Business Continuity Management / Disaster Recovery , Critical Infrastructure Security , Cybercrime as-a-service

FBI Alert: Have You Been Bitten by BlackCat Ransomware?

Feds Seek Intelligence to Disrupt the Ransomware Group Also Known as Alphv
FBI Alert: Have You Been Bitten by BlackCat Ransomware?
Ransomware encryption alert and ransom demands used by Alphv, aka BlackCat (Source: MalwareHunterTeam, SentinelLabs)

Has your organization been bitten by BlackCat ransomware, aka Alphv? If so, the FBI wants to hear details about how attackers broke in, the cryptocurrency wallet addresses used to receive ransoms and other information that could help law enforcement authorities better track and block future attacks.

See Also: Gartner Market Guide for DFIR Retainer Services

"The FBI is seeking any information that can be shared, to include IP logs showing callbacks from foreign IP addresses, Bitcoin or Monero addresses and transaction IDs, communications with the threat actors, the decryptor file and/or a benign sample of an encrypted file," the bureau says in a recent flash alert.

The FBI flash alert also includes known indicators of compromise tied to Alphv/BlackCat, as well as tactics, techniques and procedures associated with the group's attacks, not least so organizations can better protect themselves and watch for attacks by this ransomware-as-a-service operation.

The FBI says it knows of at least 60 organizations worldwide that fell victim to Alphv/BlackCat by March. The criminal group posts names and leaks data for a subset of its victims, as part of a double-extortion tactic designed to increase the pressure on a victim to meet its ransom demand.

"BlackCat-affiliated threat actors typically request ransom payments of several million dollars in Bitcoin and Monero but have accepted ransom payments below the initial ransom demand amount," the FBI says. "Many of the developers and money launderers for BlackCat/Alphv are linked to DarkSide/BlackMatter, indicating they have extensive networks and experience with ransomware operations."

Not all ransomware operations run data leak sites and of ones that do, only a fraction may get listed. But based on victims listed by ransomware operations on their data leak sites, Alphv/BlackCat was the seventh-most-prolific operation in December 2021. (Source: Unit 42, Palo Alto Networks' threat intelligence team)

Since March 30, the Alphv/BlackCat data leak site has listed 16 fresh victims, according to Israeli threat intelligence firm Kela.

Multiple security experts have suggested that DarkSide, which went dark last summer after its politically disastrous attack against Colonial Pipeline in the U.S., later rebooted as BlackMatter and then by last November as Alphv/BlackCat (see: Ransomware: Alphv/BlackCat Is DarkSide/BlackMatter Reboot).

Requests for Information Sharing

The FBI alert, and request for details from targets or victims, highlights just how much the law enforcement approach to ransomware as well as cybercrime overall has changed compared to a decade ago, says attorney Guillermo Christensen, managing partner of the Washington office of law firm Ice Miller.

Unlike before, sharing information with the likes of the FBI "is much more the norm, and law enforcement has also become far more savvy about this," says Christensen, who regularly assists organizations with planning their ransomware defenses and incident response.

"They know what they need. They don't ask for the universe; they ask for things that can really help," he tells Information Security Media Group. "So you don't get the 'Well, we'd like to come in and image your servers' kind of requests, which most companies are not going to do. They ask instead for the telemetry, the logs, the indicators - as much for knowledge about how the bad guys got into the system."

Details about how attackers succeeded may be equally or more important to law enforcement authorities than the fact of their success, at least in terms of attempting to identify and disrupt the groups and individuals involved, Christensen says.

"What they did in the system is important, but how they came in is really key, because that's what they use to go back out and try to figure out who's involved," he says of law enforcement agencies. "Eventually, they aggregate all that and they hopefully find ways to either find them or block them or do something to them, which is invaluable."

Tracking Cryptocurrency Wallets

One benefit of this type of information sharing is that it can help law enforcement agencies and blockchain intelligence firms to better tie specific cryptocurrency wallet addresses to different groups.

In February, for example, blockchain analysis firm Chainalysis reported that it had so far identified $692 million known to have been received by ransomware addresses in 2020. That was a notable rise from the figure it first reported 12 months ago, thanks to law enforcement agencies and private intelligence firms having amassed fresh intelligence tying individual criminals or syndicates to specific wallet addresses.

Total cryptocurrency value flowing to known ransomware addresses; information current as of January and likely to change as new intelligence comes to light (Source: Chainalysis)

So far for 2021, Chainalysis says it has traced $602 million in payments to known ransomware addresses, and it expects that figure to increase significantly in the coming months (see: Ransomware Proceeds: $400 Million Routed to Russia in 2021).

Standard Defenses Still Required

Alphv/BlackCat ransomware is unusual in that it's coded in a secure programming language called Rust. Development experts have told ISMG that seeing a cybercrime operation embracing Rust is no surprise. In general, they say, using Rust - compared to coding in C++ - makes it easier to build working applications and produces applications that are faster, make more effective use of memory and are relatively difficult to reverse engineer (see: Why Ransomware Groups Such as BlackCat Are Turning to Rust).

Experts also caution that potential ransomware victims would do well to focus not on the language in which malware gets written, but rather on having the right types of defenses in place, which will be more likely to mitigate any attack involving crypto-locking malware.

In recent months, cybersecurity agencies in the U.S., U.K. and beyond have continued to issue alerts about the latest strains of ransomware, oftentimes backed by detailed defensive recommendations (see: Ransomware Alert: AvosLocker Hits Critical Infrastructure).

But in terms of defenses, such guidance remains long-standing. "Ransomware attacks have been increasing for four years. It is hard to believe that new warnings are necessary," says William Murray, a veteran management consultant and trainer in information assurance who specializes in policy, governance and applications. "Operators have had months to prepare. However, the continued success of these attacks suggest that many have failed to heed the warnings."

Murray says the basics of an effective ransomware defense remain little changed in recent years. For any organization that has yet to "heed the warnings," he recommends first focusing on these four steps.

  1. Revisit your backup and recovery plan such that you can recover entire applications and networks, rather than simply files, in hours to days.
  2. Implement strong user authentication - at least two kinds of evidence, at least one of which is resistant to replay attacks.
  3. Change your default access rule from "read/write" to "read only" for data and "execute only" for programs.
  4. Structure your network to resist lateral attacks from within; start by isolating browsing and email from mission critical applications.

The above should be achievable in months, if not weeks, Murray says. In the longer term, he recommends putting in place a robust zero trust approach as well as enforcing least privileged access across the organization.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.