ALPHV / Blackcat Exit Scam?

The ALPHV / Blackcat ransomware saga the last 2 weeks has been pretty wild.

Posted by Zara PerumalMarch 6, 2024- 3 min read

ALPHV / Blackcat Exit Scam?

What Happened

Context

Who is ALPHV?

ALPHV or BlackCat / Noberus is a ransomware strain first detected in November 2021. The operators are a Russian speaking group acting as a Ransomware as a Service (RASS) and are related to BlackMatter and DarkSide hacking groups. ALPHV advertises on dark web forums and private forums e.g. XSS. And for the engineers, ALPHV is an early malware adopter of Rust.

Context Ransomware Landscape

Ransomware gangs have had an exciting few years.

Conti was a notorious and prolific ransomware operator targeting banks, health services and more. During the 2022 Russia Invasion of Ukraine they had a division in their operations resulting in a leak of their own data and disbanding soon after.

Ransomware has gained traction and proliferation, attacking more and more victims, and targeting many operations across critical infrastructure from Financial Services to Healthcare. Governments have been stepping up their response from public safety, preparation and disruption. Most recently the Lockbit takedown or Operation Cronos was an incredibly coordinated effort from global law enforcement agencies to disrupt their servers and operations.

Notably ransomware groups exist in a volatile ecosystem with code leaks, internal politics and scams; groups can disband and reform as smaller, but less centralized, organizations. As global law enforcement agencies are showing a desire and ability to takedown ransomware groups, current ransomware operators have incentive to cash out or exit the ransomware ecosystem. However, historical activity implies a greater likelihood of new ransomware strains and group restructuring/reforming, rather than full closure of operations.

What’s next?

We expect the ransomware saga to continue this year with more fireworks. Despite the constant activity, some of the prevention measures remain the same

  1. Data backups and fine grained access preventions – can you mitigate the damage of a leak.

  2. Monitoring latest tactics trends, malware variants, targets, and domains.

  3. Red team exercises and table tops to test your response capabilities at different levels of your organization.

Sources:

  1. VX underground:

    https://twitter.com/vxunderground/status/1765018555739779527

  2. CISA

    https://www.cisa.gov/news-events/alerts/2022/04/22/fbi-releases-iocs-associated-blackcatalphv-ransomware

  3. BlackCat Disruption

    https://www.wired.com/story/alphv-blackcat-ransomware-doj-takedown/

  4. BlackCat Disruption

    https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-22nd-2023-blackcat-hacked/

  5. https://krebsonsecurity.com/2024/03/blackcat-ransomware-group-implodes-after-apparent-22m-ransom-payment-by-change-healthcare/

  6. https://www.withsecure.com/en/expertise/blog-posts/2023-ransomware-rookies-are-a-remix-of-conti-and-other-classics

  7. https://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware/

  8. https://www.whitehouse.gov/briefing-room/statements-releases/2023/11/01/fact-sheet-biden-harris-administration-convenes-third-global-gathering-to-counter-ransomware/

  9. https://www.statnews.com/2023/11/17/hospital-ransomware-attack-patient-deaths-study/

  10. https://www.akamai.com/blog/security/learning-from-the-lockbit-takedown

  11. https://twitter.com/fwosar?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor

Back to blog