ALPHV/BlackCat Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/alphv-blackcat/

ALPHV Ransomware Shut Down, Exit Scam Supposed
https://gridinsoft.com/blogs/alphv-ransomware-shutdown-scam/
Tue, 05 Mar 2024 17:55:42 +0000
On March 5, 2024, the ALPHV/BlackCat ransomware gang claimed to have shut down “due to the FBI takeover”. Although law enforcement did take action against this gang before, there are quite a few signs that this claim is false. Analysts suppose that the ALPHV admins are simply trying to pull an exit scam.

ALPHV/BlackCat Ransomware Shuts Down

The story of the ALPHV self-shutdown actually began when the gang's leak blog went offline. While this is not a rare occurrence for Darknet pages, the accompanying rumors that the group's admins had scammed their affiliates out of $20 million are a highly unpleasant stain on their image.

RAMP forum BlackCat scam

On Monday, March 4, 2024, the gang's negotiation sites went offline as well, meaning this was not just a coincidence. Finally, all the pages associated with the cybercrime group were defaced with the FBI banner. The banner, however, appears to be merely a saved copy from the real takedown, now served from a Python web server.

ALPHV banner FBI

So why can't this be a real FBI takedown? The feds already did it once before, and that attempt ended in a rather laughable manner. It is not unusual for law enforcement to pay a second visit, especially when the target is a notorious group of thugs like ALPHV. But researchers say that the NCA, one of the key anti-cybercrime authorities in Europe, denies any responsibility for the recent events around BlackCat.

Two other signs potentially indicate that ALPHV is going out of business. Their admin is offering the ransomware source code for sale for a hefty $5 million, and the group's Tox chat status has been changed to “GG”. Neither necessarily means a shutdown, but both are rather unusual behavior for this ransomware gang. It looks especially fishy considering the feeble excuses coming from their administrators.

Is it the end of BlackCat?

Yes, BlackCat is most likely done at this point. Regardless of whose story is true, a comeback would be rather hard to explain. The FBI story, though, is the least likely to be true, meaning the threat actors are not detained. That leaves ALPHV the chance to return, just in a different form.

It is quite common for ransomware gangs to morph into a different group after the dissolution of the original one. Either we will see this large group break up into several smaller ones, or it will be reborn under a different name with a carbon-copied essence. Alternatively, its members will find places in other ransomware groups: experienced hands are highly valued in the cybercrime world, too.

What is ALPHV/BlackCat?

BlackCat, a.k.a. ALPHV, is a ransomware group that appeared back in 2021. It primarily targets corporations, encrypting and stealing data from both Linux and Windows systems. A vast network of affiliates, along with a rather daring selection of targets, quickly propelled this ransomware to the top of the charts.

Targeting large companies and demanding large sums of money inevitably made ALPHV a priority target for law enforcement. Back in December 2023, a significant portion of its Darknet sites was taken down by the FBI, a takedown the gang nonetheless reverted. Since then, the cybercrime group did not show any sign of problems, until now.

ALPHV Site Taken Down by the FBI
https://gridinsoft.com/blogs/alphv-ransomware-site-taken-fbi/
Tue, 19 Dec 2023 14:16:28 +0000
On December 19, 2023, one of the ALPHV/BlackCat ransomware sites was taken down by the FBI. The typical FBI banner now decorates its main page, while the gang's other sites are still online. This event is possibly related to the 5-day downtime of all of the gang's Darknet infrastructure a week ago.

ALPHV/BlackCat Ransomware Site Seized

At around 13:00 GMT, one of BlackCat's onion sites began returning the FBI banner, which states that the site has been seized by law enforcement. At the same time, the rest of the gang's Darknet infrastructure is up and functioning, meaning the seizure is likely limited to this one site.

ALPHV site FBI banner
FBI banner on one of the ALPHV/BlackCat ransomware sites

All this becomes more interesting when we remember the events around ALPHV's Darknet sites a week ago. Both the leak site and the negotiation pages were down, simply unresponsive, without any banners. At that point, a lot of cybersecurity newsletters started supposing this was a sign of the hackers being paid a visit by law enforcement. However, as the sites were back online in 5 days, it seemed clear that all these suppositions were false.

