What is ALPHV/BlackCat?
When it comes to ransomware there are few criminal gangs more successful than ALPHV. This Russian-speaking crew, also known as BlackCat thanks to the icon that appears on every victim’s payment negotiation page, has a reputation for technical and criminal innovation.
Here’s everything you need to know about this ransomware-as-a-service criminal enterprise.
Table of contents:
- Who’s behind ALPHV/BlackCat ransomware?
- How does ALPHV/BlackCat ransomware work?
- Who does ALPHV/BlackCat target?
- What can you do to protect yourself from ALPHV/BlackCat ransomware attacks?
Who’s behind ALPHV/BlackCat ransomware?
The history of the ALPHV/BlackCat ransomware group predates November 2021, when it first emerged onto the cybercrime scene.
In fact, it is thought to have evolved from another high-profile group known as DarkSide. DarkSide was best known for the ransomware attack against the Colonial Pipeline energy company in May 2021, which led to increased global law enforcement interest.
DarkSide itself was comprised of former affiliates of the REvil group and operated on a ransomware-as-a-service model. All of these groups do business on Russian-language dark web criminal forums.
An FBI advisory published in April 2022 suggests there is enough evidence to link ALPHV/BlackCat developers to these groups.
How does ALPHV/BlackCat ransomware work?
From a technical perspective, ALPHV/BlackCat was the first known ransomware written in the Rust programming language. This matters because Rust makes malware analysis more difficult, and that includes the task of recovering the decryptor through reverse engineering.
The software itself is capable of encrypting (and exfiltrating) data on Linux and Windows devices, and even virtual machines using VMware. As well as being cross platform, it can also be customised for each target.
ALPHV favours two attack methodologies. The first is our old friend, unpatched vulnerabilities; the second is targeted spearphishing. Which one is used largely depends, however, on who is responsible for the attack in question.
Using the ransomware-as-a-service model, attacks are handled by ‘affiliates’ who earn as much as 90% of ransoms paid, based on the size of the final payment. This means there is no strict playbook of tactics, techniques and procedures for any ransomware deployment.
Affiliates are recruited through criminal forums. Once approved, they get access to the malware and a sophisticated control panel. They use this to deploy the ransomware and employ additional pressure on victims to pay by using a triple-extortion process.
As well as stealing data and then encrypting the original copies, a public ‘leak site’ is used to publish the stolen data. Finally, there is the ability to launch denial-of-service attacks to add to the chaos.
Who does ALPHV/BlackCat target?
The sad truth of the matter is that no organisation, no industry sector, is safe. So far, attacks have targeted everything from financial to manufacturing, from retail to education, not to mention government agencies.
We saw this in 2022, when American defence contractor NJVC was hit. In 2023, ALPHV/BlackCat shifted its targets to MGM Resorts International (including its casinos), the Northwest Florida state court and Western Digital.
You may have seen the MGM attack attributed to Scattered Spider, a relatively new group of threat actors, but that is because Scattered Spider is an ALPHV/BlackCat affiliate.
Geographically speaking, ALPHV appears to favour the US and Europe. And due no doubt to the huge ransoms being demanded, it has lately focused on larger organisations.
What can you do to protect yourself from ALPHV/BlackCat ransomware attacks?
As already mentioned, ALPHV favours spearphishing and unpatched vulnerabilities. On the former method, we have seen specific employees and directors targeted to gain login credentials. On the latter, it loves two-year-old Microsoft Exchange server flaws, or even older ones impacting Windows, plus vulnerabilities in firewalls and VPNs.
Therefore, the best way to protect yourself from ALPHV/BlackCat ransomware attacks is through basic security hygiene. First, implement both phishing awareness training and multi-factor authentication to protect credentials. Second, ensure high-risk vulnerabilities are patched as soon as possible.
These should be considered a bare minimum when it comes to attack mitigation, but we would go a step further.
Network segregation, VLANs and access management
Because ALPHV/BlackCat is ‘human operated’ ransomware rather than an automated process, lateral movement once inside a network is carried out using a number of highly effective tools. That’s why you should consider network segregation/isolation by employing VLANs. If every machine on a network can see every other machine, the attackers will quickly and easily scan for valuable target destinations.
Employing the principle of least privilege, whereby users are only able to access networks and data that are required by their job function, is another mitigation tactic that can prevent lateral network movement.
In essence, anything that you can do to reduce the attack surface, to make your networks less traversable and your data less accessible, means ransomware attacks are less likely to succeed.
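To make the segmentation argument concrete, here is an added example (not from the original article or from any vendor tooling) that flags a host fanning out across a flat network, the behaviour a human operator scanning for targets produces, and then shows the same flows after a simple VLAN-style policy is applied. The flow records, the /24 subnet model and the `allowed` policy are all constructed assumptions.

```python
"""Spot fan-out across a flat network and show how segmentation limits it.
Added illustration; the flow records below are constructed, not real data."""
from collections import defaultdict

# Constructed flow records: (source_ip, destination_ip, destination_port).
FLOWS = [
    ("10.0.1.5", "10.0.1.10", 445), ("10.0.1.5", "10.0.1.11", 445),
    ("10.0.1.5", "10.0.1.12", 445), ("10.0.1.5", "10.0.2.20", 3389),
    ("10.0.1.5", "10.0.2.21", 3389), ("10.0.1.5", "10.0.2.22", 445),
    ("10.0.1.5", "10.0.3.30", 5985), ("10.0.1.5", "10.0.3.31", 5985),
    ("10.0.1.7", "10.0.1.10", 445), ("10.0.1.7", "10.0.1.10", 443),
    ("10.0.2.20", "10.0.1.10", 445),
]


def subnet24(ip: str) -> str:
    """Treat each /24 as one VLAN (assumed network model)."""
    return ".".join(ip.split(".")[:3])


def fanout(flows, min_hosts=5, min_subnets=2):
    """Return {source: (distinct_hosts, distinct_subnets)} for sources that
    reach at least min_hosts peers spread over at least min_subnets /24s.
    Thresholds are assumptions; tune them to the environment."""
    peers = defaultdict(set)
    for src, dst, _port in flows:
        if src != dst:
            peers[src].add(dst)
    flagged = {}
    for src, dsts in peers.items():
        subnets = {subnet24(d) for d in dsts}
        if len(dsts) >= min_hosts and len(subnets) >= min_subnets:
            flagged[src] = (len(dsts), len(subnets))
    return flagged


def apply_segmentation(flows, allowed):
    """Keep only flows a VLAN policy permits: traffic within one /24, or a
    (src_subnet, dst_subnet) pair explicitly listed in `allowed`."""
    return [f for f in flows
            if subnet24(f[0]) == subnet24(f[1])
            or (subnet24(f[0]), subnet24(f[1])) in allowed]


if __name__ == "__main__":
    print("flat network:", fanout(FLOWS))
    policy = {("10.0.2", "10.0.1")}  # constructed: only one cross-VLAN path
    print("segmented:", fanout(apply_segmentation(FLOWS, policy)))
```

On the flat network the host 10.0.1.5 is flagged for touching eight peers across three subnets; once only the permitted cross-VLAN path remains, its reach collapses to its own /24 and nothing is flagged.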
Less likely is not the same as guaranteed to fail, of course. It is essential, therefore, that your organisation should also have a robust and well-rehearsed incident response plan should the worst-case scenario come into play. This will make damage limitation and recovery much easier during times of extreme stress.
We cover more about incident response plans in our ransomware guide: cyberattack demons vs angels.