BlackCat/ALPHV ransomware as a service (RaaS) had compromised at least 60 entities worldwide

0

The Federal Bureau of Investigation (FBI) says the BlackCat/ALPHV ransomware as a service (RaaS) had compromised at least 60 entities worldwide and is the first ransomware group to do so successfully using RUST, considered to be a more secure programming language that offers improved performance and reliable concurrent processing.


BlackCat-affiliated threat actors typically request ransom payments of several million dollars in Bitcoin and Monero but have accepted ransom payments below the initial ransom demand amount. Many of the developers and money launderers for BlackCat/ALPHV are linked to Darkside/Blackmatter, indicating they have extensive networks and experience with ransomware operations.

The FBI revealed this in a TLP: WHITE flash alert released on Wednesday in coordination with the Cybersecurity and Infrastructure Security Agency (DHS/CISA). The flash alert is part of a series of similar reports highlighting the tactics, techniques, and procedures (TTPs) used by and indicators of compromise (IOCs) linked to ransomware variants identified during FBI investigations.

Also Read: Espionage Group Continues to hit Ukraine with new malware variants

Technical Details:

BlackCat/ALPHV ransomware leverages previously compromised user credentials to gain initial access to the victim system. Once the malware establishes access, it compromises Active Directory user and administrator accounts. The malware uses Windows Task Scheduler to configure malicious Group Policy Objects (GPOs) to deploy ransomware. Initial deployment of the malware leverages PowerShell scripts, in conjunction with Cobalt Strike, and disables security features within the victim’s network.BlackCat/ALPHV ransomware also leverages Windows administrative tools and Microsoft Sysinternals tools during compromise.

Also Read: Xanpei Virus Infecting Normal Excel Files

BlackCat/ALPHV steals victim data prior to the execution of the ransomware, including from cloud providers where company or client data was stored.

The actors leverage Windows scripting to deploy ransomware and to compromise additional hosts. Forexample, the following batch and PowerShell scripts were observed:

  • start.bat – launches the ransomware executable with required arguments
  • est.bat – copies the ransomware to other locations
  • drag-and-drop-target.bat – launches the ransomware executable for the MySQL Server
  • run.bat – executes a callout command to an external server using SSH – file names may change depending on the company and systems affected
  • Runs1.ps1 – PowerShell script to disable McAfee

Also Read: Soc Interview Questions and Answers – CYBER SECURITY ANALYST

Indicators of Compromise:

FilenameMD5 Hash
amd – Copy.ps1861738dd15eb7fb50568f0e39a69e107
ipscan.ps19f60dd752e7692a2f5c758de4eab3e6f
Run1.ps109bc47d7bc5e40d40d9729cec5e39d73
PowerShell Scripts
[###].ps1CME.ps1
[#].ps1Run1.ps1
mim.ps1[##].ps1
psexec.ps1Systems.ps1
System.ps1
Additional PowerShell Filenames
FilenameMD5 Hash
CheckVuln.batf5ef5142f044b94ac5010fd883c09aa7
Create-share-RunAsAdmin.bat84e3b5fe3863d25bb72e25b10760e861
LPE-Exploit-RunAsUser.bat9f2309285e8a8471fce7330fcade8619
RCE-Exploit-RunAsUser.bat6c6c46bdac6713c94debbd454d34efd9
est.bate7ee8ea6fb7530d1d904cdb2d9745899
runav.bat815bb1b0c5f0f35f064c55a1b640fca5
Batch Scripts
FilenameMD5 Hash
http_x64.exe6c2874169fdfb30846fe7ffe34635bdb
spider.dll20855475d20d252dda21287264a6d860
spider_32.dll82db4c04f5dcda3bfcd75357adf98228
powershell.dllfcf3a6eeb9f836315954dae03459716d
rpcdump.exe91625f7f5d590534949ebe08cc728380
Executables and DLLs
FilenameSHA1 Hash
mimikatz.exed241df7b9d2ec0b8194751cd5ce153e27cc40fa4
run.exe4831c1b113df21360ef68c450b5fca278d08fae2
zakrep_plink.exefce13da5592e9e120777d82d27e06ed2b44918cf
beacon.exe3f85f03d33b9fe25bcfac611182da4ab7f06a442
win1999.exe37178dfaccbc371a04133d26a55127cf4d4382f8
[compromised company].exe1b2a30776df64fbd7299bd588e21573891dcecbe
Executables and DLLs
test.exexxx.exe
Mim.exexxxw.exe
crackmapexec.exeServices.exe
plink.exeSystems.exe
PsExec64.exe

Additional Observed Filenames

SHA256 Hashes:

731adcf2d7fb61a8335e23dbee2436249e5d5753977ec465754c6b699e9bf161
f837f1cd60e9941aa60f7be50a8f2aaaac380f560db8ee001408f35c1b7a97cb
731adcf2d7fb61a8335e23dbee2436249e5d5753977ec465754c6b699e9bf161
80dd44226f60ba5403745ba9d18490eb8ca12dbc9be0a317dd2b692ec041da28
BlackCat Ransomware SHA256 Hashes

C2 IPs:

89[.]44[.]9[.]243
142[.]234[.]157[.]246
45[.]134[.]20[.]66
185[.]220[.]102[.]253
37[.]120[.]238[.]58
152[.]89[.]247[.]207
198[.]144[.]121[.]93
89[.]163[.]252[.]230
45[.]153[.]160[.]140
23[.]106[.]223[.]97
139[.]60[.]161[.]161
146[.]0[.]77[.]15
94[.]232[.]41[.]155

Mitigations:

The FBI does not encourage paying ransoms. Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.

Also Read: SystemBC Malware Being Used by Various Threat Attackers – Initial access to Indicator of Compromise

Regardless of whether you or your organization have decided to pay the ransom, the FBI urges you to promptly report ransomware incidents to your local FBI field office. Doing so provides the FBI with critical information needed to prevent future attacks by identifying and tracking ransomware attackers and holding them accountable under US law.

  • Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.
  • Regularly back up data, air gap, and password protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
  • Review Task Scheduler for unrecognized scheduled tasks. Additionally, manually review operating system defined or recognized scheduled tasks for unrecognized “actions” (for example: review the steps each scheduled task is expected to perform).
  • Review antivirus logs for indications they were unexpectedly turned off.

Also Read: Detecting Office365 Azure AD Environment Backdoors

  • Implement network segmentation.
  • Require administrator credentials to install software.
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (e.g., hard drive, storage device, the cloud).
  • Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.
  • Use multifactor authentication where possible.
  • Regularly change passwords to network systems and accounts, and avoid reusing passwords for different accounts.
  • Implement the shortest acceptable timeframe for password changes.
  • Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
  • Install and regularly update antivirus and anti-malware software on all hosts.
  • Only use secure networks and avoid using public Wi-Fi networks. Consider installing and using a virtual private network (VPN).
  • Consider adding an email banner to emails received from outside your organization.
  • Disable hyperlinks in received emails.

Source/Credits – FBI Internet Crime Complaint Center IC3


LEAVE A REPLY

Please enter your comment!
Please enter your name here