BlackCat main page Darknet
Another Darknet leak site of the ALPHV/BlackCat group – still online

Or were they? Such a subsequent website seizure, along with ALPHV's silence regarding the reasons for the previous downtime, leaves a lot of room for speculation. Most probably, the FBI operation was already underway at that point, but the hackers managed to escape and get their network infrastructure back up. This looks realistic since all the records regarding the previous victims are gone, as you can see above.

We have seen hackers' sites come back up after a law enforcement interruption before. Back in March 2023, the infamous BreachForums was taken down by the FBI after its admin was detained. Shortly after, another admin restarted the forum only to notify the users about what was happening. This did not stop the inevitable: BF stayed down until its “rebirth” led by the ShinyHackers.

FBI Seized ALPHV Darknet Site – The Trend Continuation?

All hypotheses and comparisons aside, network infrastructure takedowns are a new trend led by the FBI. The destruction of the QakBot infrastructure, the IPStorm botnet disruption, the wiping of Trigona ransomware servers: these are only some of the past and ongoing operations with the same intent. The ALPHV site seizure fits this list beautifully.

Will that entirely stop the ransomware gang? Of course not. For large players like ALPHV, recovery is just a matter of time; they have enough money to sustain an idle period. QakBot actually proves this, being back in business with an email spam campaign that started on December 11, 2023. Nonetheless, for smaller cybercrime gangs, such a disruption may be a serious reason to cease operations.

As there are currently no statements from either the FBI or the ALPHV/BlackCat hackers, the story will unfold in new details pretty soon. I will update this post as new info pops up, so be sure to come back and check.

UPD 12/19/23 14:00 GMT

Two more pieces of information: official claims from ALPHV and the FBI's press release, published on its official site. Let's review them one by one.

In a chat with VX-Underground, the hackers assert that nothing happened to their actively used web assets. The FBI took down “the blog they deleted a long time ago”, and the page they use now is at a different address. Though, as far as I remember, this “old” site was used as a mirror for some time. Even if their claim is true, there could be remnants of info useful to law enforcement.

VX-Underground chat
Chat of VX-Underground researchers with ALPHV/BlackCat ransomware

Contrasting with the hackers' claims is the FBI press release, which covers more than the site takedown. Law enforcement is offering a decryption tool to ALPHV victims from any country. Allegedly, they developed the solution some time ago and have been offering it to victims through their own and partners' offices. The feds also claim to have access to the group's internal network, which is probably the reason behind today's takedown.

FBI claims

UPD 12/19/23 18:00 GMT

The seized website appears to be... unseized. At least that is what it shows now: the BlackCat logo on top and a text note below. The note is written in Russian and partially repeats what they told VX-Underground in the chat. But then some interesting things come into view:

Domain unseized

Yes, as you can read above, to avenge the site seizure, ALPHV is removing all restrictions on its affiliates' targets. These are what is known as the “ethical hacking rules”: no attacks on critical infrastructure such as hospitals, nuclear plants, and the like. Not all gangs follow them, though most of the large and long-running ones do. Now, ALPHV appears to be out of this “club” and will start attacking pretty much anything.

All in all, all I can say is that some sort of chaos is happening. How did the FBI get access to the site? How did ALPHV regain access? What is going on with the decryption keys? We will probably see an explanation pretty soon.

UPD 12/19/23 20:00 GMT

The FBI banner is back. These are apparently historic events. Should we expect round 2 with the current leak site?

Tipalti, Roblox and Twitch Hacked by ALPHV/BlackCat
https://gridinsoft.com/blogs/tipalti-roblox-twitch-hacked/
Mon, 04 Dec 2023 15:53:58 +0000
On December 3, 2023, the ALPHV ransomware gang claimed to have hacked fintech software provider Tipalti along with two of its clients, Roblox and Twitch. The approach, however, appears unusual, as the gang's listing says “but we'll extort Roblox and Twitch, two of their affected clients, individually”. The criminals promise to publish updated posts on Monday morning, which would maximize the stock price impact.

Tipalti Hacked, Roblox and Twitch are Collateral

On Saturday, December 3, 2023, ALPHV came out with quite an unusual claim. The hacker group said it had hacked into the network of Tipalti, a payment automation and accounting software provider, back in early September 2023. The text below is a quote from their Darknet leak site:

We have remained present, undetected, in multiple Tipali systems since September 8th 2023. Over 265GB+ of confidential business data belonging to the company, as well as its employees and clients has been exfiltrated. We remain committed to this exfiltration operation, so we plan to reach out to both these companies once the market opens on Monday…
Tipalti listing Darknet
Listing of the Tipalti and other companies on the ALPHV’s Darknet site

The thing is, the company itself has not received any ransom note yet. The typical practice in such attacks is to notify the victim via a ransom note, and only then publish info about the hack. Not this time, though: as the hackers say, they doubt the company will contact them, because of specific details they discovered while active in its network.

…given that Tipalti’s insurance policy does not cover cyber extortion and considering the behavior of the executive team in general, observed through internal communications, we believe the likelihood of them reaching out on our terms is unlikely, regardless of the sensitivity of data in question…
Cybercriminals' explanation of the unusual hack flow

Another detail the hackers reveal is the involvement of an insider. This is not a rare occurrence, but threat actors rarely speak openly about it. In the context of several companies taken as collateral, it sounds more like an attempt to ruin the company's image. That especially contrasts with the company's official response, given to the Israeli media outlet Calcalist.

Claim to Calcalist
Tipalti representative’s claims regarding the hack

Roblox and Twitch Fall Victim to Tipalti Hack

The worst part about this hack is that the hackers managed to compromise two client companies, namely Roblox and Twitch. Actually, this is not the first time Roblox has been the victim of a ransom hack: the same ALPHV gang hacked them in 2022. Twitch, though, is mentioned only in the listing title, without any further references in the text. This may be a sign that the hackers managed to take a less than significant amount of its data.

At the same time, some serious threats aimed at Roblox appear in the text. The hackers say they will publish the data of more victims (supposedly other Tipalti clients) in the months to come. To prevent this, both mentioned companies are expected to pay the ransom. The hackers, however, specify neither any sums nor, more importantly, the types of data leaked from the game developer.

Is it that dangerous?

Despite how threatening the whole situation looks, I'd take it with a grain of salt. Hackers often exaggerate the total damage, especially when it comes to collateral damage. Claims about Tipalti's clients being hacked are most likely just attempts to scare all the involved parties into paying.

What is beyond doubt, though, is the hackers' access to some of the data. In particular, they are not likely to be lying about their access to a major portion of Tipalti's data. For the other companies, it is most likely data about financial transactions, the very things they delegated to Tipalti. This is still not great, as such a leak may be reason enough for clients to switch to a different service.

To sum up, despite touching a whole array of companies, the hack does the most harm to Tipalti, and mostly reputational harm: even if not much client information ended up in the hackers' hands, the fact of the leak remains. The obvious conclusion is to avoid deep integrations with unreliable providers, to minimize the possible damage in case of another cyberattack.

UPD 12/05/2023

The original listing shown above was replaced with a more conventional one that simply claims the Tipalti hack. However, the threat actors still use the text note as a place for a postscript. The criminals dispute Roblox's claims that there are no signs of network compromise, saying that they will contact the company later.

ALPHV ransomware Tipalti listing
New Tipalti listing on the ALPHV ransomware Darknet site

At the moment, the ALPHV hackers claim to be contacting the first group of Tipalti clients whose info was leaked during the hack. They still do not contact the company itself, saying they will reach out to the clients first. Another interesting detail unveiled after the re-listing is that no ransomware was used: they just exfiltrated 265 gigabytes of data.

Henry Schein was hacked twice by BlackCat ransomware
https://gridinsoft.com/blogs/henry-schein-blackcat-ransomware/
Wed, 29 Nov 2023 14:45:07 +0000
Henry Schein Global, a healthcare solutions provider, is facing a persistent cybersecurity nightmare. The BlackCat/ALPHV ransomware gang has launched a second wave of attacks, claiming to have re-encrypted files after negotiations stalled. The company, headquartered in Melville, New York, is restoring its systems. This comes after the cybercrime group took credit for an initial breach on October 15, which disrupted manufacturing and distribution operations.

What is BlackCat Ransomware Gang?

The BlackCat ransomware gang, which emerged in November 2021, is believed to be a rebrand of the notorious DarkSide/BlackMatter group. That predecessor gained global attention after targeting Colonial Pipeline, which led to fuel supply disruptions across the entire US East Coast. The FBI has linked BlackCat to over 60 breaches globally between November 2021 and March 2022, indicating a pattern of sophisticated cybercriminal activity.

Henry Schein Attacked by ALPHV, Again

On October 15, Henry Schein reported a cyberattack that impacted its manufacturing and distribution businesses, causing operational disruptions. Two weeks later, the BlackCat/ALPHV ransomware group claimed responsibility, boasting about encrypting files and stealing a massive 35 terabytes of sensitive data, potentially including personal information, bank account details, and payment card numbers.

notification from Henry Schein
The notification from Henry Schein about the ransomware attack.

The situation escalated in early November when the cybercriminals declared that negotiations had stalled. In response, they threatened to re-encrypt files, a move confirmed by Henry Schein’s subsequent system restoration updates. The company informed customers on November 22 that its applications, including the e-commerce platform, were rendered unavailable due to actions by the threat actor.

BlackCat ransomware
Statement on the ALPHV/BlackCat leak site.

While still anticipating short-term disruptions, the latest update on November 26 assured customers that systems would soon be fully restored. As of the latest information, Henry Schein is no longer listed on the BlackCat leak site, hinting at a resumption of negotiations or even a ransom payment.

How to resist ransomware?

Organizations can enhance their resilience against extortionists through a multifaceted approach. First and foremost, robust cybersecurity measures are imperative. Regularly updating and patching systems can mitigate vulnerabilities, making it harder for extortionists to exploit weaknesses. Implementing strong access controls and regularly reviewing user privileges adds an extra layer of defense. Regular data backups are essential to ensure that organizations can quickly recover from ransomware attacks without succumbing to extortion demands. A well-defined incident response plan, including communication protocols and coordination with law enforcement, prepares organizations to swiftly and effectively handle extortion attempts.

Lastly, collaboration within the industry and sharing threat intelligence can strengthen collective defenses against evolving extortion tactics. By staying informed and implementing proactive measures, organizations can significantly reduce the likelihood of falling victim to extortionists.

ALPHV/BlackCat Ransomware Reports MeridianLink Hack To SEC
https://gridinsoft.com/blogs/alphv-blackcat-reports-to-sec/
Fri, 17 Nov 2023 18:20:38 +0000
Ransomware gang ALPHV takes an unprecedented step: it files an SEC complaint over an alleged victim's undisclosed breach. And no, this is not a ChatGPT joke. Hackers from the BlackCat/ALPHV group have found yet another way to pressure a victim into paying the ransom.

ALPHV Files SEC Complaint

ALPHV/BlackCat has filed a complaint with the U.S. Securities and Exchange Commission (SEC) against MeridianLink. Yes, you read that right: ALPHV is a ransomware group, and MeridianLink is its victim. The complaint alleges that the victim failed to comply with the four-day rule for disclosing a cyberattack, raising the stakes in the ongoing battle between hackers and targeted organizations.

SEC form screenshot
The threat actor's report to the SEC

The threat actor had previously listed MeridianLink, a software company, on its data leak site, accompanied by an ultimatum: the allegedly stolen data would be leaked unless a ransom was paid within 24 hours. MeridianLink, a publicly traded company specializing in digital solutions for financial institutions, banks, credit unions, and mortgage lenders, was thus thrust into the spotlight of a high-stakes cyber confrontation.

SEC Rules and Cybersecurity Reporting

In response to the increased number of security incidents at U.S. organizations, the SEC recently introduced new rules. They require publicly traded companies to promptly report cyberattacks that could materially affect investment decisions. The reporting deadline is four business days after the company determines that the incident is material. According to reports, the ALPHV ransomware gang claimed to have breached MeridianLink's network on November 7, emphasizing that they stole company data without encrypting any systems.

However, the gang allegedly received no response from MeridianLink regarding negotiations over the stolen data, so it decided to surprise everyone. They filed a complaint with the SEC and published a screenshot of the submission on the SEC's official platform. The complaint accuses MeridianLink of failing to disclose a cybersecurity incident involving “customer data and operational information”. They overlooked one little thing, though: the rules are only slated to take effect on December 15, 2023, as Reuters explained in October.

The automated SEC receipt for the complaint submission

Will Ransomware Groups Report to the SEC in the Future?

Ransomware and extortion groups have threatened to report breaches to the SEC before. The MeridianLink case, however, marks a public confirmation that such a report has now actually been filed. This course of action raises questions about the evolving dynamics between hackers and victims, as the ALPHV ransomware group resorts to regulatory channels to pressure its target. The incident also underscores how heightened regulatory scrutiny is complicating Russian hackers' efforts to profit from their victims.

But the question persists: will this tactic be used more and more often in the future? The answer is yes and no at the same time. The thing is, the vast majority of ransomware victims are small companies, too small to be publicly traded and thus not subject to the SEC rules. Thus, 70-80% of ransomware attacks will not have such a powerful pressure point. The rest may still avoid it, as there are enough bureaucratic loopholes in the document that backs the new SEC requirement.

FIN8 Updated Sardonic Backdoor to Deliver Noberus Ransomware
https://gridinsoft.com/blogs/fin8-sardonic-backdoor-noberus-ransomware/
Fri, 21 Jul 2023 11:21:46 +0000
FIN8, an infamous cybercrime group, has updated its backdoor malware to avoid detection. The group has returned after a period of inactivity, using an improved, modified version of its Sardonic backdoor to distribute the Noberus ransomware. This is part of its typical approach of constantly changing and improving its malware arsenal.

Who Are FIN8, a.k.a. “Syssphinx”?

FIN8, also known as “Syssphinx”, is a financially motivated cybercrime group with a reputation for targeting organizations indiscriminately. It has been known to target companies in industries such as chemicals, entertainment, finance, hospitality, insurance, retail, and technology.

FIN8 uses spear phishing and social engineering to reach victims while employing living-off-the-land techniques to conceal its activity. Recently, researchers discovered a new version of the Sardonic backdoor, first identified by Bitdefender in 2021. Although the latest version is more extensive and differs in some ways, it is not necessarily an improvement overall. The researchers noted that some of the changes seem unnatural and could be an attempt to avoid detection by disguising similarities with previous versions.

Updated Sardonic Backdoor Malware

Hackers often update their malware after it has been discovered, and the same happened with Sardonic after its exposure in 2021, to bypass the detection measures built for it. The researchers found that the new Sardonic backdoor is very similar to the previous one, but has many code changes that give it a distinct look. These changes were not arbitrary, however: the updated version adds support for more plugin formats, which gives attackers more options and extends their capabilities.

Experts analyzed a new Sardonic variant written in C, rather than the C++ used for the previous one. The backdoor is embedded indirectly in a PowerShell script used to infect target machines. Unlike the last variant, the new one does not use an intermediate downloader shellcode to fetch and execute the backdoor.

The PowerShell script decodes a .NET loader binary and loads it into the current process. The loader then decrypts and executes both the injector and the backdoor.

Sardonic Backdoor Malware

According to the researchers, the backdoor gives attackers interactive control over the infected system through processes such as cmd.exe. The analyzed sample supports up to 10 simultaneous sessions. Additionally, the backdoor accepts three different formats for extending its capabilities: PE DLL plugins, shellcode, and shellcode with a distinct approach to passing arguments.

The Sardonic backdoor supports multiple commands, including dropping files sent by the attacker, sending file contents back to the attacker, loading an attacker-supplied DLL plugin, and running supplied shellcode.

FIN8 and Ransomware Operations

Although FIN8 was known for focusing on point-of-sale (POS) attacks, in recent years the group has been using various ransomware families in its operations. Ransomware is nothing new for this group; the only difference here is the name of the final payload, Noberus. Noberus is in fact a well-known ransomware, the strain generally used by the ALPHV/BlackCat (a.k.a. FIN7) extortion gang.

FIN8 and his Ransomware Operations

Noberus has several features that set it apart from rival ransomware. These include access through a unique onion domain that is architecturally isolated from any connection to the affiliate program's forums, which makes it impossible to reveal the server's real IP address even with a full command-line shell, as well as encrypted negotiation chats that only the intended victim can access.

