US healthcare alerted against BlackCat amid targeted attacks
The ALPHV, also known as the BlackCat ransomware gang, is targeting US healthcare systems, according to a joint cybersecurity advisory by the FBI, CISA, and the Department of Health and Human Services (SSH).
The advisory, which was published as part of the #StopRansomware effort that publishes advisories against various ransomware variants and actors, also detailed new TTPs the group has been implementing since its return from a global law enforcement takedown in Dec 2023.
BlackCat, also tracked as Noberus, is a Russia-based threat actor group that primarily operates a ransomware-as-a-service (RaaS) model written in the Rust programming language. The group first surfaced in November 2021 as a possible rebranding of Darkside, the ransomware actor responsible for the August 2020 cyberattack on Georgia-based Colonial Pipeline.
The gang, known to use social engineering techniques and open source research on a company to gain initial access, is likely using the actively exploited, critical ScreenConnect authentication bypass vulnerability as a new infection method, the advisory’s indicators of compromise (IOCs) confirm.
“After gaining access to a victim network, ALPHV Blackcat affiliates deploy remote access software such as AnyDesk, Mega sync, and Splashtop in preparation of data exfiltration,” the advisory said. “ALPHV Blackcat affiliates claim to use Brute Ratel C4 and Cobalt Strike as beacons to command and control servers. (They) also use the open-source adversary-in-the-middle attack framework Evilginx2, which allows them to obtain multifactor authentication (MFA) credentials, login credentials, and session cookies.”
In early 2023, the gang spun out an update to its RasS with improved encryption and evasion features. “In February 2023, ALPHV Blackcat administrators announced the ALPHV Blackcat Ransomware 2.0 Sphynx update, which was rewritten to provide additional features to affiliates, such as better defense evasion and additional tooling,” the advisory said. “This ALPHV Blackcat update has the capability to encrypt both Windows and Linux devices, and VMWare instances.”
