Cybereason Analysis of ALPHV/BlackCat Ransomware

Industry: Aviation, Construction, Commercial Services, Insurance, Machinery, Oil, Pharmaceuticals, Retail, Telecommunication, Transportation | Level: Tactical | Source: Cybereason

Cybereason provides analysis of ALPHV (aka Blackcat) RaaS (Ransomware as a Service), with operators likely associated with Russia. The ransomware strain is written in Rust program language with Windows and Linux variants. The group operates with a double extortion model with some cases observing a triple extortion model, involving DDoS attacks. Organizationally ALPHV/BlackCat operators are affiliates of DarkSide/BlackMatter ransomware, in addition, possess infrastructure and tools that are similar to LockBit ransomware. From its arrival in cyberspace, the ransomware strain has impacted a number of organizations with notable victims mentioned including "German oil companies, an Italian luxury fashion brand and a Swiss Aviation company." Whist having a variety of targets, "BlackCat has attacked various industries, including telecommunication, commercial services, insurance, retail, machinery, pharmaceuticals, transportation, and construction industries." Activity observed from the ransomware execution includes privilege escalation activity, wmic running reconnaissance, executing fsutil to set symbolic links, stopping services, registry modification requests and deleting volume shadow copies.

• Anvilogic Scenario: Initial ALPHV/BlackCat Ransomware - Behaviors
• Anvilogic Use Cases:
• WinRM Tools
• Fsutil fsinfo execution
• Registry key added with reg.exe
• Service Stop Commands
• Inhibit System Recovery commands