The BlackCat ransomware group, previously known as ALPHV, is evolving its tactics, using stolen Microsoft credentials and the recently observed Sphynx encryptor to compromise data held in Azure cloud storage.
Adapting with New Tools
While investigating a recent breach, Sophos X-Ops analysts found that the attackers used an updated Sphynx variant that supports custom credentials being supplied to the malware. Using a One-Time Password (OTP) stolen from the victim's LastPass vault via its Chrome extension, they gained access to the victim's Sophos Central account. Once inside, they disabled Tamper Protection and modified the security policies. They then encrypted both the systems and the Azure cloud storage of Sophos' customer, appending a .zk09cvt extension to the locked files. In total, the BlackCat operators compromised 39 Azure Storage accounts.
Sophisticated Breach Techniques
The attackers reached the victim's Azure portal by abusing a stolen Azure key, which gave them access to the targeted storage accounts. This stolen key, Base64-encoded, was embedded in the ransomware binary. Throughout the intrusion they also used a range of Remote Monitoring and Management (RMM) tools, including AnyDesk, Splashtop, and Atera.
Sophos first identified the Sphynx variant in March 2023 while investigating a data breach closely resembling an incident detailed by IBM X-Force in May. Both breaches used the ExMatter tool for data exfiltration. More recently, Microsoft found that the new Sphynx encryptor incorporates the Remcom remote-command utility and the Impacket networking framework to support lateral movement within compromised networks.
The Rise and Evolution of BlackCat Ransomware
Since emerging in November 2021, BlackCat/ALPHV has been suspected of being a rebrand of the DarkSide/BlackMatter operation. Under the DarkSide name, the group drew global attention after the Colonial Pipeline attack, which triggered an immediate international law-enforcement response.
After rebranding as BlackMatter in July 2021, the group suffered a setback in November when law enforcement seized its servers and Emsisoft released a decryption tool that exploited a flaw in the ransomware. Nonetheless, the BlackCat ransomware group remains a prominent threat, continually refining its tactics.
In one recent tactic, the group used a public website to publish stolen data, allowing affected parties to check their exposure. To further streamline the distribution of stolen information, BlackCat launched a data leak API this past July.
Just this week, one of its affiliates, tracked as Scattered Spider, claimed responsibility for the breach of MGM Resorts. The group stated that it encrypted more than 100 ESXi hypervisors after MGM Resorts chose to shut down its internal infrastructure and refused to negotiate a ransom.
As of last April, an FBI alert attributed more than 60 successful attacks worldwide to the group between November 2021 and March 2022.