The ransomware offers two encryption algorithms, ChaCha20 and AES, and four encryption modes: Full, Fast, DotPattern, and SmartPattern. Full mode is the most secure but also the slowest. SmartPattern encrypts a fixed amount of data at percentage-based intervals; by default it encrypts 10 megabytes at every 10 percent of the file, starting from the header, which makes it the attackers' preferred trade-off between speed and cryptographic strength.

It’s just the beginning

FIN8 is constantly enhancing its capabilities and malware delivery infrastructure, frequently refining its techniques to avoid detection. Its recent shift from point-of-sale attacks to ransomware shows a commitment to maximizing profit from victims. The researchers have shared the tools and tactics this financially motivated threat actor uses, emphasizing the ongoing danger it poses to organizations.

How to defend against organized cybercrime?

To protect against the ever-changing malware of FIN8, we suggest implementing a defense-in-depth strategy that involves using multiple layers of detection and protection tools and incorporating multi-factor authentication (MFA) and access controls.

Organizations can consider implementing one-time credentials for administrative work to prevent theft and misuse of admin credentials. It’s also a good idea to create usage profiles for admin tools, as attackers often use them to move undetected through a network.

Barts NHS Trust Hacked by BlackCat/ALPHV Ransomware Group https://gridinsoft.com/blogs/blackcat-alphv-barts-nhs-trust/ Mon, 10 Jul 2023 10:37:01 +0000

A Russian cybercriminal gang BlackCat claims to have hacked into one of Britain’s most prominent hospital groups and threatens to release much of its sensitive data.

Barts NHS Trust Attacked by ALPHV/BlackCat

On June 30, Russian extortionist group BlackCat, aka ALPHV, claimed to have hacked into Barts Health NHS Trust, one of England’s most prominent hospital trusts. The group claims they stole seven terabytes of sensitive data, which could reveal data on 2.5 million patients. These include passport information, credit card information, and financial statements. In addition, BlackCat threatened to release citizens’ confidential data if Barts Trust did not contact the gang within three days about the cyberattack and data theft. Although the group disclosed some stolen information, including employees’ passports and licenses, the attackers did not mention the encryption key. This suggests that they probably did not use a ransomware program.

BlackCat ransomware Darknet screenshot
BlackCat ransomware gang publishes leaked data

What is Barts NHS Trust?

Barts NHS Trust is the largest NHS trust in the UK. It operates five hospitals in London, serving over 2.6 million people in a diverse area. The trust uses a clinical information system to improve efficiency and patient care; the system has helped with record storage, appointment booking, and patient communication. In 2016, Barts implemented an infection control reporting system to reduce the risk of infection transmission. It also uses SNOMED CT to identify patients who smoke and refer them to a cessation program. So as you can see, such an organization is no joke, and the attackers are both brave and confident. Or should I say “folly”?

Barts Health NHS Trust Home page screenshot
Barts NHS Trust provides a variety of health care services

A word or two about BlackCat Ransomware

As mentioned, BlackCat (also known as ALPHV or Noberus) is a highly advanced and dangerous ransomware first detected in November 2021. While it was a significant threat in 2021 and 2022, its impact has since decreased, as evidenced by a 28 percent drop in recorded infections in late 2022. BlackCat is the first major malware strain written in Rust, a programming language gaining popularity due to its high performance and memory safety. An additional feature of BlackCat is its ability to compromise both Windows- and Linux-based operating systems. The ransomware-as-a-service (RaaS) is operated by a group of Russian-speaking cybercriminals called ALPHV.

BlackCat’s campaigns often use a triple-extortion tactic, demanding a ransom for decrypting the infected files, for not publishing the stolen data, and for not launching denial of service (DoS) attacks. BlackCat targeted approximately 200 enterprise organizations from November 2021 to September 2022, focusing on financial, manufacturing, legal, and professional services companies, although it has also affected other industries. BlackCat has been more active in 2023 than in 2022: it had already compromised 209 victims in the first half of 2023, only slightly fewer than the 215 victims it claimed for all of 2022.

