The Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency are releasing this joint CSA to disseminate known IOCs and TTPs associated with the ALPHV Blackcat ransomware as a service identified through FBI investigations as recently as Dec. 6, 2023.
Since previous reporting, ALPHV Blackcat actors released a new version of the malware, and the FBI identified over 1000 victims worldwide targeted via ransomware and/or data extortion.
FBI and CISA encourage critical infrastructure organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ALPHV Blackcat ransomware and data extortion incidents.
In February 2023, ALPHV Blackcat administrators announced the ALPHV Blackcat Ransomware 2.0 Sphynx update, which was rewritten to provide additional features to affiliates, such as better defense evasion and additional tooling.
This ALPHV Blackcat update has the capability to encrypt both Windows and Linux devices, and VMWare instances.
ALPHV Blackcat affiliates have extensive networks and experience with ransomware and data extortion operations.
According to the FBI, as of September 2023, ALPHV Blackcat affiliates have compromised over 1000 entities (nearly 75 percent of them in the United States and approximately 250 outside the United States), demanded over $500 million, and received nearly $300 million in ransom payments.
ALPHV Blackcat affiliates use advanced social engineering techniques and open source research on a company to gain initial access.
ALPHV Blackcat affiliates use uniform resource locators to live-chat with victims to convey demands and initiate processes to restore the victims' encrypted files.
After gaining access to a victim network, ALPHV Blackcat affiliates deploy remote access software such as AnyDesk, Mega sync, and Splashtop in preparation for data exfiltration.
After gaining access to networks, ALPHV Blackcat affiliates use legitimate remote access and tunneling tools, such as Plink and Ngrok [S0508].
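As an added example (not from the advisory or any FBI/CISA tooling), the following Python triage script flags process-creation events that launch the remote access and tunneling tools named above, run over constructed Sysmon-style JSON events. The indicator list and the Plink `-R` / ngrok `tcp|http` command-line patterns are assumptions about default binary names and documented syntax; a renamed binary would evade the name match.

```python
import json
import re
from typing import Iterable
# Substrings of the tool names the advisory lists (constructed, lowercase).
TOOL_INDICATORS = {
    "anydesk": "AnyDesk remote access",
    "megasync": "MEGA sync client (exfiltration staging)",
    "splashtop": "Splashtop remote access",
    "plink": "Plink SSH client",
    "ngrok": "Ngrok tunneling agent",
}
# Command lines that set up a tunnel, not merely launch the tool (assumes documented Plink -R and ngrok tcp/http syntax).
TUNNEL_PATTERNS = [
    (re.compile(r"\bplink(\.exe)?\b.*\s-R\s", re.I), "Plink reverse port forward"),
    (re.compile(r"\bngrok(\.exe)?\b\s+(tcp|http|tunnel)\b", re.I), "Ngrok tunnel start"),
]

def analyze_event(event: dict) -> list[str]:
    """Return the reasons a process-creation event is suspicious ([] if none)."""
    # Match on the image file name; a renamed binary evades this, so pair it
    # with hash or OriginalFileName checks in production telemetry.
    image = event.get("Image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    cmdline = event.get("CommandLine", "")
    reasons = [f"{label}: image {image!r}" for key, label in TOOL_INDICATORS.items() if key in image]
    reasons += [f"{label}: {cmdline!r}" for pat, label in TUNNEL_PATTERNS if pat.search(cmdline)]
    return reasons

def scan_events(lines: Iterable[str]) -> list[dict]:
    """Parse one JSON process-creation event per line and collect alerts."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a malformed line instead of aborting the whole sweep
        reasons = analyze_event(event)
        if reasons:
            alerts.append({"time": event.get("UtcTime"), "user": event.get("User"), "reasons": reasons})
    return alerts

# Constructed sample events in a Sysmon-like JSON shape; not real telemetry.
SAMPLE_EVENTS = [
    r'{"UtcTime":"2023-12-06 14:02:11","User":"CORP\\jdoe","Image":"C:\\Users\\jdoe\\AppData\\Local\\Temp\\AnyDesk.exe","CommandLine":"AnyDesk.exe"}',
    r'{"UtcTime":"2023-12-06 14:05:40","User":"CORP\\jdoe","Image":"C:\\Windows\\System32\\svchost.exe","CommandLine":"svchost.exe -k netsvcs"}',
    r'{"UtcTime":"2023-12-06 14:09:03","User":"CORP\\svc_backup","Image":"C:\\ProgramData\\plink.exe","CommandLine":"plink.exe -R 3389:127.0.0.1:3389 user@203.0.113.5"}',
    r'{"UtcTime":"2023-12-06 14:11:27","User":"CORP\\svc_backup","Image":"C:\\ProgramData\\ngrok.exe","CommandLine":"ngrok.exe tcp 3389"}',
    'not json at all',
]
```

Running `scan_events(SAMPLE_EVENTS)` yields three alerts (AnyDesk, Plink with a reverse forward, ngrok starting a tunnel) and silently skips the benign svchost event and the malformed line.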
ALPHV Blackcat affiliates claim to use Brute Ratel C4 [S1063] and Cobalt Strike [S1054] as beacons to command and control servers.
ALPHV Blackcat affiliates use the open source adversary-in-the-middle attack [T1557] framework Evilginx2, which allows them to obtain multifactor authentication credentials, login credentials, and session cookies.
Some ALPHV Blackcat affiliates exfiltrate data after gaining access and extort victims without deploying ransomware.
After exfiltrating and/or encrypting data, ALPHV Blackcat affiliates communicate with victims via TOR [S0183], Tox, email, or encrypted applications.
ALPHV Blackcat affiliates pose as company IT and/or helpdesk staff using phone calls or SMS messages to obtain credentials from employees to access the target network.
ALPHV Blackcat affiliates use compromised accounts to gain access to victims' networks.
ALPHV Blackcat affiliates obtain passwords from local networks, deleted servers, and domain controllers.
FBI and CISA recommend that organizations implement the mitigations below, which are based on observed threat actor activity, to improve their cybersecurity posture and reduce the risk of compromise by ALPHV Blackcat threat actors.
Implementing FIDO/WebAuthn authentication or public key infrastructure (PKI)-based MFA [CPG 2.H]. These MFA implementations are resistant to phishing and are not susceptible to push bombing or SIM swap attacks, techniques known to be used by ALPHV Blackcat affiliates.
Published on www.cisa.gov, Tue, 19 Dec 2023 18:20:13 +0000.