US healthcare alerted towards BlackCat amid focused assaults

ALPHV, also known as the BlackCat ransomware gang, is targeting US healthcare systems, according to a joint cybersecurity advisory from the FBI, CISA, and the Department of Health and Human Services (HHS).

The advisory, published as part of the #StopRansomware effort, which issues advisories on various ransomware variants and actors, also detailed new TTPs the group has been using since its return from an international law enforcement takedown in Dec 2023.

BlackCat, also tracked as Noberus, is a Russia-based threat actor group that primarily operates a ransomware-as-a-service (RaaS) model, with its ransomware written in the Rust programming language. The group first surfaced in Nov 2021 as a possible rebranding of DarkSide, the ransomware actor responsible for the Aug 2020 cyberattack on Georgia-based Colonial Pipeline.

The gang, known to use social engineering techniques and open source research on a company to gain initial access, is likely using the actively exploited, critical ScreenConnect authentication bypass vulnerability as a new infection method, the advisory's indicators of compromise (IOCs) confirm.

"After gaining access to a victim network, ALPHV Blackcat affiliates deploy remote access software such as AnyDesk, Mega sync, and Splashtop in preparation of data exfiltration," the advisory said. "ALPHV Blackcat affiliates claim to use Brute Ratel C4 and Cobalt Strike as beacons to command and control servers. (They) also use the open-source adversary-in-the-middle attack framework Evilginx2, which allows them to obtain multifactor authentication (MFA) credentials, login credentials, and session cookies."
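One defender-side check that follows from the TTPs quoted above, as an added example that is not part of the advisory or this article: flag the remote-access and sync tools it names when they launch on hosts where they are not sanctioned, and raise the severity when more than one appears on the same host. The event format, the executable names and the allow-list are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Executable names commonly associated with the tools the advisory names.
# Assumed for illustration; replace with your own software inventory.
TOOL_PATTERNS = {
    "AnyDesk": re.compile(r"anydesk(\.exe)?", re.I),
    "Splashtop": re.compile(r"(splashtop.*|srservice|srmanager)(\.exe)?", re.I),
    "MEGAsync": re.compile(r"megasync(\.exe)?", re.I),
}

# Hosts where remote-access software is sanctioned (assumed allow-list).
APPROVED_HOSTS = {"helpdesk-01"}

# Constructed process-creation events in a simplified Sysmon-like layout:
# "<timestamp> host=<name> user=<name> image=<full path>"
SAMPLE_EVENTS = [
    r"2024-02-27T09:12:03Z host=fin-ws-17 user=jdoe image=C:\Users\jdoe\AppData\Local\Temp\AnyDesk.exe",
    r"2024-02-27T09:14:41Z host=fin-ws-17 user=jdoe image=C:\Users\jdoe\AppData\Local\MEGAsync\MEGAsync.exe",
    r"2024-02-27T09:20:10Z host=helpdesk-01 user=svc_it image=C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe",
    r"2024-02-27T09:31:55Z host=hr-ws-03 user=asmith image=C:\Windows\System32\notepad.exe",
    r"2024-02-27T09:45:02Z host=lab-ws-08 user=mlee image=C:\Users\mlee\Downloads\splashtop_streamer.exe",
]

LINE_RE = re.compile(r"^(\S+) host=(\S+) user=(\S+) image=(.+)$")


def classify(image_path):
    """Return the tool family for a process image path, or None if not a tool of interest."""
    exe = image_path.replace("\\", "/").rsplit("/", 1)[-1]
    for name, pattern in TOOL_PATTERNS.items():
        if pattern.fullmatch(exe):
            return name
    return None


def detect(lines):
    """Return one alert per non-approved host that launched any of the tools.

    Several distinct tool families on one host (e.g. a remote-access tool plus a
    sync client, the pairing the advisory describes) is rated "high".
    """
    seen = defaultdict(set)
    for line in lines:
        match = LINE_RE.match(line)
        if not match:
            continue  # skip lines that do not fit the expected layout
        _ts, host, _user, image = match.groups()
        family = classify(image)
        if family and host not in APPROVED_HOSTS:
            seen[host].add(family)
    return [
        {"host": host, "tools": sorted(fams), "severity": "high" if len(fams) > 1 else "medium"}
        for host, fams in sorted(seen.items())
    ]
```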

After a coordinated takedown by authorities in Dec 2023, which allowed the FBI to develop a decryptor and offer it to 500 BlackCat victims so they could restore their systems, the group quickly regained access to the seized servers and sites and shifted operations to a new Tor leak site.
