Government Agencies Warn of ALPHV's Aggression Against Healthcare Organizations

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) have jointly released a cybersecurity advisory (CSA) to alert and inform about the tactics, techniques, and procedures (TTPs) associated with the ALPHV/Blackcat ransomware-as-a-service (RaaS). Despite law enforcement actions against the ransomware gang's data leak site in December 2023 this RaaS gang has not been deterred. As recent investigations as of February 2024 indicate an increase in attacks. The advisory updates previous releases and emphasizes the healthcare sector as a primary target, reflecting a stance of retaliation of law enforcement actions since the advisory notes "ALPHV Blackcat administrator’s post encouraging its affiliates to target hospitals after operational action against the group and its infrastructure in early December 2023.

ALPHV/Blackcat has evolved, introducing the ALPHV Blackcat Ransomware 2.0 Sphynx update, which is observed to boasts enhanced evasion capabilities and expanded tooling, allowing for encryption across Windows, Linux devices, and VMWare instances. The technical details of the advisory reveal the group's reliance on advanced social engineering, the deployment of remote access software like AnyDesk and Splashtop, and the creation of a user account “aadmin" for persistence. Moreover, the use of Kerberos token generation, tunneling tools such as Plink and Ngrok, and command and control beacons like Brute Ratel C4 and Cobalt Strike are identified as notable tools utilized in ALPHV/Blackcat's operations. Detection engineers are advised to monitor for these activities, alongside the use of adversary-in-the-middle attack frameworks like Evilginx2, which facilitates the theft of multi-factor authentication credentials.

In efforts to maintain stealth, ALPHV affiliates leverage allowlisted applications and clear logs to evade detection. Furthermore use of legitimate and trusted services like Mega[.]nz and Dropbox for data exfiltration and the deployment of ransomware. Notably, some affiliates opt for extortion without deploying ransomware, a technique which bypasses the overhead of data encryption and increases speed of their operation. The advisory encourages organizations, especially within the healthcare sector, to adopt recommended mitigations to reduce the likelihood and impact of these ransomware and data extortion incidents.

ALPHV/Blackcat's operations demonstrated despite law enforcement efforts to disrupt their infrastructure, ransomware groups can recover or splinter through affiliate networks unless arrests are made. To ensure are defenses are as enduring as their penchant for cybercrime, defenders are encouraged to enhance their security posture by adopting detection strategies informed by the TTPs identified and circulated within the cybersecurity community.