In a new threat briefing report, Forescout’s Vedere Labs describes how it analysed files and tools used by an affiliate of the ALPHV ransomware group during an attack.
ALPHV, also known as Black Cat, is a Ransomware-as-a-Service gang that was first discovered in November 2021. This gang has hit more than 60 organisations and large enterprises and is distinguished for using ransomware written in Rust, having a binary payload that is created for each specific target, and supporting Windows and Linux variants, including specific capabilities for VMware ESXi hosts.
Previous reports have noticed that the group was probably created by former members of other cybercriminal hacking groups, such as BlackMatter, REvil and DarkSide. Their preference for attacking network infrastructure devices and hosts with exposed RDP has also been documented.
ALPHV became widely known as “the most sophisticated ransomware of 2021.” On April 19, 2022, the FBI released an alert that highlights details of known indicators of compromise (IOCs) and tactics, techniques and procedures (TTPs) associated with ALPHV.
Vedere Labs analysed files and tools used by an affiliate of the ALPHV ransomware group during an attack involving two distinct exploitations: penetrating an unpatched and end-of-life SonicWall SRA appliance to gain initial access to the network and then moving to and encrypting a VMware ESXi virtual farm.
New findings break down the malware’s sophisticated behaviour and present ways to avoid damage, including:
- The description of how to extract the config file embedded in the malware, which contains information that can be used in incident response, such as harvested credentials or virtual machines spared from encryption.
- The most detailed analysis of the encryption behaviour of ALPHV, including the description of a previously unreported communication protocol used to distribute encryption between multiple instances of the malware. This is the first time we have observed this behaviour in a ransomware, once again showing ALPHV’s ingenuity.
- An error-handling bug that could prevent encryption on Linux targets by creating a dummy esxcli.
This new briefing presents a technical analysis of the incident focusing on the initial access via SonicWall SRA and the ALPHV ransomware sample deployed at an ESXi server. From this analysis, we extract indicators of compromise and mitigation recommendations to help network defenders to detect and mitigate attacks from ALPHV and other similar ransomware groups.
ALPHV is, alongside Conti and LockBit, currently one of the most dangerous and active ransomware groups. They are very proud of the complexity of their ransomware and just like they recently added encryption to the config in their binaries, we expect them to keep adding more features that make business easier for their affiliates and detection more difficult for defenders.
Ultimately, these new features could include different tactics and techniques that threaten even more organisations in new ways. Therefore, it is imperative that organisations use the IOCs we share to hunt for and detect current ransomware in their networks, but it is also important to keep up with the intelligence around new threats that we share with the community.
Forescout recommends that organisations use the following steps to mitigate risks:
- Patch network infrastructure devices, especially internet-facing ones, as those are often used for initial access.
- Monitor external access from unknown IP addresses.
- Check for the presence of known IOCs in the network.
- Consider use of network segmentation policies to isolate and restrict devices to minimise the movement of hackers.
- Maintain backups of servers, including virtual machine snapshots.
For more information and technical analysis, read the full report.