CISA
Critical infrastructure
Malware, Phishing & Ransomware
News
Risk & Compliance
System Design & Architecture
Threat Landscape
Vulnerabilities

CISA, FBI warn critical infrastructure sector of ALPHV Blackcat ransomware, data extortion incidents

December 21, 2023
CISA, FBI warn critical infrastructure sector of ALPHV Blackcat ransomware, data extortion incidents

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory (CSA) containing updated information on the tactics, techniques, and procedures (TTPs) employed by ALPHV Blackcat affiliates. The advisory also includes indicators of compromise (IOCs) that have been identified through recent FBI investigations, as of Dec. 6, this year.

According to the FBI, as of September 2023, ALPHV Blackcat affiliates have compromised over 1000 entities—nearly 75 percent of which are in the U.S. and approximately 250 outside the U.S., demanded over US$500 million, and received nearly $300 million in ransom payments.

ALPHV Blackcat affiliates have extensive networks and experience with ransomware and data extortion operations. FBI investigations, as of September 2023, place the number of compromised entities at over 1000—over half of which are in the U.S. and approximately 250 outside the U.S. The latest advisory also provides updates to the FBI FLASH BlackCat/ALPHV ransomware IoCs released last April

The U.S. Department of Justice (DOJ) also announced Tuesday it had disrupted a campaign against the Blackcat ransomware group, also known as ALPHV or Noberus. The group has demonstrated high proficiency in targeting and compromising over 1,000 computer networks, resulting in significant global repercussions. Particularly concerning is their deliberate focus on infiltrating networks that support critical infrastructure within the U.S.

“In February 2023, ALPHV Blackcat administrators announced the ALPHV Blackcat Ransomware 2.0 Sphynx update, which was rewritten to provide additional features to affiliates, such as better defense evasion and additional tooling,” the CISA-FBI advisory identified. “This ALPHV Blackcat update has the capability to encrypt both Windows and Linux devices and VMWare instances. ALPHV Blackcat affiliates have extensive networks and experience with ransomware and data extortion operations.” 

ALPHV Blackcat affiliates use advanced social engineering techniques and open-source research on a company to gain initial access. Actors pose as company IT and/or helpdesk staff and use phone calls or SMS messages to obtain credentials from employees to access the target network. ALPHV Blackcat affiliates use uniform resource locators (URLs) to live chat with victims to convey demands and initiate processes to restore the victims’ encrypted files.

The advisory revealed that after gaining access to a victim network, ALPHV Blackcat affiliates deploy remote access software such as AnyDesk, Mega sync, and Splashtop in preparation for data exfiltration. “After gaining access to networks, ALPHV Blackcat affiliates use legitimate remote access and tunneling tools, such as Plink and Ngrok. ALPHV Blackcat affiliates claim to use Brute Ratel C4 and Cobalt Strike as beacons to command and control servers.” 

ALPHV Blackcat affiliates use the open-source adversary-in-the-middle attack framework Evilginx2, which allows them to obtain multi-factor authentication credentials, login credentials, and session cookies. “The actors also obtain passwords from the domain controller, local network, and deleted backup servers to move laterally throughout the network,” it added. 

The CISA and FBI said that to evade detection, affiliates employ allowlisted applications such as Metasploit. “Once installed on the domain controller, the logs are cleared on the exchange server. Then Mega[dot]nz or Dropbox are used to move, exfiltrate, and/or download victim data. The ransomware is then deployed, and the ransom note is embedded as a file[dot]txt.” 

According to public reporting, affiliates have used POORTRY and STONESTOP to terminate security processes. Some Blackcat affiliates exfiltrate data after gaining access and extort victims without deploying ransomware. After exfiltrating and/or encrypting data, these affiliates communicate with victims via TOR, Tox, email, or encrypted applications. The threat actors then delete victim data from the victim’s system.

The advisory said that the ALPHV Blackcat affiliates offer to provide unsolicited cyber remediation advice as an incentive for payment, offering to provide victims with ‘vulnerability reports’ and ‘security recommendations’ detailing how they penetrated the system and how to prevent future re-victimization upon receipt of ransom payment.

The document said that if compromise is detected, organizations should quarantine or take offline potentially affected hosts, reimage compromised hosts, provision new account credentials, and collect and review artifacts such as running processes/services, unusual authentications, and recent network connections.

The CISA-FBI advisory called upon critical infrastructure organizations to mitigate against the threat of ransomware by taking inventory of assets and data to identify authorized and unauthorized devices and software. They also called for the prioritization of remediation of known exploited vulnerabilities; enabling and enforcing multi-factor authentication with strong passwords; closing unused ports and removing applications not deemed necessary for day-to-day operations.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

Securing cloud, IIoT in Industry 4.0 emerges crucial for protecting industrial operations across OT/ICS environments
Securing cloud, IIoT in Industry 4.0 emerges crucial for protecting industrial operations across OT/ICS environments
Through the Lens of a Case Study: What It Takes to Be a Cyber-Physical Risk Analyst
Through the Lens of a Case Study: What It Takes to Be a Cyber-Physical Risk Analyst
Dragos reports decline in ransomware attacks on industrial sector amid law enforcement measures
Dragos reports decline in ransomware attacks on industrial sector amid law enforcement measures
MITRE's CREF Navigator aligns with DoD's CMMC to boost cyber resilience in defense industrial base
MITRE’s CREF Navigator aligns with DoD’s CMMC to boost cyber resilience in defense industrial base
UK’s NCSC debuts CAF v3.2 to address rising threats to critical national infrastructure, boosts cybersecurity readiness
UK’s NCSC debuts CAF v3.2 to address rising threats to critical national infrastructure, boosts cybersecurity readiness
Cisco Talos details ArcaneDoor campaign found targeting perimeter network devices across critical infrastructure
Cisco Talos details ArcaneDoor campaign found targeting perimeter network devices across critical infrastructure
Forescout report warns of growing security risks to critical infrastructure as OT/ICS exposed data escalates
Forescout report warns of growing security risks to critical infrastructure as OT/ICS exposed data escalates
ASIS Foundation reports on impact of autonomous vehicles on security and technology
ASIS Foundation reports on impact of autonomous vehicles on security and technology
European Commission makes €112 million investment in AI, quantum research under Horizon Europe program
European Commission makes €112 million investment in AI, quantum research under Horizon Europe program
MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights
MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights