Windows blocking qtox
8/3/2023

By Ramses Vazquez & Miguel Gonzalez from Metabase Q's Ocelot Team

Context: DARKSIDE/BLACKMATTER/ALPHV-BLACKCAT

The ALPHV ransomware group, also known as BlackCat, has positioned itself among the top 5 most active ransomware groups. Its target industries include construction, energy, finance, logistics, manufacturing, pharmaceuticals, retail, and technology. The group operates under the Ransomware-as-a-Service (RaaS) model. However, it does not run random attacks or untargeted spam campaigns: every attack is aimed at a predefined target and carried out with partners (affiliates) who join forces to hit previously profiled victims. This explains why both the malware builds (written in Rust) and the infection methodology are specific to each case. Throughout this profile you will find more valuable information about this group.

Some context before diving into this research. ALPHV is not a group of amateurs; they are criminals who have been evolving and learning from the mistakes they made in the past. They started as DarkSide and, after US intelligence units hunted them and shut down part of their infrastructure, had to retire and regroup. They changed their name and eventually returned to the criminal scene as BlackMatter, a group that lasted only a few months, until cooperation between the US and Russia forced them to shut down again. Even though they had changed their name, the hunting by US government agencies and BlackMatter's connection to attacks on critical infrastructure made them fear retaliation, so they announced the dismantling of the group without giving any further explanation. Soon after, profiles began to emerge in private Russian forums where specialists were being recruited for a "pentesting project"; this was the first sign of life of ALPHV-BLACKCAT.

Below is the timeline of ALPHV-BlackCat's evolution:

Highlights

Ransomware BlackCat
- BlackCat ransomware is developed in Rust.
- The BOX (the Rust libraries the builds are compiled against) has a creation date of November 2021; however, each sample appears to be customized for every campaign.
- The group leverages previously compromised user credentials (obtained with some stealer) to gain initial access to the victim's systems.
- The group also performs targeted attacks via spear phishing.
- Once the malware establishes access, it compromises Active Directory user and administrator accounts.
- The malware uses Windows Task Scheduler to configure a malicious Group Policy Object (GPO) for persistence.
- The initial implementation leverages PowerShell scripts along with Cobalt Strike and disables security features within the victim's network.
- BlackCat also leverages Windows administrative tools and Microsoft Sysinternals during the compromise.
- ALPHV-BLACKCAT steals the victim's data before executing the ransomware.

They have a tool to carry out the exfiltration, called ExMatter, which, as its name suggests, belongs to the BlackMatter ransomware group.

This group has been infecting companies with its BlackCat ransomware, encrypting their files with the intention of extorting the affected companies by demanding payment for the "ransom" of their information.

Image 16: Update of the leak publication

Through open sources, executable files belonging to the ALPHV group have been identified. This time, the ransomware was identified in June 2022 by the Ocelot Threat Intelligence team; it consists of an executable file that has been present within the region, infecting companies. Additionally, more campaigns of this type in the region, reported in the last quarter of the year, were identified using a variant of BlackCat whose purpose is to gain access to and control of the infected computer, stealing sensitive information such as user credentials and logs.

Arsenal

SHA-256: 1048a41107f4d9a68c1f5fc0b99ac75dc198047f18bb6e50f3d462f262b8f6cd

By inspecting the binary, it is possible to find evidence indicating that it was built with the Rust programming language. The malware corresponds to BlackCat, which comes from the criminal group called "ALPHV". It was identified that the executable encrypts system files using multiple threads, after escalating privileges, deleting shadow volumes, terminating the processes named in its configuration, and removing services.

Image 39: TTPs mapped to MITRE ATT&CK

The ALPHV-BLACKCAT ransomware group is not new in cyberspace. They have invested time and capital to position themselves as one of the main threat actors of 2022, drawing on specialists from BlackMatter, which was previously DarkSide. We must pay special attention to their goals, as well as to their recruitment process for associates and possible insider threats.
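The Highlights list and the Arsenal section above describe what the sample does on a host (shadow-volume deletion, service removal, Task Scheduler persistence, PowerShell tooling, disabled security features) and publish one SHA-256. The following is an added example, not code from the post or from Metabase Q, showing how a defender would turn those two kinds of indicator into detections: behavioural rules run over process-creation events, a correlation that flags a parent process spawning several of those behaviours, and a hash check against the published IOC. The event shape, the sample events, the placeholder name payload.exe, and the specific command lines matched are all assumptions of this example; the post does not quote the sample's command lines. The ATT&CK IDs are the standard mappings for those behaviours.

```python
"""Added example, not code from the Metabase Q post or from the BlackCat
sample: behavioural detections for the TTPs the post lists, plus a hash
check against the one SHA-256 it publishes, run over constructed events.

Assumptions (ours, not the post's):
- Events are dicts shaped like Windows process-creation telemetry
  (Sysmon Event ID 1 / Security 4688): 'image', 'command_line', 'parent_image'.
- The command lines matched below are the usual ways to perform the behaviours
  the post names; the post does not quote the sample's exact command lines.
- ATT&CK IDs are the standard mappings for those behaviours.
"""
import hashlib
import re

# The only file hash the post publishes (Arsenal section).
BLACKCAT_SHA256 = {
    "1048a41107f4d9a68c1f5fc0b99ac75dc198047f18bb6e50f3d462f262b8f6cd",
}

# (rule name, ATT&CK technique, pattern searched over "image command_line")
RULES = [
    ("shadow_copy_deletion", "T1490",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("service_removal", "T1489",
     re.compile(r"\bsc(\.exe)?\s+(delete|stop)\s+\S+", re.I)),
    ("scheduled_task_persistence", "T1053.005",
     re.compile(r"schtasks(\.exe)?\s+/create\b", re.I)),
    ("encoded_powershell", "T1059.001",
     re.compile(r"powershell(\.exe)?\s.*\s-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("defender_tamper", "T1562.001",
     re.compile(r"Set-MpPreference\s+-Disable\w+\s+\$?true", re.I)),
]


def match_event(event):
    """Return [(rule_name, attack_id), ...] for every rule the event triggers."""
    haystack = f"{event.get('image', '')} {event.get('command_line', '')}"
    return [(name, tid) for name, tid, rx in RULES if rx.search(haystack)]


def scan_events(events):
    """Return [(event_index, rule_name, attack_id), ...] over a list of events."""
    return [(i, name, tid) for i, ev in enumerate(events) for name, tid in match_event(ev)]


def suspicious_parents(events, min_techniques=2):
    """Group hits by parent process. One parent spawning two or more of these
    behaviours is the pre-encryption sequence the post describes (shadow volumes
    deleted, services removed, persistence set), which a single rule would miss."""
    by_parent = {}
    for i, _name, tid in scan_events(events):
        parent = events[i].get("parent_image", "<unknown>")
        by_parent.setdefault(parent, set()).add(tid)
    return {p: sorted(t) for p, t in by_parent.items() if len(t) >= min_techniques}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_known_blackcat(data: bytes) -> bool:
    """Hash match against the post's IOC. A miss proves nothing: the post notes
    every sample is customised per campaign, so pair this with the rules above."""
    return sha256_hex(data) in BLACKCAT_SHA256


# Constructed for this example; not telemetry from the post. 'payload.exe' is a
# placeholder name, not the sample's real file name.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PAYLOAD = r"C:\Users\Public\payload.exe"
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin.exe delete shadows /all /quiet", "parent_image": PAYLOAD},
    {"image": PS,
     "command_line": "powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true",
     "parent_image": PAYLOAD},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "command_line": 'schtasks /create /tn "Updater" /tr "C:\\Users\\Public\\payload.exe" /sc onlogon',
     "parent_image": PAYLOAD},
    {"image": PS,
     "command_line": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\sc.exe",
     "command_line": "sc.exe delete MSSQLSERVER", "parent_image": PAYLOAD},
    {"image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe C:\Users\alice\notes.txt", "parent_image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for i, name, tid in scan_events(SAMPLE_EVENTS):
        print(f"event {i}: {name} ({tid}) :: {SAMPLE_EVENTS[i]['command_line']}")
    print("parents with >=2 techniques:", suspicious_parents(SAMPLE_EVENTS))
    print("empty input matches the published hash:", is_known_blackcat(b""))
```

The per-rule hits are individually noisy (administrators do create scheduled tasks and stop services); the correlation by parent process is what separates the pattern the post describes from routine administration. Feed it real Sysmon or 4688 events mapped into the same three fields, and extend BLACKCAT_SHA256 with hashes from your own triage rather than relying on the one published value, since the post stresses that each build is customised per campaign.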