieved 2023-07-26.
  10. "The Week in Ransomware - June 23rd 2023 - The Reddit Files". BleepingComputer. Retrieved 2023-07-25.
  11. Hay Newman, Lily (2023-12-19). "A Major Ransomware Takedown Suffers a Strange Setback". Wired. Archived from the original on 2023-12-20.
  12. "Justice Department Disrupts Prolific ALPHV/Blackcat Ransomware Variant". U.S. Department of Justice. 2023-12-19.
  13. Lakshmanan, Ravie (2023-07-03). "BlackCat Operators Distributing Ransomware Disguised as WinSCP via Malvertising". The Hacker News. Retrieved 2023-07-25.
  14. "BlackCat (ALPHV) Ransomware Levels Up for Stealth, Speed and Exfiltration". Security Intelligence. Retrieved 2023-07-25.
  15. Page, Carly (2023-10-03). "Motel One says ransomware gang stole customer credit card data". TechCrunch. Retrieved 2023-10-03.
  16. Siddiqui, Zeba; Satter, Raphael (2023-09-22). "'Power, influence, notoriety': The Gen-Z hackers who struck MGM, Caesars". Reuters. Retrieved 2023-10-03.
  17. "Hackers tied to Las Vegas attacks known for sweet-talking their way into company systems". NBC News. 2023-09-15. Retrieved 2023-10-03.
  18. Brewer, Contessa; Goswami, Rohan (2023-09-14). "Caesars paid millions in ransom to cybercrime group prior to MGM hack". CNBC. Retrieved 2023-10-03.

This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.