New ransomware group ALPHV – BlackCat


Gasoline supplier Oiltanking is a prominent victim of the new ransomware group ALPHV – BlackCat. Varonis Threat Labs: Targeted recruitment of partners through financially attractive offers with payouts of up to 90 percent of profits.

Since the end of 2021, Varonis Threat Labs has observed increased activity by the ransomware group ALPHV (also known as BlackCat), which, as a ransomware-as-a-service (RaaS) provider, is actively recruiting new affiliates, including (former) members of other gangs such as REvil, BlackMatter and DarkSide. The attack on the petrol station supplier Oiltanking, which affected Shell among others, is attributed to BlackCat. Other targets include larger companies across a wide range of industries, including business services, construction, energy, fashion, finance, logistics, manufacturing, pharmaceuticals, retail and technology. The victims are located in particular in Australia, France, Germany, Italy, the Netherlands, Spain, Great Britain and the USA. Ransom demands range from 400,000 to 3 million US dollars.

BlackCat demands ransoms in the millions

ALPHV was first observed in November 2021 and offers ransomware as a service. The usual tactic of double extortion, in which sensitive data is stolen before encryption and the victims are threatened with its publication, is expanded by a further escalation level (triple extortion): the cyber criminals also threaten a DDoS (Distributed Denial of Service) attack. This indicates some experience in the field, which is why ALPHV is arguably a regrouping of known attackers rather than newcomers to this 'business'. This is also indicated by posts in cybercrime forums, which assume that ALPHV may be a further development or rebranding of BlackMatter, which in turn is a "spin-off" or successor to REvil and DarkSide. Also noteworthy is the very high payout rate for affiliates of up to 90 percent of the ransom received, with which new partners are very actively recruited and found in the relevant communities.

Affiliate partners should get up to 90 percent ransom

In Russian-language cybercrime forums, a targeted search is made for partners (Image: Varonis).

In attacks carried out with these new affiliates, the initial intrusion into the victim network is typically achieved using proven techniques, such as exploiting known vulnerabilities in network infrastructure devices such as VPN gateways and abusing credentials on exposed, unprotected RDP (Remote Desktop Protocol) hosts. After that, ALPHV attackers often use PowerShell to change Windows Defender security settings across the victim's network and launch the ransomware on multiple hosts using PsExec.

Once the victim systems are accessed, as at Oiltanking, the reconnaissance phase begins, identifying sensitive and valuable data for exfiltration and later encryption, as well as lateral movement in the network. The ransomware is created anew for each victim and includes, for example, the type of encryption (e.g. only parts of large files are encrypted) and embedded credentials of the victim to allow the ransomware to be automatically spread to other servers.
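The two post-intrusion steps named above, Defender settings being changed via PowerShell and the ransomware being launched remotely with PsExec, are both visible in standard Windows telemetry. The following detection sketch is an added example, not code from Varonis or from the original post: it scans constructed, pipe-delimited event lines (PowerShell script block events 4104, service-install events 7045 and process-creation events 4688 are assumed to have been exported in that shape) and correlates the two behaviours per account.

```python
import re
from dataclasses import dataclass

# Constructed sample events, not real telemetry. Format: "EventID|Host|User|Detail".
# Assumed export of Windows event logs: 4104 = PowerShell script block text,
# 7045 = "a service was installed", 4688 = process creation.
SAMPLE_EVENTS = [
    "4104|FS01|CORP\\svc-backup|Set-MpPreference -DisableRealtimeMonitoring $true",
    "4104|FS01|CORP\\svc-backup|Add-MpPreference -ExclusionPath 'C:\\'",
    "7045|FS02|CORP\\svc-backup|Service Name: PSEXESVC Service File Name: %SystemRoot%\\PSEXESVC.exe",
    "4688|FS02|CORP\\svc-backup|New Process Name: C:\\Windows\\PSEXESVC.exe",
    "4104|WS07|CORP\\alice|Get-ChildItem C:\\Users\\alice\\Documents",
    "7045|WS07|NT AUTHORITY\\SYSTEM|Service Name: WinDefend Service File Name: (benign)",
]

# Defender cmdlets that weaken or exclude protection (MpPreference parameters are real).
DEFENDER_TAMPER = re.compile(
    r"(Set|Add)-MpPreference\s+.*-(DisableRealtimeMonitoring|DisableBehaviorMonitoring|"
    r"DisableIOAVProtection|ExclusionPath|ExclusionProcess|ExclusionExtension)",
    re.IGNORECASE,
)
# PsExec installs its helper service PSEXESVC on the remote host.
PSEXEC_SERVICE = re.compile(r"PSEXESVC", re.IGNORECASE)


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    user: str


def detect(events):
    """Return one Alert per event line that matches either behaviour."""
    alerts = []
    for line in events:
        event_id, host, user, detail = line.split("|", 3)
        if event_id == "4104" and DEFENDER_TAMPER.search(detail):
            alerts.append(Alert("defender_tamper", host, user))
        elif event_id in ("7045", "4688") and PSEXEC_SERVICE.search(detail):
            alerts.append(Alert("psexec_remote_exec", host, user))
    return alerts


def correlate(alerts):
    """Accounts seen both weakening Defender and running PsExec: the chain described above."""
    rules_by_user = {}
    for a in alerts:
        rules_by_user.setdefault(a.user, set()).add(a.rule)
    needed = {"defender_tamper", "psexec_remote_exec"}
    return sorted(u for u, rules in rules_by_user.items() if needed <= rules)
```

On the constructed sample, only `CORP\svc-backup` trips both rules; the benign WinDefend service install and the user's directory listing produce no alert.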

ALPHV – BlackCat works on Windows and Linux

Unlike many other ransomware programs, ALPHV was developed in Rust. This programming language is characterized by high performance and cross-platform functions. Accordingly, both Linux and Windows variants have already been identified.

Further information on ALPHV (BlackCat / Oiltanking) such as detailed information on configurations, processes and indicators of compromise can be found in the corresponding Varonis blog post.

More at Varonis.com

 


About Varonis

Since its founding in 2005, Varonis has taken a different approach than most IT security providers by placing company data stored both locally and in the cloud at the center of its security strategy: sensitive files and e-mails, confidential customer, patient and employee data, financial data, strategy and product plans and other intellectual property. The Varonis data security platform (DSP) detects insider threats and cyber attacks through the analysis of data, account activities, telemetry and user behavior, prevents or limits data security breaches by locking down sensitive, regulated and outdated data, and maintains a secure state of the systems through efficient automation.


 
