BlackCat/ALPHV Ransomware Upgrades Increase Encryption Speed and Stealth

Date: June 1, 2023

The BlackCat/ALPHV ransomware developers released an improved variant dubbed Sphynx that dramatically increases both encryption speed and stealth in bypassing security solutions.

“BlackCat, also called ALPHV and Noberus, is the first Rust-language-based ransomware strain spotted in the wild. Active since November 2021, it has emerged as a formidable ransomware actor, victimizing more than 350 targets as of May 2023,” The Hacker News reports.

“The findings provide a window into the ever-evolving cybercrime ecosystem wherein threat actors enhance their tooling and tradecraft to increase the likelihood of a successful compromise, not to mention thwart detection and evade analysis.”

Specifically, the Sphynx version of BlackCat incorporates junk code and encrypted strings, while also reworking the command line arguments passed to the binary.

The Sphynx variant also automates network discovery to identify additional systems to infect and deletes volume shadow copies to prevent restoration via security tool “rollback” features.
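A defender-side illustration of the shadow-copy deletion behaviour noted above, added here as an example and not taken from the article or from any analysis of the Sphynx binary: it flags process command lines that delete volume shadow copies with built-in Windows utilities, and raises a burst signal when several hosts match within a short window. The log format, host names, rule names and thresholds are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# General heuristics for shadow-copy deletion with built-in Windows tools.
# Assumption: these are not indicators published in the article.
RULES = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(\.exe)?\s.*\bdelete\s+shadows\b"),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(\.exe)?\s.*\bshadowcopy\b.*\bdelete\b"),
    "wmi_shadowcopy_delete_ps": re.compile(
        r"win32_shadowcopy.*(\.delete\(\)|remove-wmiobject|remove-ciminstance)"),
}

def normalize(cmd):
    """Lower-case, drop cmd.exe escape carets and quotes, collapse whitespace."""
    cmd = cmd.lower().replace("^", "").replace('"', "")
    return re.sub(r"\s+", " ", cmd).strip()

def parse_line(line):
    """Constructed format: ISO time | host | parent image | command line."""
    ts, host, parent, cmd = [f.strip() for f in line.split("|", 3)]
    return {"time": datetime.fromisoformat(ts), "host": host, "parent": parent, "cmd": cmd}

def detect(lines, window=timedelta(minutes=10), host_threshold=2):
    """Return (alerts, burst). burst is True when matches land on at least
    host_threshold distinct hosts inside one window (automated spread)."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        norm = normalize(ev["cmd"])
        rule = next((name for name, rx in RULES.items() if rx.search(norm)), None)
        if rule:
            alerts.append({"rule": rule, **ev})
    alerts.sort(key=lambda a: a["time"])
    burst = False
    for i, first in enumerate(alerts):
        hosts = {a["host"] for a in alerts[i:] if a["time"] - first["time"] <= window}
        if len(hosts) >= host_threshold:
            burst = True
            break
    return alerts, burst

# Constructed sample process-creation events (not real telemetry).
SAMPLE = [
    "2023-06-01T10:00:05 | WS-014 | explorer.exe | notepad.exe notes.txt",
    "2023-06-01T10:02:11 | FS-01 | cmd.exe | vssadmin.exe Delete Shadows /All /Quiet",
    "2023-06-01T10:04:40 | DB-02 | cmd.exe | v^ssa^dmin d^elete sha^dows /all",
    '2023-06-01T10:05:02 | FS-01 | powershell.exe | powershell -c "Get-WmiObject Win32_ShadowCopy | Remove-WmiObject"',
    "2023-06-01T10:30:00 | WS-020 | backupsvc.exe | vssadmin list shadows",
]

if __name__ == "__main__":
    found, burst = detect(SAMPLE)
    for a in found:
        print(a["time"].isoformat(), a["host"], a["rule"])
    print("multi-host burst:", burst)
```

Matching runs on the normalized command line, so caret-escaped and quoted variants are still caught while read-only calls such as `vssadmin list shadows` are not flagged.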

Takeaway: BlackCat/ALPHV is easily the biggest threat out there right now in the ransomware threatscape, as noted in our recently published report, Power Rankings: 2022 Ransomware Malicious Quartile. While they have not reached the volume of attacks that counterparts like LockBit boast, they certainly have the most technically advanced RaaS platform offering in the market.

First observed in late 2021, BlackCat/ALPHV already had a well-developed RaaS platform and was one of the more active groups over the last year. Reports that they have improved encryption speed and the ability to circumvent security solutions are of concern.

BlackCat/ALPHV has the ability to disable security tools and evade analysis. BlackCat/ALPHV rapidly became one of the more active RaaS platforms over the course of 2022, and typically demands ransoms in the $400,000 to $3 million range.

BlackCat/ALPHV was observed to be the first ransomware group using Rust, a secure programming language that offers exceptional performance for concurrent processing. The ransomware also leverages Windows scripting to deploy the payload and to compromise additional hosts.

BlackCat/ALPHV varies widely in its targeting, but most often focuses on the financial, manufacturing, legal and professional services industries. It exfiltrates victim data, including from cloud-based deployments, prior to the execution of the ransomware, and leverages that data in double extortion schemes to compel payment of the ransom demand.

The automation of network discovery to expand the range of addressable targets is also concerning. Automation means ransomware operators hit more victims faster, which translates to more ransoms collected and more fiscal pain for the victim organizations, which is the name of the game for these threat actors.

For example, hundreds of organizations have been hit in early 2023 by the Cl0p ransomware gang as they continue to exploit a known vulnerability in the GoAnywhere software. We are also seeing signs of automation in attacks exploiting a similar vulnerability in IBM Aspera Faspex.

Researchers also recently published an analysis of a new semi-autonomous ransomware strain dubbed Rorschach that was noted for its automation, encryption speed, stealthy DLL side-loading, and advanced security evasion.

Additionally, the Vice Society ransomware gang was observed using Living-off-the-Land (LotL) techniques with a custom PowerShell-based tool that automates data exfiltration on targeted networks, and the Play ransomware gang also developed two new custom data exfiltration tools.

These are multi-staged attacks in which the threat actors seek to infiltrate as much of the victim network as possible to exfiltrate sensitive data for extortion. This ingress and lateral movement on the targeted network takes time, so automating aspects of the attack sequence allows threat actors to compromise targets faster.

Some of these automated techniques and attack tooling are extremely difficult to detect, but many of these techniques can only be leveraged if the target has left themselves open to the attack. Simple things help, like not using weak or default passwords, which helps prevent brute-force or dictionary attacks.

Timely patching of vulnerabilities, both old and new, is another big one all organizations should prioritize to prevent exploitation. These attackers are out there somewhere scanning for any opening into the target network they can find.

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more.