ALPHV / Blackcat Exit Scam?
The ALPHV / Blackcat ransomware saga the last 2 weeks has been pretty wild.
What Happened
Late last year, ALPHV / BlackCat targeted MGM along with Scattered Spider.
The FBI seized their servers in December 2023 -- they recovered
February 20th 2024: Lockbit (a separate ransomware group) servers were seized by US and UK governments.
February 21st: United Healthcare was ransomed. Reportedly, UnitedHealth's Change Healthcare paid the $22M ransom.
March 5th: the exit scam begins. ALPHV posts a federal takedown notice on their site. Allegedly the admins stole the ransom from affiliates, offered the source code for sale, and pretended to be taken down.
Context
Who is ALPHV?
ALPHV, also known as BlackCat / Noberus, is a ransomware strain first detected in November 2021. The operators are a Russian-speaking group running a Ransomware as a Service (RaaS) operation and are linked to the BlackMatter and DarkSide groups. ALPHV advertises on dark web forums and private forums, e.g. XSS. And for the engineers, ALPHV was an early adopter of Rust among malware families.
Context: Ransomware Landscape
Ransomware gangs have had an exciting few years.
Conti was a notorious and prolific ransomware operator targeting banks, health services and more. During the 2022 Russian invasion of Ukraine an internal split in their operations resulted in a leak of their own data, and the group disbanded soon after.
Ransomware has gained traction and proliferated, attacking more and more victims and targeting operations across critical infrastructure, from Financial Services to Healthcare. Governments have been stepping up their response across public safety, preparation and disruption. Most recently, the Lockbit takedown (Operation Cronos) was an incredibly coordinated effort by global law enforcement agencies to disrupt the group's servers and operations.
Notably, ransomware groups exist in a volatile ecosystem of code leaks, internal politics and scams; groups can disband and re-form as smaller, less centralized organizations. As global law enforcement agencies show both the desire and the ability to take down ransomware groups, current ransomware operators have an incentive to cash out or exit the ecosystem. However, historical activity suggests new ransomware strains and group restructuring or re-forming are more likely than a full closure of operations.
What’s next?
We expect the ransomware saga to continue this year with more fireworks. Despite the constant activity, the core prevention measures remain the same:
Data backups and fine-grained access controls: can you limit the damage of a leak or an encryption event?
Monitoring the latest tactics and trends, malware variants, targets, and domains.
Red team exercises and tabletop exercises to test your response capabilities at different levels of your organization.
Sources:
VX underground: https://twitter.com/vxunderground/status/1765018555739779527
CISA: https://www.cisa.gov/news-events/alerts/2022/04/22/fbi-releases-iocs-associated-blackcatalphv-ransomware
BlackCat Disruption (Wired): https://www.wired.com/story/alphv-blackcat-ransomware-doj-takedown/
BlackCat Disruption (BleepingComputer): https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-22nd-2023-blackcat-hacked/
Krebs on Security: https://krebsonsecurity.com/2024/03/blackcat-ransomware-group-implodes-after-apparent-22m-ransom-payment-by-change-healthcare/
WithSecure: https://www.withsecure.com/en/expertise/blog-posts/2023-ransomware-rookies-are-a-remix-of-conti-and-other-classics
SecurityScorecard: https://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware/
White House: https://www.whitehouse.gov/briefing-room/statements-releases/2023/11/01/fact-sheet-biden-harris-administration-convenes-third-global-gathering-to-counter-ransomware/
STAT News: https://www.statnews.com/2023/11/17/hospital-ransomware-attack-patient-deaths-study/
Akamai: https://www.akamai.com/blog/security/learning-from-the-lockbit-takedown
Fabian Wosar (Twitter): https://twitter.com/fwosar