The FBI has issued a warning on the BlackCat/ALPHV ransomware-as-a-service (RaaS) operation, which is currently on the prowl. The malware family has compromised at least sixty organizations worldwide, with attacks running from November 2021 through March this year.
In its flash report, the FBI detailed the indicators of compromise (IOCs), tactics, techniques and procedures (TTPs), and mitigation strategies pertaining to a BlackCat ransomware attack. It noted that the malware “leverages previously compromised user credentials to gain initial access to the victim system. Once the malware establishes access, it compromises Active Directory user and administrator accounts.
The malware uses Windows Task Scheduler to configure malicious Group Policy Objects (GPOs) to deploy ransomware. Initial deployment of the malware leverages PowerShell scripts, in conjunction with Cobalt Strike, and disables security features within the victim’s network. BlackCat/ALPHV ransomware also leverages Windows administrative tools and Microsoft Sysinternals tools during compromise.”
The disclosure came in the wake of reports published by Cisco Talos and Kaspersky that established links between the BlackCat and BlackMatter ransomware families. On April 22, Forescout’s Vedere Labs published an analysis of a recent BlackCat ransomware incident in which the attack featured two notable techniques:
- Breaching an Internet-exposed SonicWall firewall to gain unauthorized access to the network.
- Moving laterally to a VMware ESXi virtual farm and encrypting it.
As mitigations, the FBI recommended, among other measures, keeping regular offline data backups and reviewing domain controllers, servers, workstations and Active Directory for new or unrecognized user accounts.
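The TTPs quoted from the FBI flash (new or elevated AD accounts, a scheduled task on a domain controller, a GPO edit, PowerShell that switches off defences) and the recommended review of domain controllers and Active Directory map directly onto Windows event IDs a defender already collects. The script below is an added example written for this article; it is not code from the FBI, Forescout or any of the vendors named above. It runs simple rules over constructed Security and PowerShell Operational event records (the field names are simplified from what the real logs carry, and the allowlist, group names and tamper patterns are assumptions) and then escalates when one account trips two or more rules inside an hour, which is the chain the flash describes.

```python
"""Hunt constructed Windows event records for the BlackCat/ALPHV TTPs the FBI
flash describes. Added example, not code from the article or the FBI.
Event IDs are the standard ones (Security 4720, 4728, 4698, 5136;
PowerShell Operational 4104); field names are simplified (assumption).
"""
import re
from datetime import datetime, timedelta

# Assumed change-managed allowlist: account creations the admins expect.
APPROVED_NEW_ACCOUNTS = {"svc-backup-2022"}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
# Defence-disabling PowerShell patterns (assumption: common, not exhaustive).
DEFENCE_TAMPER = re.compile(
    r"Set-MpPreference\s+-Disable|-EncodedCommand|-enc\s|"
    r"Stop-Service\s+\S*(Defender|Sense)", re.IGNORECASE)
# Script hosts an attacker would wire into a scheduled task.
TASK_RUNNER = re.compile(
    r"\b(powershell|pwsh|cmd|wscript|cscript|mshta)(\.exe)?\b", re.IGNORECASE)

# Constructed sample telemetry, not from a real incident. "jdoe" plays the
# previously compromised credential; "helpdesk$2" is the account it creates.
SAMPLE_EVENTS = [
    {"EventID": 4720, "Time": "2022-03-01T02:10:00", "Computer": "DC01",
     "SubjectUserName": "jdoe", "TargetUserName": "svc-backup-2022"},
    {"EventID": 4720, "Time": "2022-03-01T02:12:00", "Computer": "DC01",
     "SubjectUserName": "jdoe", "TargetUserName": "helpdesk$2"},
    {"EventID": 4728, "Time": "2022-03-01T02:13:00", "Computer": "DC01",
     "SubjectUserName": "jdoe", "TargetUserName": "helpdesk$2",
     "TargetGroup": "Domain Admins"},
    {"EventID": 4698, "Time": "2022-03-01T02:20:00", "Computer": "DC01",
     "SubjectUserName": "helpdesk$2", "TaskName": "\\Microsoft\\Windows\\Sync",
     "TaskCommand": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"EventID": 5136, "Time": "2022-03-01T02:21:00", "Computer": "DC01",
     "SubjectUserName": "helpdesk$2", "ObjectClass": "groupPolicyContainer",
     "ObjectDN": "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,"
                 "CN=System,DC=corp,DC=local", "Attribute": "gPCFileSysPath"},
    {"EventID": 4104, "Time": "2022-03-01T02:25:00", "Computer": "FS01",
     "SubjectUserName": "helpdesk$2",
     "ScriptBlockText": "Set-MpPreference -DisableRealtimeMonitoring $true"},
    # Benign noise: a backup task on a workstation and an ordinary script block.
    {"EventID": 4698, "Time": "2022-03-01T09:00:00", "Computer": "WS17",
     "SubjectUserName": "asmith", "TaskName": "\\Backup",
     "TaskCommand": "C:\\Program Files\\Backup\\agent.exe"},
    {"EventID": 4104, "Time": "2022-03-01T09:05:00", "Computer": "WS17",
     "SubjectUserName": "asmith", "ScriptBlockText": "Get-Process | Sort CPU"},
]


def hunt(events, domain_controllers):
    """Return (rule, event) pairs for events matching one of the FBI TTPs."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 4720 and ev["TargetUserName"] not in APPROVED_NEW_ACCOUNTS:
            findings.append(("unapproved-account-created", ev))
        elif eid == 4728 and ev["TargetGroup"] in PRIVILEGED_GROUPS:
            findings.append(("privileged-group-addition", ev))
        elif eid == 5136 and ev["ObjectClass"] == "groupPolicyContainer":
            findings.append(("gpo-modified", ev))
        elif (eid == 4698 and ev["Computer"] in domain_controllers
              and TASK_RUNNER.search(ev["TaskCommand"])):
            findings.append(("script-task-on-dc", ev))
        elif eid == 4104 and DEFENCE_TAMPER.search(ev["ScriptBlockText"]):
            findings.append(("defence-tampering-powershell", ev))
    return findings


def chain_by_actor(findings, window=timedelta(hours=1)):
    """Escalate actors that trip two or more distinct rules within `window`.

    Returns {actor: sorted list of rule names seen inside some window}.
    """
    by_actor = {}
    for rule, ev in findings:
        by_actor.setdefault(ev["SubjectUserName"], []).append(
            (datetime.fromisoformat(ev["Time"]), rule))
    chains = {}
    for actor, hits in by_actor.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):          # sliding window
            rules = {r for t, r in hits[i:] if t - start <= window}
            if len(rules) >= 2:
                chains[actor] = sorted(rules | set(chains.get(actor, [])))
    return chains


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS, domain_controllers={"DC01"})
    for rule, ev in found:
        print(f"{ev['Time']} {ev['Computer']:5} {ev['SubjectUserName']:12} {rule}")
    for actor, rules in chain_by_actor(found).items():
        print(f"ESCALATE {actor}: {', '.join(rules)}")
```

The single-event rules are deliberately loose (a GPO edit or a new account is routine on its own); the value is in `chain_by_actor`, which turns five low-confidence hits into two escalations: the compromised credential that created and elevated an account, and that new account going on to create a script task on the DC, touch a GPO and disable real-time protection. In a real deployment the allowlist, the domain-controller set and the tamper patterns would come from configuration rather than constants.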