BlackCat Creates Site for Victims to Query for Stolen Data

June 21, 2022

Industry: N/A | Level: Strategic | Source: BleepingComputer

The BlackCat/ALPHV ransomware gang has added pressure on organizations to pay ransoms by creating a site on which a victim's employees and customers can check whether their data was stolen. The tactic was observed by Emsisoft security analyst Brett Callow, who discovered it while reviewing BlackCat’s latest attack against a hotel and spa company located in Oregon. The gang was able to obtain 112GB of data in the attack, including employee data and 1,500 Social Security numbers associated with employees. The site where victims can individually query whether they have been impacted includes sections for “Employee data” and “Guest data.” The employee data is the more sensitive of the two, as BleepingComputer notes: “While the customer guest data only contains names, arrival date, and stay costs, the employee data includes extremely sensitive information, such as names, Social Security Numbers, date of birth, phone numbers, and email addresses.” Victims are also at risk of the data being exposed in search results once the site is indexed and becomes queryable by search engines.

Analysis of Lockbit 2.0 Impact

June 14, 2022

Industries: Construction, Federal Government, Real Estate, High Tech, Manufacturing, Professional, Legal, Wholesale & Retail | Level: Tactical | Source: Unit42

Palo Alto Networks Unit 42 shared its investigation of Lockbit 2.0, which the security team labeled the “most impactful and widely deployed ransomware” of 2022. The numbers back up the claim: Lockbit 2.0 was responsible for 46% of the ransomware breaches tracked in 2022. Deployments of other ransomware strains are considerably lower, with Conti in second place at 17% and BlackCat/ALPHV at 10%. Lockbit has listed over 850 victims on its data leak site. In terms of victimology, the group heavily targets the United States, which accounts for 49.6% of its victim base, with Italy a distant second at 9.6% and Germany third at 7.9%. Industry impact is broad; the top five targeted sectors are led by professional and legal at 45.6%, construction at 12.8%, wholesale and retail at 11.3%, and manufacturing at 10.2%. The operators appear to be running campaigns more ruthlessly, as dwell times have decreased, leading to quicker ransomware deployment. Flexibility in payment negotiations also appears to have lowered, with ransom payments landing closer to the initial asking price rather than dropping during negotiations. By all indications Lockbit is not slowing down, as the group has been identified developing Lockbit 3.0 with stronger encryption processes.

Anvilogic Use Cases:

  • Potential Web Shell
  • Encoded Powershell Command
  • Create/Modify Schtasks
  • Remote Admin Tools
  • Create/Add Local/Domain User
  • Clear Windows Event Logs
  • Service Stop Commands
  • Modify Windows Defender
  • Windows Defender Disabled Detection
  • Mimikatz
  • Adfind Execution
  • AVL_UC6146 – Adfind Commands
  • Cobalt Strike Beacon
  • Rclone Execution

BlackCat Ransomware Strikes Carinthia

May 31, 2022

Industry: Government | Level: Strategic | Source: Euractiv

The ALPHV/BlackCat ransomware gang struck the southern Austrian state of Carinthia with ransomware on Tuesday, May 24th, 2022, demanding a $5 million ransom. As reported by European media outlet Euractiv, services impacted by the attack include the state’s website, email, the issuing of passports and traffic fines, and COVID-19 testing and contact tracing. Gerd Kurath, head of Carinthia’s press service, stated that the state is unwilling to meet the threat actor’s demands, given that no indication of data compromise was found and the data remained available on backup systems. Restoration of services across the 3,000 impacted systems is expected by Friday, May 27th, 2022.

Conti Group is Defunct

May 24, 2022

AdvIntel, well known for tracking Conti activity, has identified the shutdown of Conti ransom operations, as critical ransom features were found to have been removed from the infamous Conti News blog.

Trend Micro Analyzes BlackCat Ransomware

April 26, 2022

Industry: N/A | Level: Tactical | Source: Trend Micro

Trend Micro shares details of an incident involving BlackCat ransomware to provide insight into the infection sequence. The incident was first identified through suspicious web shells on Microsoft Exchange servers, placed after exploitation of the ProxyLogon and ProxyShell vulnerabilities. PowerShell was then spawned from the Internet Information Services (IIS) worker process (w3wp.exe) to download a Cobalt Strike Beacon and a DLL file that was executed with rundll32.exe. Through process injection into the Windows Error Reporting process, WerFault.exe, the attackers ran discovery commands, used CrackMapExec to dump NTDS.dit for credential access, and spread laterally through the environment over SMB. Prior to ransomware execution the attackers launched batch scripts; however, the scripts were not captured by Trend Micro for analysis.

  • Anvilogic Scenario: BlackCat Ransomware: Post-Exploitation of Exchange
  • Anvilogic Use Cases:
    • Exchange New Export Request
    • Potential Web Shell
    • Potential ProxyShell
    • IIS Worker (W3WP) Spawn Command Line
    • Suspicious File written to Disk
    • Rundll32 Command Line
    • Common Active Directory Commands
    • SharpHound Enumeration
    • SharpHound Keywords
    • Python Execution
    • Rare Remote Thread
    • NTDSUtil.exe execution
    • Potential Lateral Movement via SMB
    • Executable Create Script Process
    • Encoded Powershell Command
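As an added, illustrative example (not code from Trend Micro or Anvilogic), the following Python checks process-creation events against three of the use cases listed above: the IIS worker spawning a shell, an encoded PowerShell command, and rundll32 loading a DLL from a user-writable path. The field names, paths and command lines are all constructed sample data.

```python
# Added example: a small detector for the Exchange post-exploitation chain
# described above. Events use Sysmon Event ID 1 style fields (parent, image,
# command line); all values below are constructed samples, not real telemetry.
import re

EVENTS = [
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\Public\payload.dll,Start"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmd": "notepad.exe report.txt"},
]

SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe")
# -e / -enc / -EncodedCommand followed by a base64 blob of 20+ characters
ENC_RE = re.compile(r"\s-(?:e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)
# Directory fragments a low-privileged user can write to (heuristic, not exhaustive)
USER_WRITABLE = (r"\users\public", r"\appdata\local", r"\appdata\roaming",
                 r"\programdata", r"\temp")


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return the names of the use cases an event triggers (empty if benign)."""
    hits = []
    parent, image, cmd = basename(ev["parent"]), basename(ev["image"]), ev["cmd"]
    if parent == "w3wp.exe" and image in SHELLS:
        hits.append("IIS Worker (W3WP) Spawn Command Line")
    if image in ("powershell.exe", "pwsh.exe") and ENC_RE.search(cmd):
        hits.append("Encoded Powershell Command")
    if image == "rundll32.exe" and any(p in cmd.lower() for p in USER_WRITABLE):
        hits.append("Rundll32 Command Line")
    return hits


def run(events=EVENTS):
    """Map each suspicious event's command line to the detections it fired."""
    return {ev["cmd"]: classify(ev) for ev in events if classify(ev)}
```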

BlackCat Breaches Florida International University

April 19, 2022

Industry: Education | Level: Strategic | Source: TheRecord

The BlackCat (ALPHV) ransomware group has breached Florida International University (FIU), compromising approximately 1.2TB of data. As reported by The Record, the group claims data belonging to essentially all university personnel, including students, teachers, and staff, along with data associated with contracts, accounting documents, Social Security numbers, email databases and other information. A statement from FIU acknowledged the ransomware group’s claim but denied that data was breached, stating the investigation is ongoing. The message from the university reads: “Today, a ransomware group posted that sensitive FIU data had been exfiltrated. We have been investigating and there is no indication thus far that sensitive information has been compromised. At this time, no further information is available.”

Mandiant’s Research of FIN7

April 12, 2022

Industry: Financial Services, Food, Medical, Technology, Transportation, Utilities | Level: Tactical | Source: Mandiant

Mandiant provided updated research tracking the evolution of threat activity from the threat group FIN7 from late 2021 to early 2022. The group overlaps with many ransomware operations, including Maze, Darkside, Blackmatter and ALPHV/Blackcat. As Mandiant puts it, the link between FIN7 and ransomware is identified through “Data theft extortion or ransomware deployment following FIN7-attributed activity at multiple organizations, as well as technical overlaps, suggests that FIN7 actors have been associated with various ransomware operations over time.” FIN7 targets a variety of industries, including financial services, food, medical, technology, transportation, and utilities. Activity associated with FIN7 is abundant, and Mandiant has been tracking multiple UNCs (uncategorized threat groups) that appear to be affiliated with FIN7. The group has continuously refined its arsenal; for example, its PowerShell backdoor called PowerPlant has gone through multiple iterations since 2022 and has been observed more frequently in newer intrusions than older malware such as LOADOUT and GRIFFON.

  • Anvilogic Use Cases:
    • Suspicious Executable by CMD.exe
    • Windows Admin$ Share Access
    • Windows Service Created
    • Executable Process from Suspicious Folder
    • Common Reconnaissance Commands
    • RDP Connection
    • RDP Logon/Logoff Event
    • Rundll32 Command Line
    • Create/Add Local/Domain User
    • Query Registry