BlackCat/ALPHV Affiliate Leverages Malvertising to Drop Ransomware Payload


November 15, 2023

World map

A BlackCat /ALPHV affiliate attacker has been observed leveraging malvertising to deliver a ransomware payload disguised as legitimate software downloads via attacker-controlled websites that serve up fake Google ads for product including Cisco AnyCOnnect, Slack, Advanced IP Scanner, and WinSCP.

“Nitrogen is initial-access malware that leverages Python libraries for stealth. This foothold provides intruders with an initial entry into the target organisation’s IT environment. Once the hackers have that initial foothold, they can then infect the target with the malware of their choosing,” Computer Weekly reports the researchers as stating.

“Organisations need to start including browser-based attacks, including those that use fake advertising, as part of user awareness training. Browser-based attacks are increasingly leading to hands-on ransomware intrusions and infostealers that enable ransomware intrusions later."

Takeaway: The reality here is that the vast majority of organizations out there simply cannot defend against these well-resourced, motivated attackers who are increasingly observed leveraging a wide variety of very advanced attack methodologies.  

Ransomware attacks on critical infrastructure providers and other organizations are rising to the level of cyber-terrorism, and the government needs to start treating them as such.  

Ransomware operators are flush with cash and willing to invest significant resources into improving their TTPs, finding novel ways to gain initial access, establish persistence, compromise credentials, and move laterally through the targeted network.

This is evident in the marked increase in the exploitation of known vulnerabilities, the surprising increase in the use of zero-days, the application of more advanced techniques like DLL side-loading and Living-off-the-Land techniques to abuse of LoLBins, as well as the creativity observed in establishing new infection vectors.

This trend is likely to continue as threat actors continue to automate more aspects of their attack sequences. We see evidence of this automation in the hundreds of organizations that have been hit by the Cl0p ransomware gang in just the last few weeks.

Just in the last year we have seen ransomware operators improve efficiencies in the attack progression across the board for initial compromise, improved stealth, bypassing endpoint protection, as well as in payload delivery methods and exponentially improving encryption speeds.

In fact, recent reporting indicates ransomware operators have reduced the time to infection after initial compromise from an average 4.5 days to a matter of hours. This is concerning, as such a significant reduction in time-to-infection means defenders have an even smaller window with which to work in order to detect and respond to these stealthy attacks.

Hundreds or more victims have been hit by the Cl0p ransomware gang alone this year as they continue to exploit known vulnerabilities in the MoveIT and GoAnywhere MFT software. We also saw signs of automation in attacks exploiting a host of other known, patchable vulnerabilities throughout 2023.  

In early April, researchers published an analysis of a new semi-autonomous ransomware strain dubbed Rorschach, noted for its automation, fast encryption speed, and stealthy DLL side-loading for security evasion and persistence.  

Later in April, the Vice Society ransomware gang was observed using Living-off-the-Land (LotL) techniques with a custom PowerShell-based tool that automates data exfiltration on targeted networks, and the Play ransomware gang also developed two new custom data exfiltration tools.  

There are plenty of examples of advancements in TTPs of ransomware operations out there, and we are seeing more tactics and techniques employed that were previously only observed in state-sponsored APT operations.

The US government needs to stop telling American companies that they have to just to just fend for themselves. We need more than proclamations. We need intervention to protect organizations from what are known to be nation-state threat actors who freelance as cybercriminal attackers on the side. is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.