ALPHV Ransomware Hits North Carolina A&T University

April 12, 2022


Industry: Education | Level: Strategic | Source: TheRecord

ALPHV/BlackCat ransomware has compromised North Carolina A&T University, which has appeared on the ransomware group’s victim site. The attack appears to have occurred between March 7th and 11th, with the attackers taking advantage of reduced staffing during the university’s spring break. As reported by The Record, the attack disrupted network services including “wireless connections, Blackboard instruction, single sign-on websites, VPN, Jabber, Qualtrics, Banner Document Management and Chrome River. Some of the services are still down.” In addition, personal information was compromised, including social security numbers, financial data, and SQL and email database information. The university is still recovering from the attack, with services slowly being restored; however, the impact has affected students, some of whom are unable to complete class assignments or participate in class, with sessions being canceled due to the ongoing issues.

Cisco Talos Analyzes BlackCat RaaS

March 22, 2022


Industry: N/A | Level: Tactical | Source: Cisco Talos

Cisco Talos reports on BlackCat (aka ALPHV), the notorious Ransomware-as-a-Service (RaaS) group that has been active in the cyber threat landscape since November 2021. The threat group has since compromised many companies globally, with over 30% based in the US. BlackCat was initially thought to be a rebrand of the BlackMatter and DarkSide ransomware groups, but this was identified to be false: in an interview conducted by Recorded Future, a BlackCat representative shared that the group consists of many affiliates, some of them former BlackMatter and DarkSide affiliates. Cisco Talos’s analysis of BlackCat campaigns in September and December found overlapping TTPs and a common attack flow. As stated by Cisco Talos, “In terms of attack flow, the attacks were similar to other human-operated ransomware attacks: initial compromise, followed by an exploration and data exfiltration phase, then attack preparation and finally, the attack execution.”

  • Anvilogic Use Cases:
    • Alternate Data Streams
    • Create/Modify Schtasks
    • Registry key added with reg.exe
    • Tunnel connection on local host
    • Rundll32 Command Line
    • Common LSASS Memory Dump Behavior
    • ProcDump Credential Harvest
    • comsvcs.dll Lsass Memory Dump
    • Windows Admin$ Share Access
    • Impacket/Empire’s WMIExec
    • Windows Firewall Rule Creation

Ransomware Targets European Oil and Chemical Sectors

February 08, 2022

As reported by The Record, a series of ransomware attacks has been targeting oil and chemical suppliers in Belgium, the Netherlands and Germany. While the attacks have not been confirmed as linked, European officials investigating the matter have associated them with the BlackCat and Conti ransomware groups.

Moncler – Ransomware Attack

January 25, 2022


Industry: Retail | Level: Strategic | Source: DocumentCloud – Moncler

In December 2021, Italian fashion giant Moncler disclosed a data breach resulting from a ransomware attack by ALPHV/BlackCat. The attack disrupted operations, causing a temporary outage, and shipments had to be prioritized once logistics systems were reactivated. The types of stolen data are unknown; however, Moncler confirms it relates to customers, employees, former employees, suppliers, consultants, and business partners. The company also confirms that payment information was not compromised. Moncler refused to pay the ransom, stating that payment would “be against its founding principles.”

ALPHV/BlackCat ransomware – Technical Information from Symantec

December 21, 2021


Industry: N/A | Level: Operational | Source: Symantec

The emerging ALPHV/BlackCat ransomware, written in the Rust programming language, was examined by Symantec. In an observed attack chain, suspicious activity was identified on a victim network on November 3rd, 2021, leading to the ransomware’s deployment on November 18th. Initial activity on November 3rd started with suspicious SMB requests, followed by a registry dump of the Local Security Authority (LSA). Shortly after, PsExec launched a command prompt that disabled ‘RestrictedAdmin mode’ in the registry. The activity then went quiet until November 18th, when PsExec was used to disable Windows Defender with PowerShell and add “*.exe” to an AV exclusion list. The ransomware was then deployed using PsExec. Symantec’s review of the samples identified that the attack was specifically targeted at the victim organization, as the “victim’s administrative credentials are embedded as part of the configuration block”.

  • Anvilogic Scenario: Initial ALPHV/BlackCat Ransomware – Behaviors
  • Anvilogic Use Cases:
    • ProcDump Credential Harvest
    • Task Manager lsass Dump
    • Remote Admin Tools
    • Registry key added with reg.exe
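To make the use cases listed for the Symantec and Cisco Talos items concrete, here is an added example (not code from this page, from Anvilogic, Symantec or Cisco Talos) of detection logic for the host behaviours in the Symantec attack chain, run over constructed process-creation events. The event schema (`ts`, `host`, `parent`, `image`, `cmdline`), the rule names and every sample event are assumptions made for this illustration; the `HKLM\System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin` value is the real registry setting behind RestrictedAdmin mode. The example goes slightly beyond the page by correlating per-event rule hits into a per-host scenario, which is what separates a lone PsExec shell on one host from the full chain seen on another.

```python
"""Detection logic for the host behaviours in the Symantec and Cisco Talos write-ups:
PsExec spawning a shell, a reg.exe write to the LSA DisableRestrictedAdmin value,
PowerShell tampering with Windows Defender, and an LSASS memory dump. Per-event
rules fire individually; a host is escalated to the scenario only when several
distinct behaviours appear on it. Event schema and all sample data are constructed."""
import re
from collections import defaultdict

# Constructed process-creation events (Sysmon event 1 style, hypothetical schema).
# The November 3rd / 18th split mirrors the timeline in the Symantec write-up.
SAMPLE_EVENTS = [
    {"ts": "2021-11-03T10:02:00Z", "host": "WS01", "parent": "PSEXESVC.exe",
     "image": "cmd.exe", "cmdline": "cmd.exe"},
    {"ts": "2021-11-03T10:03:00Z", "host": "WS01", "parent": "cmd.exe",
     "image": "reg.exe",
     "cmdline": r"reg add HKLM\System\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f"},
    {"ts": "2021-11-18T08:41:00Z", "host": "WS01", "parent": "PSEXESVC.exe",
     "image": "powershell.exe",
     "cmdline": 'powershell.exe -c "Set-MpPreference -DisableRealtimeMonitoring $true; Add-MpPreference -ExclusionExtension exe"'},
    {"ts": "2021-11-18T08:45:00Z", "host": "WS01", "parent": "cmd.exe",
     "image": "procdump64.exe", "cmdline": "procdump64.exe -accepteula -ma lsass.exe C:\\Temp\\out.dmp"},
    # Benign administrator activity: a read-only registry query with no PsExec parent.
    {"ts": "2021-11-18T09:00:00Z", "host": "ADMIN-PC", "parent": "explorer.exe",
     "image": "reg.exe", "cmdline": r"reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run"},
    # A single PsExec-launched shell on another host: a low-severity hit, not the scenario.
    {"ts": "2021-11-18T09:05:00Z", "host": "WS07", "parent": "PSEXESVC.exe",
     "image": "cmd.exe", "cmdline": "cmd.exe /c ipconfig /all"},
]

SHELLS = {"cmd.exe", "powershell.exe"}


def remote_admin_tools(ev):
    """PsExec's service process spawning an interactive shell on the target."""
    return ev["parent"].lower() == "psexesvc.exe" and ev["image"].lower() in SHELLS


RESTRICTED_ADMIN = re.compile(r"\b(add|delete)\b.*\\Lsa\b.*DisableRestrictedAdmin", re.I)


def reg_restricted_admin(ev):
    """reg.exe writing the LSA DisableRestrictedAdmin value, in either direction."""
    return ev["image"].lower() == "reg.exe" and RESTRICTED_ADMIN.search(ev["cmdline"]) is not None


DEFENDER_TAMPER = re.compile(r"(Set|Add)-MpPreference\b.*(DisableRealtimeMonitoring|-Exclusion\w*)", re.I)


def defender_tampering(ev):
    """PowerShell turning off real-time protection or adding Defender exclusions."""
    return ev["image"].lower() == "powershell.exe" and DEFENDER_TAMPER.search(ev["cmdline"]) is not None


def lsass_dump(ev):
    """ProcDump pointed at lsass, or rundll32 invoking comsvcs.dll MiniDump."""
    image, cmd = ev["image"].lower(), ev["cmdline"].lower()
    if image.startswith("procdump") and "lsass" in cmd:
        return True
    return image == "rundll32.exe" and "comsvcs.dll" in cmd and "minidump" in cmd


# Rule names mirror the use case names on this page; the pairing is an assumption.
RULES = [
    ("Remote Admin Tools", remote_admin_tools),
    ("Registry key added with reg.exe", reg_restricted_admin),
    ("Windows Defender Tampering", defender_tampering),
    ("ProcDump / comsvcs.dll Lsass Memory Dump", lsass_dump),
]


def match_event(ev):
    """Names of every rule the event satisfies (one event may satisfy several)."""
    return [name for name, pred in RULES if pred(ev)]


def evaluate(events):
    """Map host -> chronologically ordered (timestamp, rule name) hits."""
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        for name in match_event(ev):
            hits[ev["host"]].append((ev["ts"], name))
    return dict(hits)


def scenario_hosts(hits, min_distinct=2):
    """Hosts on which at least `min_distinct` different behaviours were observed."""
    return sorted(host for host, rows in hits.items()
                  if len({name for _, name in rows}) >= min_distinct)


if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for host, rows in found.items():
        for ts, name in rows:
            print(f"{host} {ts} {name}")
    print("scenario hosts:", scenario_hosts(found))
```

Run stand-alone, the script lists every rule hit per host and then names only WS01 as a scenario host: the PsExec shell on WS07 and the benign `reg query` on ADMIN-PC never accumulate a second distinct behaviour. Raising `min_distinct` trades recall for precision; in a real pipeline the timestamps would also bound the correlation window rather than spanning the whole feed as here.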