Alphv leak site main page
The BlackCat group regularly updates their website with leaks

Interestingly, many of these victims are within the healthcare industry, with 21 victims in 2023 compared to only 8 in 2022. While BlackCat/ALPHV has more healthcare victims than Cl0p or Lockbit 3.0, all ransomware attacks involve two distinct elements: an operator and an affiliate. Operators maintain the ransomware platform, while affiliates use it to attack suitable targets and split the profits with the operators. Therefore, the focus on healthcare victims cannot be attributed solely to the RaaS operators. Additionally, ransomware actors are opportunistic and will exploit victims if deemed profitable.

BlackCat Ransomware Employs Malvertising In Targeted Attacks https://gridinsoft.com/blogs/blackcat-ransomware-malvertising-targeted-attacks/ Mon, 03 Jul 2023 19:57:30 +0000

Recently, malicious actors have started using malvertising to spread BlackCat ransomware. They use cloned web pages of popular freeware applications, particularly the WinSCP utility. Such downloads result in an infection chain that consists of a dropper, a backdoor, and, finally, the ransomware.

Operators Distributing Ransomware Disguised as WinSCP

Researchers reported that BlackCat operators were using malicious ads to distribute fraudulent installers for the WinSCP file transfer application. In this case, the distribution involved a cloned web page for WinSCP, a well-known open-source Windows file transfer application. In a nutshell, the attackers use SEO poisoning to spread malware through online advertisements: they hijack a select set of keywords so that ads for phishing sites appear on Bing and Google search results pages, and these ads redirect unsuspecting users to a phishing copy of the original web page.

Screenshot of fake web page
Fake web page

In this way, the scammers try to make users download malware masked as a legitimate app: instead of the real WinSCP, the victim receives a backdoor containing a Cobalt Strike beacon. The backdoor, in turn, connects to a remote server for subsequent operations and uses legitimate tools such as AdFind to facilitate network discovery. The attackers use the access granted by Cobalt Strike to download programs for reconnaissance, enumeration, lateral movement, antivirus evasion, and data exfiltration. This tactic is aimed at infecting corporate users, a fairly unusual approach when it comes to ransomware distribution methods.

According to the researchers, the attackers managed to steal top-level administrator privileges, which allowed them to perform post-exploitation actions. In addition, they tried to set up persistence with remote management tools such as AnyDesk and gain access to backup servers. Unfortunately, this is not an isolated case but rather a trend. We’ve already told you how attackers use the Google Ads platform to spread malware.

What Is BlackCat Ransomware?

BlackCat is a dangerous malware strain that emerged in November 2021. It is operated by a Russian-speaking cybercrime group called ALPHV. It is the first significant malware written in the Rust programming language and can attack Windows and Linux systems. BlackCat uses a triple-extortion tactic in its ransomware campaigns, targeting various industries, including finance, manufacturing, and legal services. It has compromised around 200 enterprise organizations between November 2021 and September 2022 and is related to other ransomware variants such as BlackMatter and DarkSide.

BlackCat Ransom Note screenshot
BlackCat Ransom Note

The BlackCat gang is known for being fairly radical when it comes to data leaks: once a company it has attacked refuses to pay, the hackers open access to all the extracted data, and unlike other ransomware gangs, ALPHV/BlackCat does this on a clear-web website. In the past year, they exposed a huge number of people by publishing data extracted from Allison Resort and the University of Pisa.

General recommendations

At the organization level, there is a well-established set of recommendations that security-conscious organizations treat as a baseline for protecting themselves and their customers. A detailed understanding of attack scenarios enables organizations to identify the vulnerabilities that can lead to compromise and critical damage and to take the necessary steps to prevent them. But what about individual users? Here we recommend following these simple but effective tips:

  • Be extremely careful when searching for and downloading necessary programs from the Internet.
  • Do not click on advertising links on the search results page.
  • Use an ad blocker.
  • Use a trusted anti-malware program.

Following these rules will minimize the chances of compromising personal computers and workstations, or corporate devices.

Top famous Ransomware hack groups in 2022 https://gridinsoft.com/blogs/top-famous-ransomware-groups-2022/ Wed, 28 Dec 2022 18:14:47 +0000

Let’s have a look at the bad boys of this year. During 2022, the factions have been forming and re-forming, but one thing is sure: they continue to exist. Despite all efforts, the ransomware problem continues to grow: a recent report by IS-Zscaler recorded an 80% increase in ransomware attacks compared to last year. Major trends included double extortion, supply chain attacks, Ransomware-as-a-Service (RaaS), group rebranding, and geopolitically motivated attacks.

