New version of ALPHV/BlackCat ransomware hits victims

The United States’ Cybersecurity and Infrastructure Security Agency (CISA) has issued an updated advisory warning of a new version of the ALPHV/BlackCat ransomware locker, which it has observed targeting organisations in the US, mainly in the healthcare sector.

The new guidance, which is published alongside various law enforcement agencies and can be viewed in full here, forms part of CISA’s ongoing #StopRansomware campaign.

ALPHV/BlackCat was the subject of an FBI sting in December 2023, but the ransomware operators were quick to shrug off the impact on themselves and the crew’s affiliates, which include the group known as Scattered Spider/Octo Tempest, the operation behind the autumn 2023 Las Vegas cyber attacks.

The new advisory updates a number of previous ones, most recently issued at the time of the FBI takedown, and reveals that the ransomware gang has been taking steps to recover,

“ALPHV/BlackCat actors have since employed improvised communication methods by creating victim-specific emails to notify of the initial compromise,” the advisory notes.

“Since mid-December 2023, of the nearly 70 leaked victims, the healthcare sector has been the most commonly victimised. This is likely in response to the ALPHV/BlackCat administrator’s post encouraging its affiliates to target hospitals after operational action against the group and its infrastructure in early December 2023.”

The advisory also details the release of the ALPHV/BlackCat 2.0 Sphynx update earlier in February. The new version of ALPHV/BlackCat has been rewritten to offer new features to affiliates, including better defence evasion capabilities and new tooling that lets it encrypt not just Windows and Linux devices, but also VMware environments.

ALPHV/BlackCat affiliates were previously notable for using advanced social engineering tactics to lay the groundwork for their ransomware attacks, often posing as the victim’s IT or helpdesk staff to obtain credentials, and this tactic does not seem to have changed.

After achieving access, the average affiliate uses a fairly standard playbook exploiting legitimate remote access tools and frameworks such as Brute Ratel and Cobalt Strike for command-and-control purposes, applications such as Metasploit to evade detection, and services such as Mega.nz and Dropbox to exfiltrate data prior to executing their locker.

Some affiliates have become exponents of the technique whereby no actual ransomware is deployed, and move straight to the data theft and extortion phase.

The advisory comes following a major US cyber attack against Change Healthcare, a provider of payment and revenue management in American hospitals, which at the time of writing had disrupted pharmacy and other services in multiple parts of the country for over a week.

This attack has been linked to ALPHV/BlackCat and there has been speculation that it may have arisen through exploitation of a critical zero-day in the ConnectWise ScreenConnect product.

“The cyber attack on Change Healthcare, the largest healthcare payment exchange platform, has significantly impacted pharmacies nationwide, prompting the adoption of electronic workarounds,” Andrew Costis, chapter lead for AttackIQ’s Adversary Research Team, told Computer Weekly via email.

“The vast amount of sensitive patient data stored within healthcare systems makes these organisations a dangerous target for ransomware groups, with the potential for far-reaching consequences. These attacks can cripple organisational operations and, more importantly, compromise patient health and safety. 

“Healthcare organisations must now prioritise validating their security controls against BlackCat’s TTPs as outlined in the joint advisory leveraging the MITRE ATT&CK framework. By emulating the behaviours exhibited by BlackCat, organizations can assess their security postures and pinpoint any vulnerabilities. This proactive approach is essential to mitigate the risk of future attacks,” said Costis.