BlackCat/ALPHV: A New Age Ransomware Threat
BlackCat, also known as ALPHV or Noberus, emerged in November 2021 as a ransomware-as-a-service (RaaS) operation. The group operating the BlackCat ransomware is considered a significant threat in the cybercriminal world. This article examines the history, tactics, and impact of the BlackCat/ALPHV ransomware group.
Origins and Early Activity
While the origins of BlackCat/ALPHV are not definitively known, the FBI believes many of the developers and money launderers for BlackCat/ALPHV are linked to previous ransomware operations, DarkSide and Blackmatter. This suggests the group possesses extensive experience and networks within the ransomware landscape. Some experts have theorized BlackCat is a rebranding of DarkSide, which gained notoriety in May 2021 for its attack on the Colonial Pipeline. Others believe it could be a successor to the REvil cybercriminal group, which was dismantled in late 2021.
BlackCat distinguished itself as the first ransomware group to establish a public data leak website on the open internet. Prior to this, ransomware gangs primarily relied on the dark web to publish stolen data. BlackCat's tactic of posting excerpts or samples of victim data on a publicly accessible website was seen as an attempt to bolster the credibility of their claims, applying additional pressure on victims to pay the ransom. The group was also known to mimic victims’ websites, using typo-squatting to post stolen data on replica sites.
Technical Details and Tactics
BlackCat/ALPHV ransomware, written in the Rust programming language, leverages compromised user credentials for initial access to a victim’s system. Once inside, it compromises Active Directory user and administrator accounts, and uses Windows Task Scheduler to deploy ransomware through malicious Group Policy Objects (GPOs). The initial deployment typically involves PowerShell scripts in conjunction with Cobalt Strike, a legitimate penetration testing tool frequently used for malicious purposes. BlackCat also disables security features within the victim's network and utilizes Windows administrative and Microsoft Sysinternals tools throughout the compromise.
BlackCat/ALPHV employs a double extortion tactic:
- Data Exfiltration: Before deploying the ransomware, BlackCat/ALPHV steals victim data, including information stored on cloud providers.
- Ransomware Deployment: The ransomware is executed, encrypting files and leaving a ransom note demanding cryptocurrency payment.
The group has also been observed using triple extortion, which adds the threat of distributed denial-of-service (DDoS) attacks against victims’ infrastructure.
BlackCat/ALPHV actors prioritize remaining undetected, employing tactics such as:
- Use of allowlisted applications (like Metasploit) to evade detection.
- Clearing logs on the Exchange server after deploying on the domain controller.
- Using Tor and encrypted chat applications (like Tox) to communicate with victims.
- Incorporating junk code and encrypted strings into the ransomware to evade detection.
After infiltrating a system, BlackCat/ALPHV will:
- Perform network discovery to identify additional systems for infection.
- Delete volume shadow copies.
- Employ tools like ExMatter to steal sensitive data.
Specific tools and techniques observed being used by BlackCat/ALPHV affiliates include:
- Advanced social engineering techniques
- Open source research to profile targets
- Posing as company IT or helpdesk staff to gain trust and obtain credentials
- Exploiting publicly exposed and vulnerable Veritas Backup Exec installations
- Utilizing tools like Advanced IP Scanner, ADRecon, and LaZagne to conduct reconnaissance and gather system information.
- Background Intelligent Transfer Service (BITS) to download additional tools
- SOCKS5 tunneling tools like LIGOLO and REVSOCKS to evade network defenses.
- Credential access tools like Mimikatz, LaZagne, and Nanodump
- Using the Metasploit framework
- The Emotet botnet
- Log4J Auto Expl
The group is also known for its use of:
- Victim-specific emails to notify of the initial compromise.
- Live chat via URLs to convey demands and initiate negotiations.
Targets and High-Profile Attacks
BlackCat/ALPHV has targeted hundreds of organizations across the globe, including Reddit, Change Healthcare, and numerous universities, government agencies, and companies in various sectors.
Notable Targets:
- MGM Resorts International and Caesars Entertainment: In September 2023, Scattered Spider, an affiliate (and speculated by some to be a subgroup) of BlackCat/ALPHV, targeted these two casino giants. Caesars paid a $15 million ransom while MGM refused, leading to a weeks-long shutdown of its systems and significant financial losses.
- Reddit: In June 2023, the group claimed responsibility for a breach of Reddit's systems that occurred in February 2023. BlackCat/ALPHV stole 80 GB of compressed data and demanded a $4.5 million ransom, but this incident didn't involve the typical data encryption seen in most ransomware attacks.
- Change Healthcare: This attack in early 2024 led to the disruption of prescription drug services across the U.S. for nearly two weeks. While Change Healthcare paid a $22 million ransom, the incident sparked a chain reaction that ultimately led to BlackCat/ALPHV ceasing operations.
Timeline of Events:
2021:
- November 2021: ALPHV (BlackCat) ransomware first observed by MalwareHunterTeam.
- November 2021: ALPHV emerges as a ransomware-as-a-service (RaaS).
2022:
- March 2022: BlackCat/ALPHV compromises at least 60 entities worldwide.
- March 2022: Veritas publishes an advisory about three critical vulnerabilities in Veritas Backup Exec 16.x, 20.x and 21.x.
- April 19, 2022: FBI releases FLASH report on BlackCat/ALPHV indicators of compromise and TTPs.
- April 26, 2022: HHS releases HC3 Alert with additional indicators of compromise for BlackCat/ALPHV.
- Late May 2022: A European government targeted with a $5 million ransom demand.
- September 23, 2022: Metasploit module exploiting Veritas Backup Exec vulnerabilities released.
- October 22, 2022: First observed exploitation of the Veritas vulnerabilities in the wild.
2023:
- Early 2023: BlackCat attacks Grupo Estrategas EMM, NextGen Healthcare, Solar Industries India, Instituto Federal Do Pará, Munster Technological University, and Lehigh Valley Health Network.
- February 2023: "Sphynx" variant released with enhanced speed and stealth capabilities.
- February 2023: BlackCat breaches Reddit's systems, stealing 80 GB of data.
- June 2023: BlackCat claims responsibility for the February 2023 Reddit breach and demands $4.5 million ransom.
- December 10, 2023: BlackCat's primary domain goes offline, attributed to a supposed hardware failure.
- December 19, 2023: FBI seizes BlackCat's website as part of a coordinated law enforcement action.
- December 19, 2023: The Justice Department announces the disruption of BlackCat, seizes websites, and releases a decryption tool.
- December 19, 2023: CISA and the FBI release a joint Cybersecurity Advisory on BlackCat TTPs and IOCs.
2024:
- February 2024: U.S. Department of State offers rewards up to $10 million for information on BlackCat leaders and $5 million for individuals participating in BlackCat attacks.
- March 5, 2024: BlackCat ransomware group implodes after an apparent $22 million payment from Change Healthcare.
- May 2024: BlackCat attacks Hong Kong's Consumer Council.
Cast of Characters:
BlackCat / ALPHV / Noberus:
- A ransomware-as-a-service (RaaS) operation active from November 2021, known for its use of the Rust programming language and its aggressive tactics.
- Believed to have connections to the defunct DarkSide and Blackmatter ransomware groups.
- Targeted over 1,000 victims globally, including critical infrastructure, and demanded millions in ransoms. Known for double extortion tactics, data theft, and public leak sites.
Federal Bureau of Investigation (FBI):
- Investigated BlackCat's activities and released multiple reports and alerts on their TTPs and IOCs.
- Played a key role in the December 2023 takedown, seizing websites and developing a decryption tool that helped over 500 victims recover data.
Cybersecurity and Infrastructure Security Agency (CISA):
- Partnered with the FBI in investigating BlackCat and issuing advisories to help organizations protect against the threat.
- Released joint Cybersecurity Advisories with the FBI on BlackCat.
U.S. Department of Justice:
- Announced the December 2023 disruption campaign against BlackCat.
- Highlighted the international cooperation involved and the impact of their actions in disrupting the group.
U.S. Department of State:
- Offered rewards in February 2024 for information leading to the identification or location of BlackCat leaders and individuals involved in attacks.
Mandiant:
- Cybersecurity firm that observed ALPHV affiliates exploiting Veritas Backup Exec vulnerabilities in October 2022.
- Published a blog post detailing the exploitation and provided mitigation recommendations.
Veritas:
- Software company that developed Backup Exec.
- Published an advisory in March 2021 about critical vulnerabilities in their software later exploited by BlackCat.
MalwareHunterTeam:
- Security researchers who first observed the BlackCat malware in November 2021.
Change Healthcare:
- Healthcare technology company that made a $22 million ransom payment to BlackCat in early 2024, potentially contributing to the group's implosion.
Reddit:
- Social media platform breached by BlackCat in February 2023, with 80 GB of data stolen and a $4.5 million ransom demanded.
Henry Schein, Fidelity National Financial, Seiko, MeridianLink:
- Companies reported in news coverage as victims of BlackCat ransomware attacks.
Europol, Zentrale Kriminalinspektion Göttingen (Germany), Australian Federal Police, UK National Crime Agency, Spanish Policia Nacional, Swiss Kantonspolizei Thurgau, Austrian Directorate State Protection and Intelligence Service:
- Law enforcement and intelligence agencies that provided substantial assistance in the BlackCat takedown, demonstrating the international effort against the group.
Law Enforcement Action and Apparent Demise
In December 2023, a collaborative effort by the FBI and international law enforcement agencies dealt a significant blow to BlackCat/ALPHV, resulting in the seizure of multiple websites used by the group. Law enforcement also released a decryption tool enabling victims to recover their files without paying a ransom. As of February 2024, the U.S. Department of State was offering rewards of up to $10 million for information leading to the identification or location of BlackCat/ALPHV leaders.
Despite attempts to re-form, BlackCat/ALPHV appears to have ceased operations following the Change Healthcare attack. An affiliate involved in the attack claimed the group cheated them out of their share of the ransom, prompting BlackCat/ALPHV to announce its closure and the sale of its ransomware source code. Many experts believe this to be an exit scam orchestrated by the group's leaders.
Conclusion
BlackCat/ALPHV represented a sophisticated and evolving threat in the cybercrime ecosystem. While their apparent demise is a significant victory for law enforcement, it serves as a stark reminder of the constant evolution of cyber threats. Organizations must prioritize robust cybersecurity practices and remain vigilant against this ever-present danger.
BlackCat/ALPHV Ransomware FAQ
What is BlackCat/ALPHV ransomware?
BlackCat, also known as ALPHV or Noberus, is a ransomware-as-a-service (RaaS) operation that emerged in November 2021. It's known for being the first major ransomware to be written in the Rust programming language, which gives the attackers better performance and makes their binaries harder for defenders to analyze and detect. BlackCat targets a variety of organizations globally, including those in critical infrastructure sectors.
How does BlackCat/ALPHV ransomware work?
BlackCat operates on a double extortion model. First, affiliates gain access to a victim's network, often through phishing or exploiting vulnerabilities. Once inside, they steal sensitive data and then deploy the ransomware, encrypting files to disrupt operations. Victims are threatened with public exposure of their stolen data if they don't pay the ransom.
What makes BlackCat/ALPHV different from other ransomware groups?
Apart from being written in Rust, BlackCat distinguishes itself through its use of advanced techniques and its willingness to target sensitive sectors like healthcare. They were also the first to host their data leak site on the clearnet, making it accessible to anyone, which increases pressure on victims to pay.
What is known about the individuals behind BlackCat/ALPHV?
While specific identities remain elusive, the FBI believes many BlackCat/ALPHV developers and money launderers are linked to the defunct DarkSide/Blackmatter ransomware operation. This suggests they have significant experience and established networks within the cybercriminal underworld.
Were there any successful takedowns or disruptions against BlackCat/ALPHV?
Yes, in December 2023, a coordinated international law enforcement operation led by the FBI disrupted BlackCat's operations. This involved seizing their websites and servers, as well as developing a decryption tool that helped many victims recover their data without paying the ransom.
Is BlackCat/ALPHV still active?
While significantly disrupted, there is debate about whether BlackCat is completely gone. Some cybersecurity researchers believe it could be rebranding or lying low before reemerging with new tactics or under a new name.
What are some common indicators of a BlackCat/ALPHV compromise?
Some signs include the presence of specific files or file extensions on systems (for example the ransom note the encryptor drops, named "RECOVER-(seven-digit extension) FILES.txt"), suspicious scheduled tasks, unauthorized network connections, and unusual entries in system logs, particularly those related to backup software.
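The indicators listed above, together with the shadow-copy deletion and scheduled-task deployment described in the tactics section, as a small hunt over constructed event records. This is an added example, not code from the article or any advisory; the event field names, the seven-character alphanumeric ransom-note pattern, and the scheduled-task heuristics are assumptions.

```python
import re

# Constructed sample events (not real telemetry). Each record carries only the
# fields the rules below need from Windows Security (4688 process creation,
# 4698 scheduled task created) or Sysmon (11 file create) events.
SAMPLE_EVENTS = [
    {"id": 4688, "host": "dc01", "cmd": r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"},
    {"id": 4688, "host": "dc01", "cmd": "wmic shadowcopy delete"},
    {"id": 4698, "host": "dc01", "task": r"\Microsoft\Windows\UpdateCheck",
     "cmd": r"powershell.exe -ExecutionPolicy Bypass -File C:\Windows\Temp\run.ps1"},
    {"id": 4698, "host": "ws17", "task": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "cmd": r"C:\Windows\System32\defrag.exe -c -h -o"},
    {"id": 11, "host": "fs02", "path": r"D:\Shares\Finance\RECOVER-ab12cd3-FILES.txt"},
    {"id": 11, "host": "fs02", "path": r"D:\Shares\Finance\Q3-report.xlsx"},
    {"id": 4688, "host": "ws17", "cmd": r"C:\Windows\System32\notepad.exe"},
]

# Shadow-copy deletion through the two built-in utilities normally used for it.
SHADOW_DELETE = re.compile(
    r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)
# Ransom-note name as the article describes it: RECOVER-<seven chars>-FILES.txt.
# Assumption: the seven characters are alphanumeric and either '-' or ' ' may precede FILES.
RANSOM_NOTE = re.compile(r"RECOVER-[A-Za-z0-9]{7}[- ]FILES\.txt$", re.I)
# Scheduled tasks whose action launches a script host or runs from a writable staging directory.
SUSPICIOUS_TASK_ACTION = re.compile(
    r"(powershell|cmd\.exe|wscript|cscript|\\Temp\\|\\Users\\Public\\|\\ProgramData\\)", re.I)


def classify(event):
    """Return a finding label for one event, or None if no rule matches."""
    if event["id"] == 4688 and SHADOW_DELETE.search(event.get("cmd", "")):
        return "shadow_copy_deletion"
    if event["id"] == 4698 and SUSPICIOUS_TASK_ACTION.search(event.get("cmd", "")):
        return "suspicious_scheduled_task"
    if event["id"] == 11 and RANSOM_NOTE.search(event.get("path", "")):
        return "ransom_note_dropped"
    return None


def hunt(events):
    """Run every event through the rules and return finding labels grouped by host.

    Shadow-copy deletion on the same host that created a suspicious task is the
    sequence the article describes: inhibit recovery, then deploy."""
    findings = {}
    for ev in events:
        label = classify(ev)
        if label:
            findings.setdefault(ev["host"], []).append(label)
    return findings


if __name__ == "__main__":
    for host, labels in hunt(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(labels)}")
```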
How can organizations protect themselves from BlackCat/ALPHV and other ransomware threats?
Key steps include:
- Prioritize patching vulnerabilities: Regularly update software and operating systems.
- Enforce multi-factor authentication: Make it harder for attackers to steal credentials.
- Maintain offline backups: Ensure critical data can be restored if systems are encrypted.
- Practice good cyber hygiene: Train employees to spot phishing emails and avoid suspicious links.
- Implement network segmentation: Limit the impact of a breach by isolating critical systems.