This year, for example, a well-known group of ransomware called Conti broke up, but its members only moved forward, forming new gangs. Which groups should we beware of in 2023? We will consider some of the most important players.

LockBit

LockBit has been in existence since 2019 and operates under the RaaS model. According to GuidePoint Security, it is the largest group, accounting for more than 4 out of 10 ransomware victims. The group is believed to be linked to Russia; however, its creators deny any ties and claim to be multinational. The LockBit 3.0 update was released in June and, according to Intel 471, has already spread to 41 countries. Its main targets are professional services, consulting and production, consumer and industrial goods, and real estate. LockBit also launched its own bug bounty program, offering up to $1 million for vulnerabilities found in its malware, leak sites, Tor network, or messaging service.

LockBit 3.0 builder scheme
The mechanism of LockBit builder

Black Basta

The Black Basta group first appeared this spring and, in its first two weeks, attacked at least 20 companies. The gang is thought to consist of former members of Conti and REvil. Black Basta runs its campaigns using QakBot, a banking trojan used to steal victims’ financial data, including browser information, keystrokes, and credentials.

This ransomware is believed to have hit about 50 organizations in the United States over the last quarter, including the American Dental Association (ADA) and the Canadian food retailer Sobeys. More than half of the group’s targets were from the United States.

Hive

Hive, the third-most active group of ransomware this year, focuses on the industrial sector and health, energy, and agriculture organizations. According to the FBI, the hackers attacked 1,300 companies worldwide, especially in the health sector, and received about $100 million in ransom. It was reported that the United States Department of Homeland Security was responsible for the attack.

Hive group Darknet
Hive group’s leak page

In recent weeks, the group claimed responsibility for an attack on India’s energy company Tata Power, posting the company’s data online, and for attacks on several colleges in the United States. Experts believe Hive cooperates with other ransomware groups and has its own customer support and sales departments. In addition, the group also engages in triple extortion.

ALPHV/BlackCat

ALPHV/BlackCat is one of the most sophisticated and flexible ransomware families; written in Rust, it has existed for about a year. The group is believed to be composed of former REvil members and is associated with BlackMatter (DarkSide). It also runs a RaaS model, exploiting known vulnerabilities or unprotected credentials and then launching DDoS attacks to force the victim to pay the ransom. Additionally, BlackCat discloses stolen data through its own search system.

ALPHV/BlackCat
ALPHV/BlackCat ransom note

The group’s targets include critical infrastructure, such as airports, fuel pipeline operators and refineries, as well as the United States Department of Defense. Ransom demands amount to millions; even when the victim pays, the group does not always provide the promised decryption tools.

BianLian

A relatively new player that targets organizations in Australia, North America, and the UK. The group is rapidly bringing new command-and-control (C&C) servers online, indicating that the hackers plan to increase their activity significantly.

BianLian ransomware group
BianLian ransom note

Like many other ransomware programs, BianLian is written in Go, which gives it high flexibility and cross-platform capability. However, according to Redacted, the group comprises relatively inexperienced cybercriminals who have yet to master the practical business aspects of ransomware operations and the related logistics. In addition, the group’s wide range of victims indicates that it is motivated by money rather than political ideas.

Other New Groups

The world of ransomware is constantly changing, and several groups have been renamed: DarkSide is now called BlackMatter, DoppelPaymer has become Grief, and Rook has been renamed to Pandora. In addition, over the past year, new groups have appeared – Mindware, Cheers, RansomHouse, and DarkAngels. We will probably hear about them next year.

How to protect yourself

Your defenses should include safeguards for each phase of an attack:

  1. Reduce the attack surface by making internal apps inaccessible to the Internet and decreasing the number of vulnerable elements.
  2. Prevent compromise by employing a cloud-native proxy architecture that inspects all traffic inline and at scale, enforcing consistent security policies.
  3. Prevent lateral movement by connecting users directly to applications rather than the network. This would reduce the attack surface and contain threats using deception and workload segregation.
  4. Prevent data loss by inspecting all Internet-bound traffic, including encrypted channels, to prevent data theft.
