New version of ALPHV/BlackCat ransomware hits victims
Posted March 16 by Pelican Press

The United States' Cybersecurity and Infrastructure Security Agency (CISA) has issued an updated advisory warning of a new version of the ALPHV/BlackCat ransomware locker, which it has observed targeting organisations in the US, mainly in the healthcare sector. The new guidance, published jointly with various law enforcement agencies, forms part of CISA's ongoing #StopRansomware campaign.

ALPHV/BlackCat's infrastructure was taken down by the FBI in December 2023, but the ransomware operators were quick to shrug off the impact on themselves and on the crew's affiliates, which include the group known as Scattered Spider/Octo Tempest, the operation behind the autumn 2023 Las Vegas cyber attacks.

The new advisory updates a number of previous ones, most recently the one issued at the time of the FBI takedown, and reveals that the ransomware gang has been taking steps to recover.

"ALPHV/BlackCat actors have since employed improvised communication methods by creating victim-specific emails to notify of the initial compromise," the advisory notes. "Since mid-December 2023, of the nearly 70 leaked victims, the healthcare sector has been the most commonly victimised. This is likely in response to the ALPHV/BlackCat administrator's post encouraging its affiliates to target hospitals after operational action against the group and its infrastructure in early December 2023."

The advisory also details the ALPHV/BlackCat 2.0 Sphynx update, released in February 2023. That version was rewritten to offer new features to affiliates, including better defence-evasion capabilities and new tooling that lets it encrypt not just Windows and Linux devices but also VMware environments.
ALPHV/BlackCat affiliates were previously notable for using advanced social engineering to lay the groundwork for their attacks, often posing as the victim's IT or helpdesk staff to obtain credentials, and this tactic does not seem to have changed. After gaining access, the typical affiliate follows a fairly standard playbook: legitimate remote access tools and command-and-control frameworks such as Brute Ratel and Cobalt Strike, applications such as Metasploit to evade detection, and cloud storage services such as Mega.nz and Dropbox to exfiltrate data before executing the locker. Some affiliates have adopted an extortion-only approach, deploying no ransomware at all and moving straight to data theft and extortion.

The advisory comes in the wake of the cyber attack on Change Healthcare, a provider of payment and revenue management services to US hospitals, which at the time of writing had disrupted pharmacy and other services in multiple parts of the country for over a week. The attack has been linked to ALPHV/BlackCat, and there has been speculation that it may have begun with exploitation of a critical zero-day in the ConnectWise ScreenConnect product (the authentication bypass tracked as CVE-2024-1709).

"The cyber attack on Change Healthcare, the largest healthcare payment exchange platform, has significantly impacted pharmacies nationwide, prompting the adoption of electronic workarounds," Andrew Costis, Adversary Research Team chapter lead, told Computer Weekly via email. "The vast amount of sensitive patient data stored within healthcare systems makes these organisations a dangerous target for ransomware groups, with the potential for far-reaching consequences. These attacks can cripple organisational operations and, more importantly, compromise patient health and safety.
"Healthcare organisations must now prioritise validating their security controls against BlackCat's TTPs as outlined in the joint advisory leveraging the MITRE ATT&CK framework. By emulating the behaviours exhibited by BlackCat, organisations can assess their security postures and pinpoint any vulnerabilities. This proactive approach is essential to mitigate the risk of future attacks," said Costis.
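As an added example (not from the article, the advisory, or any product mentioned above), here is one concrete way to do the control validation Costis describes for a single TTP from the playbook above: bulk uploads to the cloud storage services the advisory names as exfiltration channels, Mega.nz and Dropbox (MITRE ATT&CK T1567.002, Exfiltration to Cloud Storage). The script parses web-proxy log lines, sums bytes uploaded per source host, user and service inside a sliding time window, and raises an alert when the total crosses a threshold. The log format, the sample lines, the 100 MB threshold and the one-hour window are all assumptions constructed for illustration; the parser regex is the only part you should need to change for a real proxy.

```python
"""Detect bulk uploads to cloud storage services used for data exfiltration.

Added example, not code from the article or the CISA advisory. The log
format, sample lines, threshold and time window are assumptions made for
illustration; adapt LINE_RE to your proxy's real format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Services the advisory names as ALPHV/BlackCat exfiltration channels
# (ATT&CK T1567.002). Subdomains such as g.api.mega.nz match as well.
EXFIL_DOMAINS = ("mega.nz", "dropbox.com")

# Constructed proxy log format:
#   "<UTC timestamp> <src_ip> <user> <method> <host> <bytes_out>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+(?P<src>\S+)\s+"
    r"(?P<user>\S+)\s+(?P<method>[A-Z]+)\s+(?P<host>\S+)\s+(?P<bytes_out>\d+)$"
)

# Constructed sample log: one large upload, one set of many small uploads
# inside an hour, two uploads spread too far apart to add up, one large
# upload to an unwatched host, and one malformed line.
SAMPLE_LOG = """\
2024-02-20T02:11:04Z 10.20.1.45 jdoe POST g.api.mega.nz 524288000
2024-02-20T02:13:17Z 10.20.1.45 jdoe POST g.api.mega.nz 610000000
2024-02-20T08:00:00Z 10.20.5.3 rlee PUT mega.nz 62914560
2024-02-20T09:30:00Z 10.20.2.7 asmith GET www.dropbox.com 812
2024-02-20T09:31:10Z 10.20.2.7 asmith POST www.dropbox.com 2048000
2024-02-20T09:45:00Z 10.20.3.9 svc-backup POST mega.nz 300000000
2024-02-20T10:00:00Z 10.20.4.12 mkhan POST content.dropbox.com 31457280
2024-02-20T10:20:00Z 10.20.4.12 mkhan POST content.dropbox.com 31457280
2024-02-20T10:30:00Z 10.20.5.3 rlee PUT mega.nz 62914560
2024-02-20T10:40:00Z 10.20.4.12 mkhan POST content.dropbox.com 31457280
2024-02-20T10:55:00Z 10.20.4.12 mkhan POST content.dropbox.com 31457280
2024-02-20T11:00:00Z 10.20.6.1 bwu POST mail.example.com 900000000
this line is malformed and should be skipped
"""


def base_domain(host):
    """Return the watched domain that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for domain in EXFIL_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def parse_events(text):
    """Return (timestamp, src, user, domain, bytes_out) tuples for uploads to
    watched domains, sorted by time. Malformed lines and non-upload methods
    are skipped rather than raising, so a bad line cannot stall the pass."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["method"] not in ("POST", "PUT"):
            continue
        domain = base_domain(m["host"])
        if domain is None:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], domain, int(m["bytes_out"])))
    events.sort()
    return events


def find_bulk_uploads(text, threshold_bytes=100 * 1024 * 1024,
                      window=timedelta(hours=1)):
    """Alert once per (src, user, domain) whose uploaded bytes within any
    sliding window reach the threshold. Defaults are assumptions; tune per site."""
    by_key = defaultdict(list)
    for ts, src, user, domain, n in parse_events(text):
        by_key[(src, user, domain)].append((ts, n))

    alerts = []
    for (src, user, domain), uploads in by_key.items():
        start, total = 0, 0
        for ts, n in uploads:
            total += n
            # Evict uploads that fall outside the window ending at ts.
            while ts - uploads[start][0] > window:
                total -= uploads[start][1]
                start += 1
            if total >= threshold_bytes:
                alerts.append({
                    "technique": "T1567.002", "src": src, "user": user,
                    "domain": domain, "bytes": total,
                    "window_end": ts.isoformat(),
                })
                break  # one alert per key is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_bulk_uploads(SAMPLE_LOG):
        print(alert)
```

Run against the sample it raises three alerts (the single 500 MB upload, the 300 MB upload, and the four 30 MB uploads that add up within the hour) and stays silent on the two 60 MB uploads separated by two and a half hours, which is the point of the sliding window: affiliates staging data over a long session still trip it, while an ordinary user syncing a large file once does not unless the threshold is set too low. Matching on the base domain rather than the exact host is deliberate, since both services front uploads with API subdomains; the reverse mistake, a substring match that would also hit mega.nz.example.com, is what the `base_domain` check avoids.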