“The Federal Bureau of Investigation (FBI) says the Black Cat ransomware gang, also known as ALPHV, has breached the networks of at least 60 organizations worldwide between November 2021 and March 2022. The FBI's Cyber Division revealed this in a TLP:WHITE flash alert released on Wednesday in coordination with the Cybersecurity and Infrastructure Security Agency (DHS/CISA)” (Bleeping Computer, 2022).
The flash report includes tactics, techniques, and procedures (TTPs) used by the group as well as various indicators of compromise (IoCs). It also features details on BlackByte, Ragnar Locker, and AvosLocker, all of which have breached US critical infrastructure entities.
BlackCat/ALPHV is unusual in that it is written in Rust (a programming language known for its cross-platform capabilities). The ransomware itself is highly customizable and supports multiple encryption methods.
BlackCat/ALPHV is theorized to be a rebranding of the DarkSide/BlackMatter ransomware, and researchers have found links between the developers and money launderers. DarkSide, a prominent ransomware-as-a-service operation, launched in August 2020 and was shut down by law enforcement in May 2021. It was best known for its attack on the Colonial Pipeline.
After the law enforcement takedown, DarkSide rebranded as BlackMatter and operated from July 31st to November 2021. Security researchers found a weakness in the ransomware and were able to create a decryptor; the group's servers were also seized.
“While BlackCat claims they are just a DarkSide/BlackMatter affiliate who launched their own Ransomware-as-a-Service (RaaS) operation, some security researchers are not buying it, especially after finding similarities in features and configuration files” (Bleeping Computer, 2022). In the Wednesday flash alert, the FBI also asked admins who detect BlackCat activity to share any related info with their local FBI Cyber Squad. Helpful information that would help track down and identify the threat actors behind this ransomware group includes "IP logs showing callbacks from foreign IP addresses, Bitcoin or Monero addresses and transaction IDs, communications with the threat actors, the decryptor file, and/or a benign sample of an encrypted file."
It's important to note that the FBI doesn't encourage paying BlackCat ransoms: victims have no guarantee that paying will prevent future attacks or leaks of stolen data.
Wondering how you can mitigate this ransomware threat?
Backup Data, System Images, and Configurations, Regularly Test Them, and Keep the Backups Offline
Ensure that backups are regularly tested and that they are not connected to the business network. Many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current backups offline is critical: if your network data is encrypted by ransomware, your organization can still restore its systems.
Update and Patch Systems Promptly
This includes maintaining the security of operating systems, applications, and firmware in a timely manner. Consider using a centralized patch management system; use a risk-based assessment strategy to drive your patch management program.
Test Your Incident Response Plan
The best way to see the gaps in your plans? Test them! Run through some core questions and use those to build an incident response plan. These questions can include: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?
Check Your Security Team's Work
Use a third-party penetration tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.
Segment Your Networks
There's been a recent shift in ransomware attacks, from stealing data to disrupting operations. It's critically important that your corporate business functions and your operations are separated. Carefully filter and limit internet access to operational networks, identify links between these networks, and develop workarounds or manual controls so that industrial control system (ICS) networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety-critical functions can be maintained during a cyber incident.
Train Your Employees
Email is still the most vulnerable attack vector for organizations, so you should be training your employees on how to spot and avoid phishing emails. Multi-factor authentication (MFA) can help prevent malicious access to sensitive services and data.