US agencies update advisory on ALPHV Blackcat ransomware targeting healthcare sector

U.S. agencies have released an updated joint advisory on the ALPHV Blackcat ransomware group. This update includes new indicators of compromise (IOCs) and details on the tactics, techniques, and procedures (TTPs) linked to the ALPHV Blackcat ransomware-as-a-service (RaaS). It has been noted that affiliates of ALPHV Blackcat are predominantly focusing their attacks on the healthcare sector.

CISA, the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) call upon critical infrastructure organizations to implement the recommendations in the advisory to reduce the likelihood and impact of ALPHV Blackcat ransomware and data extortion incidents.

The advisory disclosed that ALPHV Blackcat affiliates use advanced social engineering techniques and open-source research on a company to gain initial access. “Actors pose as company IT and/or helpdesk staff and use phone calls or SMS messages to obtain credentials from employees to access the target network. ALPHV Blackcat affiliates use uniform resource locators (URLs) to live-chat with victims to convey demands and initiate processes to restore the victims’ encrypted files.”

Following a December advisory that contained updated information on the TTPs employed by ALPHV Blackcat affiliates, the latest advisory provides updates to the FBI FLASH BlackCat/ALPHV Ransomware Indicators of Compromise released in April 2022. The ALPHV Blackcat hackers have since employed improvised communication methods by creating victim-specific emails to notify of the initial compromise.

Since mid-December 2023, of the nearly 70 leaked victims, the healthcare sector has been the most commonly victimized. This is likely in response to the ALPHV Blackcat administrator’s post encouraging its affiliates to target hospitals after operational action against the group and its infrastructure in early December 2023.

Last February, the ALPHV Blackcat administrators announced the ALPHV Blackcat Ransomware 2.0 Sphynx update, which was rewritten to provide additional features to affiliates, such as better defense evasion and additional tooling. The ALPHV Blackcat update was identified to have had the capability to encrypt both Windows and Linux devices and VMware instances. ALPHV Blackcat affiliates have extensive networks and experience with ransomware and data extortion operations.

After gaining access to a victim network, ALPHV Blackcat affiliates deploy remote access software such as AnyDesk, Mega sync, and Splashtop in preparation for data exfiltration. ALPHV Blackcat affiliates create a user account, ‘aadmin,’ and use Kerberos token generation for domain access. After gaining access to networks, they use legitimate remote access and tunneling tools, such as Plink and Ngrok.

It also revealed that the ALPHV Blackcat affiliates claim to use Brute Ratel C4 and Cobalt Strike as beacons to command and control servers. “ALPHV Blackcat affiliates use the open source adversary-in-the-middle attack framework Evilginx2, which allows them to obtain multi-factor authentication (MFA) credentials, login credentials, and session cookies. The actors also obtain passwords from the domain controller, local network, and deleted backup servers to move laterally throughout the network.” 

To evade detection, affiliates employ allowlisted applications such as Metasploit. Once installed on the domain controller, the logs are cleared on the exchange server. Then Mega[dot]nz or Dropbox are used to move, exfiltrate, and/or download victim data. The ransomware is then deployed, and the ransom note is embedded as a file[dot]txt. 

According to public reporting, affiliates have additionally used ‘Poortry’ and ‘Stonestop’ to terminate security processes. Some ALPHV Blackcat affiliates exfiltrate data after gaining access and extort victims without deploying ransomware. After exfiltrating and/or encrypting data, ALPHV Blackcat affiliates communicate with victims via TOR, Tox, email, or encrypted applications. The actors then delete victim data from the victim’s system.

The advisory also pointed out that ALPHV Blackcat affiliates offer to provide unsolicited cyber remediation advice as an incentive for payment, offering to provide victims with ‘vulnerability reports’ and ‘security recommendations’ detailing how they penetrated the system and how to prevent future re-victimization upon receipt of ransom payment. The ALPHV Blackcat encryptor results in a file with the following naming convention: RECOVER-(seven-digit extension) FILES[dot]txt. 
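The account creation, remote access tooling, log clearing and ransom-note naming described in the preceding paragraphs are all host-observable. The script below is an added example (not part of the article or of the CISA/FBI/HHS advisory) that runs simple detection rules over a few constructed log lines in a made-up `<host> <event> key=value` format; the `aadmin` name, the tool names and the `RECOVER-… FILES.txt` convention come from the text, while the seven-character alphanumeric pattern and the space-or-hyphen separator are assumptions, since the article only says "seven-digit extension".

```python
import re
from dataclasses import dataclass

# Indicators taken from the advisory summary above: the 'aadmin' account,
# remote access and sync tools staged before exfiltration, clearing of logs,
# and the RECOVER-<7 chars> FILES.txt ransom-note name. The log format is a
# constructed, simplified "<host> <event> key=value ..." line, not a real
# SIEM schema.
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "megasync.exe", "splashtop.exe",
                       "plink.exe", "ngrok.exe"}
SUSPICIOUS_ACCOUNTS = {"aadmin"}
# Assumption: seven alphanumeric characters, separated from FILES.txt by a
# space or a hyphen (the article writes the convention with a space).
RANSOM_NOTE_RE = re.compile(r"^RECOVER-[A-Za-z0-9]{7}[ -]FILES\.txt$", re.IGNORECASE)

# Constructed sample events; the hosts, users and paths are invented.
SAMPLE_LOG = r"""
ws01 ACCOUNT_CREATED user=aadmin by=svc_helpdesk
ws01 PROCESS_START image=C:\Users\jdoe\Downloads\AnyDesk.exe user=jdoe
ws03 PROCESS_START image=C:\Windows\notepad.exe user=asmith
dc01 LOG_CLEARED channel=Security by=aadmin
fs02 FILE_CREATED name=RECOVER-abc1234-FILES.txt path=D:\share
"""


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def parse_line(line):
    """Split a constructed log line into host, event type and key=value fields."""
    parts = line.split()
    host, event = parts[0], parts[1]
    fields = {}
    for kv in parts[2:]:
        key, _, value = kv.partition("=")
        fields[key] = value
    return host, event, fields


def detect(lines):
    """Return one Finding per log line that matches an advisory indicator."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        host, event, f = parse_line(line)
        if event == "ACCOUNT_CREATED" and f.get("user", "").lower() in SUSPICIOUS_ACCOUNTS:
            findings.append(Finding(host, "suspicious_account", f["user"]))
        elif event == "PROCESS_START":
            # Compare only the executable name, normalising path separators.
            image = f.get("image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if image in REMOTE_ACCESS_TOOLS:
                findings.append(Finding(host, "remote_access_tool", image))
        elif event == "LOG_CLEARED":
            findings.append(Finding(host, "log_cleared", f.get("channel", "?")))
        elif event == "FILE_CREATED" and RANSOM_NOTE_RE.match(f.get("name", "")):
            findings.append(Finding(host, "ransom_note", f["name"]))
    return findings


def hosts_by_severity(findings):
    """Group rule hits per host; a host hit by two or more distinct rules is 'high'."""
    rules = {}
    for fnd in findings:
        rules.setdefault(fnd.host, set()).add(fnd.rule)
    return {host: ("high" if len(r) >= 2 else "medium") for host, r in rules.items()}


if __name__ == "__main__":
    hits = detect(SAMPLE_LOG.splitlines())
    for fnd in hits:
        print(fnd)
    print(hosts_by_severity(hits))
```

Each rule on its own is noisy (AnyDesk and Splashtop are legitimate in many environments), which is why the per-host grouping matters: a workstation that both gains an `aadmin` account and launches a remote access tool is a far stronger signal than either event alone, and the ransom-note pattern on a file server is the late-stage indicator you would rather never reach.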

CISA, the FBI, and HHS urge network defenders to review the updated joint advisory to protect against and detect malicious activity. Given the threat ALPHV Blackcat poses to the healthcare sector, healthcare organizations can look to the healthcare and public health (HPH) sector cybersecurity performance goals to implement cybersecurity protections against the most common threats.

It also identified mitigations for the TTPs used against this sector: securing remote access tools by implementing application controls to manage and control execution of software, including allowlisting remote access programs; identifying, detecting, and investigating abnormal activity and potential traversal of the indicated ransomware with a network monitoring tool; and implementing user training on social engineering and phishing attacks.

The advisory also called for implementing internal mail and messaging monitoring; implementing free security tools to prevent cyber threat actors from redirecting users to malicious websites to steal their credentials; and installing and maintaining antivirus software.
