FBI Identifies BlackCat/ALPHV Ransomware Indicators of Compromise

May 02, 2022 - The Federal Bureau of Investigation (FBI) warned organizations of BlackCat/ALPHV ransomware-as-a-service (RaaS) in its latest flash alert. The RaaS group has compromised at least 60 organizations worldwide.

The Health Sector Cybersecurity Coordination Center (HC3) echoed the FBI’s alert, noting that multiple developers and money launderers for BlackCat/ALPHV were also linked to DarkSide and BlackMatter, DarkSide’s rumored successor.

DarkSide claimed responsibility for the cyberattack on US critical infrastructure entity Colonial Pipeline in May, which resulted in supply chain disruptions and motivated President Biden to sign an executive order on improving cybersecurity nationwide. 

In a previous brief, HC3 said that BlackMatter claimed to incorporate the “best features of DarkSide, LockBit 2.0, and REvil/Sodinokibi. BlackCat/ALPHV’s connection to BlackMatter and DarkSide indicates that “they have extensive networks and experience with ransomware operations,” HC3 stated.

As a result, healthcare organizations should remain on high alert against ransomware attacks and other cyber threats.

The FBI’s flash alert noted that BlackCat/ALPHV was the first ransomware group to successfully compromise entities using RUST, which is known to be a more secure programming language. The threat actors typically request several million dollars in Bitcoin and Monero as their ransom.

“BlackCat/ALPHV ransomware leverages previously compromised user credentials to gain initial access to the victim system. Once the malware establishes access, it compromises Active Directory user and administrator accounts,” the alert explained.

“The malware uses Windows Task Scheduler to configure malicious Group Policy Objects (GPOs) to deploy ransomware. Initial deployment of the malware leverages PowerShell scripts, in conjunction with Cobalt Strike, and disables security features within the victim’s network. BlackCat/ALPHV ransomware also leverages Windows administrative tools and Microsoft Sysinternals tools during compromise.”

The RaaS group is known to steal victim data before it executes ransomware, even from cloud providers where company data was stored. The threat actors then use Windows scripting to deploy ransomware and compromise additional hosts.

“The FBI does not encourage paying ransoms. Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities,” the alert emphasized.

“However, the FBI understands that when victims are faced with an inability to function, all options are evaluated to protect shareholders, employees and customers.”

The FBI recommended that organizations review domain controllers, active directories, servers, and workstations for unrecognized user accounts. In addition, entities should regularly back-up data, air gap, and password-protect backup copies.

Other general best practices were encouraged, including multifactor authentication, network segmentation, and regular patching.