BlackCat/ALPHV Ransomware and What To Do
Versa Networks
April 27, 2022
The FBI, the principal federal investigative agency of the U.S., has issued an alert stating that more than 60 organizations worldwide have fallen victim to the sophisticated BlackCat ransomware, also known as ALPHV/Noberus. The ransomware first drew attention when analysis showed it to be the first ransomware written in Rust, a memory-safe programming language known for its performance.
Many of BlackCat's developers are linked to the better-known ransomware groups DarkSide and BlackMatter, large groups with the experience to carry out operations and a well-established network to support their logistics. Using Rust also gives the ransomware a very low detection rate among antivirus vendors, since most static analysis tools are not yet well adapted to the language.
Like other ransomware-as-a-service (RaaS) groups, BlackCat/ALPHV operators steal data before carrying out any ransom activity, using compromised user credentials to gain access to the target system. Initial analysis by Vedere Labs reveals two distinct exploitation stages:
- Penetration of an internet-exposed SonicWall firewall
- Lateral movement to encrypt a VMware ESXi virtual farm
BlackCat/ALPHV, alongside Conti and LockBit, is currently designated by the FBI as one of the most dangerous and active ransomware groups. It is important to watch for any indicators of its presence. A few of the indicators of compromise (IOCs) are listed below:
| File name | Hash (MD5, or SHA1 where noted) |
| --- | --- |
| amd – Copy.ps1 | 861738dd15eb7fb50568f0e39a69e107 |
| ipscan.ps1 | 9f60dd752e7692a2f5c758de4eab3e6f |
| Run1.ps1 | 09bc47d7bc5e40d40d9729cec5e39d73 |
| [###].ps1, CME.ps1, [#].ps1, Run1.ps1, mim.ps1, [##].ps1, psexec.ps1, Systems.ps1, System.ps1 | |
| CheckVuln.bat | f5ef5142f044b94ac5010fd883c09aa7 |
| Create-share-RunAsAdmin.bat | 84e3b5fe3863d25bb72e25b10760e861 |
| LPE-Exploit-RunAsUser.bat | 9f2309285e8a8471fce7330fcade8619 |
| RCE-Exploit-RunAsUser.bat | 6c6c46bdac6713c94debbd454d34efd9 |
| est.bat | e7ee8ea6fb7530d1d904cdb2d9745899 |
| runav.bat | 815bb1b0c5f0f35f064c55a1b640fca5 |
| http_x64.exe | 6c2874169fdfb30846fe7ffe34635bdb |
| spider.dll | 20855475d20d252dda21287264a6d860 |
| spider_32.dll | 82db4c04f5dcda3bfcd75357adf98228 |
| powershell.dll | fcf3a6eeb9f836315954dae03459716d |
| rpcdump.exe | 91625f7f5d590534949ebe08cc728380 |
| mimikatz.exe (SHA1) | d241df7b9d2ec0b8194751cd5ce153e27cc40fa4 |
| run.exe (SHA1) | 4831c1b113df21360ef68c450b5fca278d08fae2 |
| zakrep_plink.exe (SHA1) | fce13da5592e9e120777d82d27e06ed2b44918cf |
| beacon.exe (SHA1) | 3f85f03d33b9fe25bcfac611182da4ab7f06a442 |
| win1999.exe (SHA1) | 37178dfaccbc371a04133d26a55127cf4d4382f8 |
| [compromised company].exe (SHA1) | 1b2a30776df64fbd7299bd588e21573891dcecbe |
| test.exe, xxx.exe, Mim.exe, xxxw.exe, Services.exe, plink.exe, crackmapexec.exe, Systems.exe, PsExec64.exe | |

SHA256 hashes:
- 731adcf2d7fb61a8335e23dbee2436249e5d5753977ec465754c6b699e9bf161
- f837f1cd60e9941aa60f7be50a8f2aaaac380f560db8ee001408f35c1b7a97cb
- 80dd44226f60ba5403745ba9d18490eb8ca12dbc9be0a317dd2b692ec041da28

IP addresses:
- 89.44.9.243
- 142.234.157.246
- 45.134.20.66
- 185.220.102.253
- 37.120.238.58
- 152.89.247.207
- 198.144.121.93
- 89.163.252.230
- 45.153.160.140
- 23.106.223.97
- 139.60.161.161
- 146.0.77.15
- 94.232.41.155
Recommended Mitigations
While it is essential for an organization to look for IOCs to determine whether it has already been attacked by ransomware, it is also necessary, at a minimum, to follow the steps below to protect the organization from such sophisticated attacks.
- Follow the organization's recommended patching strategy, which involves reviewing code and applying the latest security patches to all network infrastructure devices.
- Check for any traces of the known IOCs within the network.
- Monitor networks for any access by an unknown IP address.
- Have a dedicated team review security policies and implement them.
- Consider network segmentation, where possible, to minimize lateral movement by attackers.
- Perform regular backups of all critical infrastructure devices.
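The script below is an added example written for this page; it is not tooling from Versa Networks or the FBI. It loads the hashes, file names and IP addresses from the IOC table above and matches them against files on disk and firewall log lines, which is the practical form of the "check for IOCs" and "monitor for unknown IP addresses" steps. The sample log lines and the files written by `demo_scan()` are constructed for the demonstration. File names are compared case-insensitively, and because several listed names (PsExec, plink) are also legitimate administration tools, a name-only match is treated as a triage lead rather than a confirmed hit; only a digest match is reported as `hash`.

```python
# Added example: match this post's BlackCat/ALPHV IOCs against files and logs.
import hashlib
import re
import tempfile
from pathlib import Path

# Digest -> file name, copied from the IOC table above (MD5 and SHA1 rows,
# then the SHA256 values, which the post lists without file names).
IOC_HASHES = {
    "861738dd15eb7fb50568f0e39a69e107": "amd – Copy.ps1",
    "9f60dd752e7692a2f5c758de4eab3e6f": "ipscan.ps1",
    "09bc47d7bc5e40d40d9729cec5e39d73": "Run1.ps1",
    "f5ef5142f044b94ac5010fd883c09aa7": "CheckVuln.bat",
    "84e3b5fe3863d25bb72e25b10760e861": "Create-share-RunAsAdmin.bat",
    "9f2309285e8a8471fce7330fcade8619": "LPE-Exploit-RunAsUser.bat",
    "6c6c46bdac6713c94debbd454d34efd9": "RCE-Exploit-RunAsUser.bat",
    "e7ee8ea6fb7530d1d904cdb2d9745899": "est.bat",
    "815bb1b0c5f0f35f064c55a1b640fca5": "runav.bat",
    "6c2874169fdfb30846fe7ffe34635bdb": "http_x64.exe",
    "20855475d20d252dda21287264a6d860": "spider.dll",
    "82db4c04f5dcda3bfcd75357adf98228": "spider_32.dll",
    "fcf3a6eeb9f836315954dae03459716d": "powershell.dll",
    "91625f7f5d590534949ebe08cc728380": "rpcdump.exe",
    "d241df7b9d2ec0b8194751cd5ce153e27cc40fa4": "mimikatz.exe",
    "4831c1b113df21360ef68c450b5fca278d08fae2": "run.exe",
    "fce13da5592e9e120777d82d27e06ed2b44918cf": "zakrep_plink.exe",
    "3f85f03d33b9fe25bcfac611182da4ab7f06a442": "beacon.exe",
    "37178dfaccbc371a04133d26a55127cf4d4382f8": "win1999.exe",
    "1b2a30776df64fbd7299bd588e21573891dcecbe": "[compromised company].exe",
    "731adcf2d7fb61a8335e23dbee2436249e5d5753977ec465754c6b699e9bf161": "(unnamed sample)",
    "f837f1cd60e9941aa60f7be50a8f2aaaac380f560db8ee001408f35c1b7a97cb": "(unnamed sample)",
    "80dd44226f60ba5403745ba9d18490eb8ca12dbc9be0a317dd2b692ec041da28": "(unnamed sample)",
}
# Names the table lists without a digest (redacted "[#]" placeholders omitted).
IOC_FILENAMES = {n.lower() for n in (
    "CME.ps1", "Run1.ps1", "mim.ps1", "psexec.ps1", "Systems.ps1", "System.ps1",
    "test.exe", "xxx.exe", "Mim.exe", "xxxw.exe", "Services.exe", "plink.exe",
    "crackmapexec.exe", "Systems.exe", "PsExec64.exe")}
IOC_IPS = {
    "89.44.9.243", "142.234.157.246", "45.134.20.66", "185.220.102.253",
    "37.120.238.58", "152.89.247.207", "198.144.121.93", "89.163.252.230",
    "45.153.160.140", "23.106.223.97", "139.60.161.161", "146.0.77.15",
    "94.232.41.155"}

ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
# Whole dotted quads only: 189.44.9.243 must not match the IOC 89.44.9.243.
IP_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def hash_bytes(data: bytes) -> dict:
    """Return the md5, sha1 and sha256 hex digests of data."""
    return {a: hashlib.new(a, data).hexdigest() for a in ALGO_BY_LEN.values()}


def hash_file(path: Path) -> dict:
    """Digest a whole file (chunked reading would be preferable for large files)."""
    return hash_bytes(path.read_bytes())


def match_hash(hexdigest: str):
    """Look up a digest of any supported length; returns (algo, name) or None."""
    h = hexdigest.strip().lower()
    algo = ALGO_BY_LEN.get(len(h))
    return (algo, IOC_HASHES[h]) if algo and h in IOC_HASHES else None


def scan_directory(root: Path) -> list:
    """Flag files whose digest (kind 'hash') or name (kind 'filename') is an IOC."""
    findings = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        for algo, digest in hash_file(p).items():
            if digest in IOC_HASHES:
                findings.append({"path": str(p), "kind": "hash",
                                 "detail": f"{algo}={digest} ({IOC_HASHES[digest]})"})
        if p.name.lower() in IOC_FILENAMES:
            findings.append({"path": str(p), "kind": "filename", "detail": p.name})
    return findings


def match_log_line(line: str) -> set:
    """IOC IP addresses that appear, as whole addresses, in one log line."""
    return {ip for ip in IP_RE.findall(line) if ip in IOC_IPS}


def scan_log(lines) -> list:
    """(line number, sorted IOC IPs) for every log line that contains one."""
    return [(n, sorted(ips)) for n, line in enumerate(lines, 1)
            if (ips := match_log_line(line))]


# Constructed sample firewall log lines, not real traffic.
SAMPLE_LOG = [
    "2022-04-20T10:01:02Z fw01 allow src=10.0.5.12 dst=142.234.157.246 dport=443",
    "2022-04-20T10:01:05Z fw01 allow src=10.0.5.12 dst=189.44.9.243 dport=443",
    "2022-04-20T10:02:11Z fw01 deny src=45.134.20.66 dst=10.0.0.3 dport=22",
    "2022-04-20T10:03:40Z fw01 allow src=10.0.5.40 dst=93.184.216.34 dport=80",
]


def demo_scan() -> list:
    """Write two constructed files to a temp dir and scan them; returns findings."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "psexec.ps1").write_bytes(b"# constructed placeholder content\n")
        (root / "notes.txt").write_bytes(b"nothing of interest\n")
        return scan_directory(root)


if __name__ == "__main__":
    for f in demo_scan():
        print("FILE", f)
    for n, ips in scan_log(SAMPLE_LOG):
        print("LOG line", n, ips)
```

Run against a real host by replacing `demo_scan()` with `scan_directory(Path("C:/Users"))` and feeding exported firewall logs to `scan_log()`; the SHA256 entries are matched through the same dictionary as the MD5 and SHA1 values because `hash_file()` computes all three digests per file.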