Jump to content
  • Sign Up
×
×
  • Create New...

Recommended Posts

  • Diamond Member

New version of ALPHV/BlackCat ransomware hits victims

The ******* States’ Cybersecurity and Infrastructure Security Agency (CISA) has issued an updated advisory warning of a new version of the ALPHV/BlackCat ransomware locker, which it has observed targeting organisations in the US, mainly in the healthcare sector.

The new guidance, which is published alongside various law enforcement agencies and

This is the hidden content, please
, forms part of CISA’s ongoing #StopRansomware campaign.

ALPHV/BlackCat was

This is the hidden content, please
in December 2023, but the ransomware operators were quick to shrug off the impact on themselves and the crew’s affiliates, which include the group known as Scattered Spider/Octo Tempest, the operation behind the autumn 2023 Las Vegas cyber attacks.

The new advisory updates a number of previous ones, most recently issued at the time of the FBI takedown, and reveals that the ransomware gang has been taking steps to recover,

“ALPHV/BlackCat actors have since employed improvised communication methods by creating victim-specific emails to notify of the initial compromise,” the advisory notes.

“Since mid-December 2023, of the nearly 70 leaked victims, the healthcare sector has been the most commonly victimised. This is likely in response to the ALPHV/BlackCat administrator’s post encouraging its affiliates to target hospitals after operational action against the group and its infrastructure in early December 2023.”

The advisory also details the release of the ALPHV/BlackCat 2.0 Sphynx update earlier in February. The new version of ALPHV/BlackCat has been rewritten to offer new features to affiliates, including better defence evasion capabilities and new tooling that lets it encrypt not just Windows and Linux devices, but also VMware environments.

ALPHV/BlackCat affiliates were previously notable for using advanced social engineering tactics to lay the groundwork for their ransomware attacks, often posing as the victim’s IT or helpdesk staff to obtain credentials, and this tactic does not seem to have changed.

After achieving access, the average affiliate uses a fairly standard playbook exploiting legitimate remote access tools and frameworks such as Brute Ratel and Cobalt Strike for command-and-control purposes, applications such as Metasploit to evade detection, and services such as Mega.nz and Dropbox to exfiltrate data prior to executing their locker.

Some affiliates have become exponents of the technique whereby no actual ransomware is deployed, and move straight to the data theft and extortion phase.

The advisory comes following

This is the hidden content, please
, a provider of payment and revenue management in ********* hospitals, which at the time of writing had disrupted pharmacy and other services in multiple parts of the country for over a week.

This ******* has been linked to ALPHV/BlackCat and there has been speculation that it may have arisen through exploitation of a critical zero-day in the ConnectWise ScreenConnect product.

“The cyber ******* on Change Healthcare, the largest healthcare payment exchange platform, has significantly impacted pharmacies nationwide, prompting the adoption of electronic workarounds,” Andrew Costis, chapter lead for

This is the hidden content, please
Adversary Research Team, told Computer Weekly via email.

“The vast amount of sensitive patient data stored within healthcare systems makes these organisations a dangerous target for ransomware groups, with the potential for far-reaching consequences. These attacks can cripple organisational operations and, more importantly, compromise patient health and safety. 

“Healthcare organisations must now prioritise validating their security controls against BlackCat’s TTPs as outlined in the ****** advisory leveraging the MITRE ATT&CK framework. By emulating the behaviours exhibited by BlackCat, organizations can assess their security postures and pinpoint any vulnerabilities. This proactive approach is essential to mitigate the risk of future attacks,” said Costis.



This is the hidden content, please

#version #ALPHVBlackCat #ransomware #hits #victims

This is the hidden content, please

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Vote for the server

    To vote for this server you must login.

    Jim Carrey Flirting GIF

  • Recently Browsing   0 members

    • No registered users viewing this page.

Important Information

Privacy Notice: We utilize cookies to optimize your browsing experience and analyze website traffic. By consenting, you acknowledge and agree to our Cookie Policy, ensuring your privacy preferences are respected.