Lessons from a 30-Day ALPHV/Blackcat Ransomware Intrusion

An investigation of a network compromise from Sygnia's Incident Response (IR) team reveals the complexities of a 30-day ALPHV/Blackcat ransomware attack. The documented intrusion offers not only a detailed walkthrough but also valuable lessons learned. The attackers exploited a trusted third-party, showcasing their strategic patience through an "orientation period" to study and navigate the victim's network, including both on-premises and Azure environments. Sygnia underscores the significance of "data-driven actions" in response to such cyber threats, emphasizing the need for decisive leadership decisions, such as isolating network connectivity to prevent further data breaches. Additionally, the importance of evaluating the stolen data's scope and sensitivity is crucial for an informed response to extortion demands.

During the initial phase of the intrusion, spanning the first five days, the attacker engaged in a systematic effort to establish a foothold within the network. Beginning with RDP and SMB login attempts from a compromised third-party vendor’s network, the attacker was able to successfully log on to key servers. Utilizing tunneling tools, they executed a series of actions including privilege escalation attempts and deploying Cobalt Strike for further lateral movement and command execution. Notably, they employed a combination of PowerShell scripts and a privilege escalation tool exploiting a vulnerability -  CVE-2022-24521 affecting the Windows Common Log File System (CLFS). Additional tools utilized in this phase included the SoftPerfect Network Scanner and Rclone for data exfiltration. Techniques for credential theft were initiated through Kerberoasting attacks and queries of LSA settings in the registry.

Progressing into the lateral movement phase from day 6 to day 20, the attacker engaged in reconnaissance and leveraged Cobalt Strike for further infiltration. By accessing credential data stored in the process memory of LSASS and attempting to dump the Security Account Manager (SAM) registry hive, they sought to obtain and exploit sensitive credential information. Moreover, the creation of batch scripts like ‘sap.bat’ for persistence, and remote service creation executing cmd commands were made evident from Windows log events - 7045. Utilizing tools like ‘nslookup’ and remote desktop protocol (RDP) connections, allowed the attackers to extend their footprint within the network. Tools like Process Hacker and a network scanning utility were deployed to gather intelligence on other domains and systems. This phase also saw the use of proxy tools like Stowaway to establish persistent access and facilitate movement across the network.

In the final stages of the intrusion, during days 27 to 30, the attackers focused their efforts towards data exfiltration, employing Rclone to transfer data to cloud storage solutions like Wasabi, effectively bypassing some firewall restrictions. The renaming of Rclone to common system processes like 'svchost.exe' was a clear attempt to disguise malicious activity and evade detection. A filter was also used to select specific file types, they targeted a variety of content for theft, showcasing their intent to obtain sensitive and valuable information. Manipulation of Windows Defender settings through registry modifications and the disabling of scheduled tasks related to Defender was observed with the execution of the 'defoff.bat' script.

The extortion phase, detailed from days 30 to 45, saw the attackers leveraging the stolen data to exert pressure on the victim organization through a series of threatening emails, asserting the exfiltration of sensitive data. The eventual publication of stolen files on the dark web serves as a stark reminder of the persistent threat posed by ransomware groups like ALPHV/BlackCat. This ransomware gang has been trending in the news, particularly for their involvement in attacks against healthcare organizations, with the most recent and damaging being against a subsidiary of UnitedHealth Group Change Healthcare on February 21.