The latest research on the BlackCat/ALPHV ransomware group revealed that the gang evolved its tradecraft earlier this year to launch more powerful attacks. Moreover, in an advisory from 2022, it was listed among the top 10 most active ransomware groups by multiple research entities. With a despicable track record of stealing sensitive financial and medical information from different firms, the group continues to strike hard against many more organizations.

What’s the update?

In the latest discovery, Trend Micro researchers found that the gang was mimicking the website of WinSCP, a well-known Windows file-transfer application, to infect victims.
  • The fake website was distributed via search engines such as Bing and Google.
  • It acts as a lure aimed at the computers of system administrators, web admins, and IT professionals, whose infection would hand the attackers administrative privileges.
  • This in turn enabled the attackers to establish persistence, steal passwords, and access backup servers.

Other tools used in the campaign

The BlackCat operators were also observed using the following tools in the subsequent phases: PowerShell commands, Findstr, AdFind, PuTTY Secure Copy, and PowerView. These were used to retrieve Active Directory information, gather user data, extract ZIP files, move laterally, and bypass antimalware programs, among other tasks.

In addition to the above tools, the operators also used SpyBoy Terminator. The tool can disable several Windows security products through a BYOVD (bring your own vulnerable driver) mechanism, in which a legitimately signed but exploitable driver is loaded to gain kernel-level access.

BlackCat notoriety on the rise

  • BlackCat ransomware came up with an improved variant, dubbed Sphynx, that prioritized speed and stealth in an attempt to evade security guardrails and achieve its goals.
  • In May, Trend Micro shared details on a BlackCat ransomware incident that occurred in February. The attackers were observed deploying kernel drivers signed through several Microsoft hardware developer accounts in order to bypass security detection.
  • At the beginning of the year, the group added a new extortion technique: creating a copy of the victim’s site and posting the stolen data on it.

Final words

Ensuring the prevention of unauthorized access, along with early detection and response, is of utmost importance within an organization's network. Prompt remediation is equally crucial, as any delays in response time can result in severe consequences.
Cyware Publisher