BlackCat/ALPHV Sphynx Ransomware Variant Targets Azure Storage

Date: September 18, 2023


The BlackCat/ALPHV ransomware gang has been observed harvesting One-Time Passwords (OTP) to bypass security tools, then dropping the recently released Sphynx variant to encrypt Azure cloud storage deployments.

“After gaining access to the Sophos Central account using a stolen One-Time Password (OTP), they disabled Tamper Protection and modified the security policies. These actions were possible after stealing the OTP from the victim's LastPass vault using the LastPass Chrome extension,” Bleeping Computer reports.

“They infiltrated the victim's Azure portal using a stolen Azure key that provided them access to the targeted storage accounts. The keys used in the attack were injected within the ransomware binary after being encoded using Base64.”
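The report above describes a storage account key that was Base64-encoded and then embedded in the ransomware binary. During incident response, the first defensive question is whether a recovered sample contains one of your own keys, because any key found there has to be rotated immediately. The following triage helper is an added example written for this post; it is not code from the article, from BleepingComputer, or from any vendor. It assumes the documented shape of an Azure storage account key (64 random bytes rendered as 88 Base64 characters ending in "==") and a single outer Base64 layer as the report states; the sample bytes are constructed, not a real binary.

```python
"""Triage helper: does a sample embed a Base64-wrapped Azure storage key?

Added example, not from the original article or from any vendor tooling.
Assumptions (labelled): an Azure storage account key is 64 random bytes
rendered as 88 Base64 characters ending in "==", and, as the report states,
the key was Base64-encoded once more before being placed in the binary.
The sample bytes below are constructed, not a real sample.
"""
import base64
import hashlib
import re

# Inner layer: the storage key itself (86 Base64 chars + "==" padding).
STORAGE_KEY_RE = re.compile(rb"^[A-Za-z0-9+/]{86}==$")
# Outer layer: any Base64 run long enough to wrap an 88-char key (120 chars).
B64_RUN_RE = re.compile(rb"[A-Za-z0-9+/]{100,}={0,2}")


def find_embedded_keys(blob: bytes) -> list[str]:
    """Return every storage-key-shaped string hidden behind one Base64 layer."""
    found = []
    for m in B64_RUN_RE.finditer(blob):
        run = m.group(0)
        if len(run) % 4:  # not a well-formed Base64 run, skip it
            continue
        try:
            inner = base64.b64decode(run, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        # Accept only strings with the key shape that really decode to 64 bytes.
        if STORAGE_KEY_RE.match(inner) and len(base64.b64decode(inner)) == 64:
            found.append(inner.decode("ascii"))
    return found


def fingerprint(key: str) -> str:
    """SHA-256 of a key, so responders can compare against an inventory of
    real key hashes without passing the secret itself around."""
    return hashlib.sha256(key.encode("ascii")).hexdigest()


def matches_known_keys(blob: bytes, known_fingerprints: set[str]) -> list[str]:
    """Fingerprints of embedded keys that belong to the organisation.
    A non-empty result means those storage account keys must be rotated now."""
    return [fp for fp in map(fingerprint, find_embedded_keys(blob))
            if fp in known_fingerprints]


# --- constructed sample data (not a real key, not a real binary) ---
FAKE_KEY = base64.b64encode(bytes(range(64))).decode("ascii")  # 88 chars, ends "=="
DECOY = base64.b64encode(b"not a storage key " * 8)  # long Base64, wrong shape
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"cfg=" + DECOY + b"\x00"
    + b"azkey=" + base64.b64encode(FAKE_KEY.encode("ascii")) + b"\x00"
    + b"\x00" * 16
)

if __name__ == "__main__":
    hits = find_embedded_keys(SAMPLE_BINARY)
    print("embedded key candidates:", len(hits))
    for k in hits:
        print("  fingerprint", fingerprint(k))
    inventory = {fingerprint(FAKE_KEY)}  # hashes of the org's own keys (constructed)
    print("matches our inventory:", matches_known_keys(SAMPLE_BINARY, inventory))
```

The fingerprint comparison is deliberate: a responder rarely has, or should have, the plaintext keys of every storage account at hand, but a hash inventory can be kept alongside the asset register and checked against any sample without exposing the keys themselves.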

The attackers were also observed abusing multiple Remote Monitoring and Management (RMM) tools including Atera, AnyDesk, and Splashtop.

First observed in late 2021, BlackCat/ALPHV runs a well-developed RaaS platform that encrypts files using AES. The code is highly customizable and includes JSON configurations for affiliate customization.

BlackCat/ALPHV recently released the Sphynx variant with upgraded evasion capabilities that can disable security tools and evade analysis. Sphynx is probably the most advanced ransomware family at present: it can employ different encryption routines and advanced self-propagation, and it hinders hypervisors for obfuscation and anti-analysis.

BlackCat/ALPHV can impact systems running Windows, VMware ESXi and Linux (including Debian, ReadyNAS, Ubuntu, and Synology distributions).

Takeaway: Ransomware developers have only recently turned their focus and vast resources to improving the earliest attack stages, automating scans and exploitation of known vulnerabilities for initial compromise and abusing legitimate tools on the network – or leveraging custom tooling for lateral movement and data exfiltration.  

Attackers continue to invest ransom proceeds into hiring really talented developers who are constantly finding new ways to infect victims, evade detection, exfiltrate more sensitive data, and encrypt more files faster – so now the targeting of cloud installations should be of great concern.

Most organizations probably assume off-site data storage to be relatively immune to ransomware attacks, but that is not a safe assumption. Attackers are well funded, and we will continue to see them innovate on more advanced attack sequences.  

AV and NGAV are for the most part obsolete when it comes to protecting organizations against these attacks. EDR and XDR might offer a little better protection, but it is clear that more advanced groups like BlackCat/ALPHV are routinely bypassing these security tools as well.

If you look at the pace of evolution of RaaS platforms over the last 2-3 years, it’s pretty plain to see that the ransomware threat is still in its infancy, and attackers are keen to continue developing more advanced tools and techniques.

Most organizations are simply not prepared to address advanced ransomware attacks of this nature – the threat actors are playing chess here and most of their targets don’t even have the pieces they need to mount a decent checkers game.

This is especially the case for some of the most targeted verticals like healthcare and education – they simply do not have the resources to mount a viable defense against these attacks, so they are basically sitting ducks.

We are just at the very beginning of this fight, and we are already getting our asses kicked. Threat actors in this space have nearly unlimited resources and continue to innovate at a rapid pace while their targets are debating budgets and resource allocation constraints.  

The disparity between attacker capabilities and most organizations' defenses is vast, so we can expect a lot of pain to be inflicted on victims. We can either continue to passively accept this fact or we can choose to invest the resources required to neutralize this threat.

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile Q2 2023 (PDF).