December 21, 2021

ALPHV/BlackCat ransomware – Technical Information from Symantec

Industry: N/A | Level: Operational | Source: Symantec

Symantec examined the emerging ALPHV/BlackCat ransomware, which is written in the Rust programming language. In one observed attack chain, suspicious activity was identified on a victim network on November 3rd, 2021, leading to the ransomware's deployment on November 18th. Initial activity on November 3rd started with suspicious SMB requests, followed by a registry dump of the Local Security Authority (LSA). Shortly after, PsExec was executed and launched a command prompt that disabled ‘RestrictedAdmin mode’ in the registry. The activity was silent until November 18th, when PsExec disabled Windows Defender with PowerShell and added “*.exe” to an AV exclusion list. The ransomware was then deployed using PsExec. Symantec’s review of the samples identified that the attack was specifically targeted at the victim organization, as “victim’s administrative credentials are embedded as part of the configuration block”.

  • Anvilogic Scenario: Initial ALPHV/BlackCat Ransomware – Behaviors
  • Anvilogic Use Cases:
    • ProcDump Credential Harvest
    • Task Manager lsass Dump
    • Remote Admin Tools
    • Registry key added with reg.exe
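The attack chain summarized above (LSA registry dump, RestrictedAdmin registry change, Defender disabled and given an *.exe exclusion from PowerShell, PsExec execution) maps onto process-creation telemetry. The following is an added example, not Symantec's or Anvilogic's code, that runs one simple rule per step over constructed log records; the record format, the exact command shapes matched (reg.exe save/add, Set-MpPreference/Add-MpPreference) and the host names are assumptions.

```python
import re

# (rule name, regex on process image file name, regex on command line); all case-insensitive.
# Rules mirror the chain in the summary; the exact command shapes are assumptions.
RULES = [
    # "registry dump of the LSA": reg.exe saving the hives that hold LSA secrets
    ("lsa_hive_dump", r"^reg(\.exe)?$", r"\bsave\b.*\\(security|sam|system)\b"),
    # RestrictedAdmin mode toggled via the registry; any write to this value is notable
    ("restrictedadmin_registry_change", r"^reg(\.exe)?$",
     r"\badd\b.*control\\lsa\b.*disablerestrictedadmin"),
    # Defender switched off, or given an *.exe exclusion, from PowerShell
    ("defender_disabled", r"^(powershell|pwsh)(\.exe)?$",
     r"set-mppreference.*-disable\w+\s+\$?true"),
    ("defender_exe_exclusion", r"^(powershell|pwsh)(\.exe)?$",
     r"add-mppreference.*-exclusion\w*\s+['\"]?\*?\.?exe\b"),
    # PsExec launched at all (used here both for lateral movement and deployment)
    ("psexec_remote_exec", r"^psexe(c|svc)(\.exe)?$", r"."),
]

def parse_line(line):
    """Split 'timestamp|host|image path|command line' into fields (image reduced to file name)."""
    ts, host, image, cmdline = line.split("|", 3)
    return ts, host, image.rsplit("\\", 1)[-1], cmdline

def detect(log_lines):
    """Return (timestamp, host, rule name) for every record that matches a rule."""
    hits = []
    for line in log_lines:
        ts, host, image, cmdline = parse_line(line)
        for name, image_re, cmd_re in RULES:
            if re.search(image_re, image, re.I) and re.search(cmd_re, cmdline, re.I):
                hits.append((ts, host, name))
    return hits

# CONSTRUCTED sample records (timestamp|host|image|command line), not real telemetry.
SAMPLE_LOG = [
    "2021-11-03T10:12:01|WS01|C:\\Windows\\System32\\reg.exe|reg save HKLM\\SECURITY C:\\temp\\sec.hiv",
    "2021-11-03T10:14:30|WS01|C:\\Windows\\System32\\reg.exe|"
    "reg add HKLM\\System\\CurrentControlSet\\Control\\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f",
    "2021-11-18T08:01:05|SRV02|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "powershell Set-MpPreference -DisableRealtimeMonitoring $true",
    "2021-11-18T08:01:09|SRV02|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "powershell Add-MpPreference -ExclusionPath '*.exe'",
    "2021-11-18T08:03:44|SRV02|C:\\Tools\\PsExec.exe|PsExec.exe \\\\SRV03 -s cmd /c C:\\temp\\payload.exe",
    "2021-11-18T09:00:00|SRV02|C:\\Windows\\System32\\notepad.exe|notepad.exe C:\\notes.txt",
]

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

Correlating hits from the first three rules on one host within a short window, rather than alerting on any single rule, keeps the benign reg.exe and PowerShell administration noise down while still surfacing this chain.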