Executive Summary

  • First Identified: November 2021
  • Threat Type:
    • Ransomware
  • Extortion Method:
    • Double extortion
  • Most Frequently Targeted Industries:
    • Industrials
    • Professional & Commercial Services
    • Consumer Cyclicals
  • Most Frequently Targeted Victim HQ Locations:
    • North America
    • Europe
  • Select Known Associations:
    • FIN8
    • DEV-0237
    • Scattered Spider
    • UNC4466
    • BlackMatter Ransomware
  • Select MITRE ATT&CK Mappings
    • Initial Access
      • Valid accounts, exploiting external remote services, vulnerability exploitation, social engineering (MITRE ATT&CK: T1078, T1133, T1190, T1566)
    • Persistence
      • Valid accounts, abuse of system processes, registry keys, startup folder, server software component (MITRE ATT&CK: T1078, T1505, T1543, T1547)
    • Lateral Movement
      • Abuse of remote services, lateral tool transfer (MITRE ATT&CK: T1021, T1570)

Description of Alphv (BlackCat) Ransomware

Alphv (AKA BlackCat, Noberus) is a ransomware variant that has been active since at least November 2021 and operates using the double extortion method, where victim data is stolen and leaked if a ransom is not paid. Alphv operates as a RaaS (Ransomware as a Service): affiliates gain access to victim environments, deploy the Alphv encryptor, and then split the ransom payment with the developers. Affiliates can earn 80% of payments up to $1.5 million, 85% of payments up to $3 million, and 90% of payments over $3 million. Because of the affiliate program, Alphv operators gain initial access through a variety of methods, including social engineering, exploiting vulnerabilities, initial access brokers (IABs), and more.

Alphv’s operators were among the first to successfully use the Rust programming language to compromise victims. Alphv’s use of Rust increases the operators’ defense evasion capabilities and avoids code similarities with other ransomware variants. The flexibility of Rust likely also allows Alphv’s operators to tailor attacks to each specific victim. Alphv is able to target Windows, ESXi, Debian, Ubuntu, and ReadyNAS/Synology environments.

Alphv consistently updated and refined its operations to remain as effective and successful as possible. One update included an ARM build to encrypt non-standard architectures and a feature that adds new encryption functionality to the Windows build by rebooting into Safe Mode and Safe Mode with Networking. New restart logic was added, along with a simplification of the Linux encryption process.

In August 2022, the group was observed deploying a custom Exmatter data exfiltration tool, which had been previously used with the BlackMatter ransomware. A new variant of Alphv, dubbed Sphynx, was observed that contained new command line arguments and methods for evading detection.

In December 2023, the FBI announced the seizure of the Alphv ransomware data leak site and was able to provide decryption keys to 500 victims of the ransomware group, saving nearly $68 million in ransom demands. The seized data leak site domain displayed a banner stating it had been seized. However, within the same day, the group “unseized” the site and posted a new site link. The site also hosted a message stating that, due to the takedown, the group was removing all rules for its affiliates regarding vertical targeting. The only rule that affiliates reportedly still have to follow is to avoid targeting organizations in CIS countries.

In March 2024, the threat actors behind the Alphv ransomware operation shut down their data leak site, and rumors began that the group had conducted an exit scam. The group posted the same images of the seizure notices on their site; however, security researcher Fabian Wosar reported that the “seizure” was fake and that the group was pulling an exit scam. In addition to law enforcement denying any involvement, the source code of the new takedown notice indicated that it was a saved copy rather than an original takedown notice.

The exit came just after the group received a $22 million payment to a cryptocurrency wallet, reportedly a ransom payment from Change Healthcare, although the company had not confirmed the payment at the time of writing. On the cybercriminal forum RAMP, a user “Notchy” reported that they were the Alphv affiliate responsible for the Change Healthcare attack and that Alphv operators emptied the wallet and did not pay Notchy their share of the payment.

There is an even chance that the Alphv operators took these actions out of fear of another takedown; the exit came two months after the FBI disrupted the operation and shortly after the LockBit operation was disrupted. Additionally, LockBit operators released a statement warning that law enforcement likely had access to other operations, which likely contributed to Alphv’s decision to exit at this time.

Whether the group pulled an exit scam or not, the Alphv operation appears to have ceased. However, it is likely that Alphv’s affiliates will move to other operations over the next 30 days. There is an even chance that Alphv operators will either sell their source code, which would likely result in many offshoots emerging, or rebrand their operation and begin conducting ransomware attacks again over the next 12 months.
