On April 22nd, the Federal Bureau of Investigation (FBI) issued a flash alert highlighting malicious cyber activity by threat actors using BlackCat/ALPHV ransomware-as-a-service (RaaS), which had targeted and compromised at least 60 entities worldwide. The group is the first to build its ransomware in Rust, a secure, blazingly fast and memory-efficient programming language. Details of the various tactics, techniques, and procedures (TTPs) are described in FBI Flash Alert CU-000167-MW. According to the information currently available, many of the developers and money launderers for BlackCat/ALPHV are linked to DarkSide/BlackMatter, indicating they have extensive networks and experience with ransomware operations. BlackCat-affiliated threat actors have demanded ransom payments ranging from $400,000 to $3 million, payable in Bitcoin or Monero, but have accepted payments below the initial demand. However, victims who pay in Bitcoin are charged an additional 15% fee on top of the ransom.
Technical details about BlackCat/ALPHV RaaS
Based on the information available, the BlackCat/ALPHV ransomware includes several innovative and advanced features that distinguish it from other ransomware services. The ransomware is entirely command-line driven, human-operated, and highly configurable: it can use different encryption routines, spread between computers, kill virtual machines (including VMs on the ESXi bare-metal hypervisor), and automatically wipe ESXi snapshots to prevent recovery.
- BlackCat uses previously compromised user credentials to gain initial access to the victim system and then leverages that access to compromise Active Directory (AD) user and administrator accounts.
- The Windows Task Scheduler is then used to configure malicious Group Policy Objects (GPOs) to deploy ransomware.
- When launching the ransomware, the attackers can use a console-based user interface allowing them to monitor the progression of the attack.
- Initial deployment of the malware leverages PowerShell scripts, in conjunction with Cobalt Strike, and disables security features within the victim’s network.
- Other actions taken during this "setup" process include clearing the Recycle Bin, deleting Shadow Volume Copies, scanning for other network devices, and connecting to a Microsoft cluster if one exists.
- BlackCat/ALPHV also uses the Windows Restart Manager API to close processes or shut down Windows services that hold a file open, so that the file can be encrypted.
- Ransom notes are preconfigured by the attackers and are different for each victim. Some ransom notes include the types of data stolen and a link to a Tor data leak site where the victims can preview stolen data.
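The setup-phase actions listed above (deleting Shadow Volume Copies, clearing the Recycle Bin, disabling security features from PowerShell, staging via Task Scheduler, killing ESXi VMs and wiping their snapshots) all surface in process-creation telemetry. The following is an added detection example, not code from SafeBreach or the FBI alert: it runs a small rule set over constructed records shaped like Sysmon Event ID 1 / Windows 4688 fields. The command-line patterns are commonly documented indicators for each technique and are assumptions here, not a claim about the exact commands BlackCat/ALPHV executes.

```python
"""Scan process-creation records for the setup-phase techniques described above.

Added example; records are constructed and the patterns are assumed indicators.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str       # the TTP from the text this rule covers
    pattern: re.Pattern  # searched against the full command line


# Assumed indicators: well-known administrative commands that, when seen in a
# burst on one host, match the setup phase described in the text.
RULES = [
    Rule("shadow_copy_deletion", "deleting Shadow Volume Copies",
         re.compile(r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)),
    Rule("recycle_bin_wipe", "clearing the Recycle Bin",
         re.compile(r"\b(rd|rmdir|remove-item)\b.*\$recycle\.bin", re.I)),
    Rule("defender_realtime_off", "disabling security features via PowerShell",
         re.compile(r"set-mppreference\b.*-disablerealtimemonitoring\s+\$?true", re.I)),
    Rule("scheduled_task_create", "Task Scheduler used to stage deployment",
         re.compile(r"\bschtasks(\.exe)?\s+/create\b", re.I)),
    Rule("esxi_vm_kill", "killing ESXi VMs",
         re.compile(r"\besxcli\s+vm\s+process\s+kill\b", re.I)),
    Rule("esxi_snapshot_wipe", "wiping ESXi snapshots",
         re.compile(r"\bvim-cmd\s+vmsvc/snapshot\.removeall\b", re.I)),
]

# Constructed sample telemetry (hostnames, users and command lines are made up).
SAMPLE_RECORDS = [
    {"Host": "WS01", "User": "CORP\\admin", "CommandLine": r"vssadmin.exe delete shadows /all /quiet"},
    {"Host": "WS01", "User": "CORP\\admin", "CommandLine": r"powershell.exe -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"Host": "WS01", "User": "CORP\\svc", "CommandLine": r"cmd.exe /c rd /s /q C:\$Recycle.Bin"},
    {"Host": "FS02", "User": "CORP\\jdoe", "CommandLine": r"schtasks.exe /query /tn backup"},
    {"Host": "FS02", "User": "CORP\\admin", "CommandLine": r"schtasks.exe /create /tn update /tr C:\temp\x.exe /sc once /st 00:00"},
    {"Host": "ESX01", "User": "root", "CommandLine": r"esxcli vm process kill --type=force --world-id=12345"},
    {"Host": "ESX01", "User": "root", "CommandLine": r"vim-cmd vmsvc/snapshot.removeall 7"},
    {"Host": "WS03", "User": "CORP\\jdoe", "CommandLine": r"vssadmin.exe list shadows"},
]


def scan(records):
    """Return one finding dict per (record, rule) pair whose command line matches."""
    findings = []
    for rec in records:
        cmd = rec.get("CommandLine", "")
        for rule in RULES:
            if rule.pattern.search(cmd):
                findings.append({
                    "host": rec.get("Host", "?"),
                    "user": rec.get("User", "?"),
                    "rule": rule.name,
                    "technique": rule.technique,
                    "cmdline": cmd,
                })
    return findings


def hosts_with_correlated_activity(findings, threshold=2):
    """Hosts on which at least `threshold` distinct rules fired.

    A single hit (e.g. an admin deleting shadow copies) is routine; several
    distinct setup-phase techniques on one host is the pattern worth paging on.
    """
    rules_by_host = {}
    for f in findings:
        rules_by_host.setdefault(f["host"], set()).add(f["rule"])
    return sorted(h for h, rules in rules_by_host.items() if len(rules) >= threshold)


if __name__ == "__main__":
    hits = scan(SAMPLE_RECORDS)
    for h in hits:
        print(f'{h["host"]:6} {h["rule"]:24} {h["cmdline"]}')
    print("correlated:", hosts_with_correlated_activity(hits))
```

Feeding real Sysmon or 4688 data only requires mapping the record keys; the correlation step is what keeps the shadow-copy and scheduled-task rules from drowning an analyst in legitimate administrative noise.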
BlackCat/ALPHV threat actors claim the malware is cross-platform with support for multiple operating systems including:
- All Windows releases from 7 upward (tested on 7, 8.1, 10, 11; 2008r2, 2012, 2016, 2019, 2022); XP and 2003 can be encrypted over SMB
- ESXi (tested on 5.5, 6.5, 7.0.2u)
- Debian (tested on 7, 8, 9)
- Ubuntu (tested on 18.04, 20.04)
- ReadyNAS, Synology
What You Should Do Now
The sophisticated BlackCat/ALPHV ransomware allows threat actors to perform a wide variety of targeted malicious activities on a victim’s computer. We understand the seriousness of this threat and have updated our Hacker’s Playbook with 6 new attacks that allow you to test your security controls against BlackCat/ALPHV and ensure that your organization does not fall victim to this new threat. Below is a list of the newly added attacks:
- #7013 – Pre-execution phase of BlackCat_ALPHV malware (Host-Level)
- #7014 – Write BlackCat_ALPHV malware to disk (Host-Level)
- #7015 – Transfer of BlackCat_ALPHV malware over HTTP/S (Lateral Movement)
- #7016 – Transfer of BlackCat_ALPHV malware over HTTP/S (Infiltration)
- #7017 – Email BlackCat_ALPHV malware as a ZIP attachment (Lateral Movement)
- #7018 – Email BlackCat_ALPHV malware as a ZIP attachment (Infiltration)
Additionally, it has been observed that the threat actors are leveraging Mimikatz to extract credentials. We recommend you also consider running the following attack to ensure protection against Mimikatz-based credential-harvesting attacks.
- #1220 – Inject Mimikatz using PowerShell to Extract Credentials
Additional recommendations from the FBI to ensure protection against BlackCat/ALPHV:
- Review domain controllers, servers, workstations, and Active Directory for new or unrecognized user accounts.
- Regularly back up data, air gap, and password-protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
- Review antivirus logs for indications they were unexpectedly turned off.
- Implement network segmentation.
- Require administrator credentials to install software.
- Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.
- Use multi-factor authentication where possible.
- Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
- Audit user accounts with administrative privileges and configure access controls with the least privilege in mind.
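Three of the recommendations above (review for new or unrecognized accounts, review antivirus logs for unexpected shutdowns, monitor RDP logs) can be checked continuously from Windows event logs. The following is an added example, not FBI or SafeBreach tooling: it audits constructed JSON-lines event records carrying a subset of the fields the real events have. The event IDs are the standard Windows Security log IDs (4720 account created, 4728/4732 member added to a global/local group, 4624 logon with logon type 10 for RDP) and the Microsoft Defender operational event 5001 (real-time protection disabled); the approved-account baseline, privileged-group list and allowed RDP source subnet are assumed local policy.

```python
"""Audit Windows event records against the account, AV and RDP recommendations above.

Added example; events are constructed, baseline values are assumed local policy.
"""
import ipaddress
import json

# Assumed local policy: accounts the provisioning process is allowed to create,
# groups whose membership changes always warrant review, and the jump-host
# subnet from which remote interactive (RDP) logons are expected.
APPROVED_ACCOUNTS = {"jdoe", "asmith", "svc_backup"}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
RDP_ALLOWED_NET = ipaddress.ip_network("10.10.50.0/24")

# Constructed sample events (one JSON object per line, as a SIEM export might give them).
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 4720, "SubjectUser": "asmith", "TargetUser": "svc_backup"},
    {"EventID": 4720, "SubjectUser": "asmith", "TargetUser": "adm_tmp"},
    {"EventID": 4728, "SubjectUser": "asmith", "MemberName": "adm_tmp", "GroupName": "Domain Admins"},
    {"EventID": 4732, "SubjectUser": "jdoe", "MemberName": "jdoe", "GroupName": "Remote Desktop Users"},
    {"EventID": 4624, "TargetUser": "adm_tmp", "LogonType": 10, "IpAddress": "10.10.50.7"},
    {"EventID": 4624, "TargetUser": "adm_tmp", "LogonType": 10, "IpAddress": "192.168.7.21"},
    {"EventID": 4624, "TargetUser": "jdoe", "LogonType": 3, "IpAddress": "192.168.7.21"},
    {"EventID": 5001, "Provider": "Microsoft-Windows-Windows Defender", "Host": "WS01"},
])


def audit(event_lines):
    """Return (alert_type, detail) tuples for events that contradict the recommendations."""
    alerts = []
    for line in event_lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        eid = ev.get("EventID")
        if eid == 4720 and ev.get("TargetUser") not in APPROVED_ACCOUNTS:
            # New account outside the approved baseline: "new or unrecognized user accounts".
            alerts.append(("new_account", ev.get("TargetUser", "?")))
        elif eid in (4728, 4732) and ev.get("GroupName") in PRIVILEGED_GROUPS:
            # Privileged group membership change: audit of administrative privileges.
            alerts.append(("privileged_group_add", f'{ev.get("MemberName", "?")}->{ev["GroupName"]}'))
        elif eid == 4624 and ev.get("LogonType") == 10:
            # Remote interactive logon: allowed only from the jump-host subnet.
            src = ipaddress.ip_address(ev["IpAddress"])
            if src not in RDP_ALLOWED_NET:
                alerts.append(("rdp_from_unexpected_source", f'{ev.get("TargetUser", "?")}@{src}'))
        elif eid == 5001:
            # Defender real-time protection disabled: "antivirus unexpectedly turned off".
            alerts.append(("realtime_protection_disabled", ev.get("Host", "?")))
    return alerts


if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_EVENTS):
        print(f"{kind:30} {detail}")
```

The baseline comparison is deliberately strict: an account creation is either in the approved set or it is an alert, which is the behaviour you want given that the TTPs above start from compromised credentials and newly created AD accounts.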