ALPHV: Breaking down the complexity of the most sophisticated ransomware

In our new threat intelligence report, Forescout’s Vedere Labs describes how it analyzed files and tools used by a subsidiary of the ALPHV ransomware group during an attack. ALPHV, also known as BlackCat, is a Ransomware-as-a-Service gang that was first discovered in November 2021. This gang has affected more than 60 organizations and large companies and is distinguished by its use of ransomware written in Rust, a payload binary built for each specific target, and support for both Windows and Linux variants, including specific functionality for VMware ESXi hosts.

Previous reports noted that the group was likely created by former members of other hacking groups, such as BlackMatter, REvil, and DarkSide. Their preference for attacking network infrastructure devices and hosts with exposed RDP has also been documented.

ALPHV has become widely known as “the most sophisticated ransomware of 2021”. On April 19, 2022, the FBI issued an alert highlighting known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with ALPHV.

Vedere Labs analyzed files and tools used by a subsidiary of the ALPHV ransomware group in an attack involving two separate exploits: penetrating a SonicWall firewall exposed to the Internet to gain initial network access, then moving laterally and encrypting a VMware ESXi virtual farm.

New findings break down the malware’s sophisticated behavior and outline ways to avoid damage, including:

  • A description of how to extract the malware’s embedded configuration file, which contains information that can be used in incident response, such as collected credentials or virtual machines spared from encryption.
  • The most detailed analysis of ALPHV’s encryption behavior to date, including a description of a previously unreported communication protocol used to distribute encryption work between multiple instances of the malware. This is the first time we’ve seen this behavior in ransomware, once again demonstrating the ingenuity of ALPHV.
  • An error-handling bug that could be used to prevent encryption on Linux targets by placing a dummy esxcli on the host.

This new briefing presents a technical analysis of the incident focusing on initial access via SonicWall SRA and the ALPHV ransomware sample deployed on an ESXi server. From this analysis, we extract indicators of compromise and mitigation recommendations to help network defenders detect and mitigate attacks from ALPHV and other similar ransomware groups.

ALPHV is, alongside Conti and LockBit, currently one of the most dangerous and active ransomware groups. They take great pride in the complexity of their ransomware, and just as they recently added encryption to their binaries’ setup, we expect them to continue adding features that make doing business easier for their affiliates and detection more difficult for defenders.

Ultimately, these new features could include different tactics and techniques that threaten even more organizations in new ways. It is therefore imperative that organizations use the IOCs we share to search for and detect ransomware currently in their networks, but it is also important to track the information about new threats that we share with the community.

Forescout recommends that organizations use the following steps to mitigate risk:

  • Patch network infrastructure devices, especially those exposed to the Internet, as they are often used for initial access.
  • Monitor external access from unknown IP addresses.
  • Check for known IOCs in the network.
  • Consider using network segmentation policies to isolate and restrict devices and so limit attacker lateral movement.
  • Maintain server backups, including virtual machine snapshots.

For more information and technical analysis, read the full report.


The post ALPHV: Breaking the Complexity of the Most Sophisticated Ransomware appeared first on Forescout.

*** This is a syndicated blog from Forescout’s Security Bloggers Network written by Stanislav Dashevskyi. Read the original post at:

Sharon D. Cole