FBI releases new details of BlackCat/ALPHV ransomware, indicating that hackers are still active

The Federal Bureau of Investigation (FBI) released on Tuesday an alert with updated details of the indicators of compromise (IOCs) used by the BlackCat/ALPHV ransomware, highlighting that the hackers continue to be active adversaries.

“As of March 2022, BlackCat/ALPHV ransomware as a service (RaaS) had compromised at least 60 entities worldwide and is the first ransomware group to do so successfully using RUST, considered to be a more secure programming language that offers improved performance and reliable concurrent processing,” the FBI wrote in its latest FLASH alert. BlackCat-affiliated threat actors typically request ransom payments of several million dollars in Bitcoin and Monero but have accepted ransom payments below the initial ransom demand amount, it added. 

Many of the developers and money launderers for BlackCat/ALPHV are linked to Darkside/Blackmatter, indicating they have extensive networks and experience with ransomware operations, the agency added. 

BlackCat/ALPHV ransomware leverages previously compromised user credentials to gain initial access to the victim system, the FBI said. Once the malware establishes access, it compromises Active Directory user and administrator accounts. The malware uses Windows Task Scheduler to configure malicious Group Policy Objects (GPOs) to deploy ransomware. Initial deployment of the malware leverages PowerShell scripts, in conjunction with Cobalt Strike, and disables security features within the victim’s network, it added. 

The agency also identified that the BlackCat/ALPHV ransomware leverages Windows administrative tools and Microsoft Sysinternals tools during compromise. “BlackCat/ALPHV steals victim data prior to the execution of the ransomware, including from cloud providers where company or client data was stored,” it added.
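The deployment chain the FBI describes above (malicious GPOs pushed via scheduled tasks, PowerShell stagers, security features disabled, Sysinternals tools such as PsExec in use) leaves a recognisable trail in standard Windows event logs. The following is an added example, not code from the FBI alert or from Palo Alto Networks: a small correlation routine that classifies normalized Windows events and raises one alert when several of those indicators cluster within a short window. The event IDs (4698, 5136, 5001, 7045) are the standard Windows ones; the flattened record format and every sample event are constructed for illustration.

```python
"""Correlate Windows event records that match the BlackCat/ALPHV deployment
pattern: GPO modification, scheduled task running encoded PowerShell, Defender
real-time protection disabled, PsExec service installed.

Added example. The dict layout below is an assumed, already-normalized form of
the events (e.g. what a SIEM pipeline might emit); the values are constructed.
"""
from datetime import datetime, timedelta

# Constructed sample telemetry, not data from the FBI alert.
SAMPLE_EVENTS = [
    # Security 5136: directory service object modified (a GPO edit on the DC)
    {"ts": "2022-03-10T02:01:10", "host": "DC01", "event_id": 5136,
     "object_class": "groupPolicyContainer", "attribute": "gPCFileSysPath",
     "subject": "CORP\\svc_backup"},
    # Security 4698: scheduled task created, action is hidden encoded PowerShell
    {"ts": "2022-03-10T02:02:30", "host": "DC01", "event_id": 4698,
     "task_name": "\\Microsoft\\Windows\\Update\\Sync",
     "command": "powershell.exe -nop -w hidden -enc SQBFAFgA...",
     "subject": "CORP\\svc_backup"},
    # Defender/Operational 5001: real-time protection disabled
    {"ts": "2022-03-10T02:05:00", "host": "WS17", "event_id": 5001,
     "provider": "Microsoft-Windows-Windows Defender"},
    # System 7045: service installed; PSEXESVC is the PsExec remote service
    {"ts": "2022-03-10T02:06:12", "host": "WS17", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    # Benign scheduled task a day later; must not trigger anything
    {"ts": "2022-03-11T09:00:00", "host": "WS02", "event_id": 4698,
     "task_name": "\\Backup\\Nightly",
     "command": "C:\\Program Files\\Backup\\backup.exe /full",
     "subject": "CORP\\backupadmin"},
]

# Flags that typically accompany a PowerShell stager launched from a task.
SUSPICIOUS_PS_FLAGS = (" -enc", " -e ", "-encodedcommand", "-w hidden")


def classify(ev):
    """Return an indicator label for one event, or None if it is uninteresting."""
    eid = ev["event_id"]
    if eid == 5136 and ev.get("object_class") == "groupPolicyContainer":
        return "gpo_modified"
    if eid == 4698:
        cmd = ev.get("command", "").lower()
        if "powershell" in cmd and any(f in cmd for f in SUSPICIOUS_PS_FLAGS):
            return "encoded_powershell_task"
    if eid == 5001:
        return "defender_realtime_disabled"
    if eid == 7045 and ev.get("service_name", "").upper() == "PSEXESVC":
        return "psexec_service_installed"
    return None


def classify_all(events):
    """Classify every event, preserving input order (None for no match)."""
    return [classify(ev) for ev in events]


def correlate(events, window=timedelta(minutes=30), min_distinct=3):
    """Raise one alert when >= min_distinct distinct indicators fall inside
    a sliding time window. The chain spans hosts (DC and workstation), so the
    window is environment-wide rather than per host."""
    hits = []
    for ev in events:
        label = classify(ev)
        if label:
            hits.append((datetime.fromisoformat(ev["ts"]), label, ev["host"]))
    hits.sort()
    for i, (t0, _, _) in enumerate(hits):
        in_window = [h for h in hits[i:] if h[0] - t0 <= window]
        labels = {h[1] for h in in_window}
        if len(labels) >= min_distinct:
            return [{"start": t0.isoformat(),
                     "labels": sorted(labels),
                     "hosts": sorted({h[2] for h in in_window})}]
    return []


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(f"ALERT {alert['start']}: {', '.join(alert['labels'])} "
              f"on {', '.join(alert['hosts'])}")
```

Each rule on its own is noisy (administrators create tasks and edit GPOs all day), which is why the alert fires only on the combination; tuning the window and `min_distinct` against your own baseline is the practical part of deploying something like this.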

“BlackCat has taken an aggressive approach to naming and shaming victims, listing more than a dozen on their leak site in a little over a month,” Palo Alto Networks said in its threat assessment on the ransomware group released in January. “The largest number of the group’s victims so far are U.S. organizations, but BlackCat and its affiliates have also attacked organizations in Europe, the Philippines, and other locations. Victims include organizations in the following sectors: construction and engineering, retail, transportation, commercial services, insurance, machinery, professional services, telecommunication, auto components, and pharmaceuticals,” it added. 

As the malware itself is coded in the Rust programming language, which can easily be compiled for various operating system architectures, the firm assessed that Rust's high degree of customizability makes it easier for the operators to pivot and tailor individual attacks using its many native options. “The hackers leveraging BlackCat utilize numerous tactics that are becoming increasingly commonplace in the ransomware space, including multiple extortion techniques in some cases, such as the siphoning of victim data before ransomware deployment, threats to release data if the ransom is not paid, and distributed denial-of-service (DDoS) attacks,” Palo Alto added.

The BlackCat/ALPHV ransomware hackers were said to have been behind the February cyberattacks that affected oil transport and storage companies across Europe. At the same time, authorities say that large-scale cyberattacks have also targeted port facilities in Belgium, Germany, and the Netherlands. IT systems have been disrupted at SEA-Invest in Belgium and Evos in the Netherlands, while unconfirmed reports suggest that BlackCat ransomware may have compromised systems at Oiltanking GmbH Group and Mabanaft Group in Germany.

Following these attacks, the U.S. Department of Homeland Security (DHS) rolled out a National Terrorism Advisory System (NTAS) Bulletin concerning the continued heightened threat environment across the nation. One of the conditions of the NTAS Bulletin that contributed to the increased volatility, unpredictability, and complexity of the threat environment is the ‘continued calls for violence directed at U.S. critical infrastructure.’

Last week, U.S. security agencies and the Department of Energy (DOE) warned in a joint Cybersecurity Advisory (CSA) that specific advanced persistent threat (APT) hackers have exhibited the capability to gain full system access to multiple industrial control system (ICS)/supervisory control and data acquisition (SCADA) devices. The APT hackers can also leverage the modules to interact with targeted ICS/SCADA devices, enabling operations by lower-skilled cyber hackers to emulate higher-skilled hacker capabilities. The alert was preceded by the FBI alerting the ICS community in March of ‘continued activity’ by the group responsible for deploying TRITON malware.
