Fortis Security Advisory: BlackCat/ALPHV
The FBI has released a flash communication to the community sharing indicators of compromise and known tactics, techniques, and procedures associated with the BlackCat/ALPHV ransomware-as-a-service (RaaS) activity group. The Fortis team is reviewing this
list of indicators and performing targeted threat hunting in our customers’ environments based on the information provided in the FBI’s communication.
Activity Group Details
This ransomware family emerged in late 2021 and has documented affiliations with the well-known DarkSide/BlackMatter group. The group is most recognized for their double extortion model of both encryption and threatening to leak stolen information if
the ransom is not paid. The ransomware itself is programmed in the Rust language, allowing for quick compilation and encryption as well as the ability to use it against various operating systems. It has affected both Windows and Linux environments. The
group has primarily targeted U.S.-based victims in the following industry verticals: construction and engineering, retail, transportation, commercial services, insurance, machinery, professional services, telecommunication, auto components, and pharmaceuticals.
Fortis ActiveDefense Detection Coverage
Based on the tactics and techniques listed in the advisory as well as additional community information, the current coverage through the Fortis ActiveDefense platform includes behavioral alerting for this group’s key indicators of attack such as
scheduled task creation and persistence, detection of new or unusual administrator account creation or modification, comprehensive coverage for suspicious use of PowerShell, volume shadow deletion, and account or system discovery techniques. The Fortis
by Sentinel SOC team is also performing dedicated threat hunting for this specific FBI flash communication. If any suspicious activity around these indicators of compromise is found, a SOC analyst will be in touch.
Next Steps
The Fortis Threat Intelligence team will continue to monitor this situation to identify and remediate any detection gaps we may have for alerting on this group’s activity. We recommend proactively blocking the IPs and ransomware hashes included
in this FBI threat brief.
Additional Recommendations and Best Practices
Review EDR configurations and ensure they are up to date, as well as enable any behavioral detection capabilities. As adversaries continue to use “living off the land” techniques by abusing trusted system components, these behavior-based detections
ensure greater capabilities against more sophisticated threats. Review the CISA “Shields Up!” advisory for additional recommendations to harden your environment against the rising threat of
ransomware attacks.
As the number of cyberattacks continues to increase at an exponential level, the Fortis team remains vigilant in our mission to stop breaches before they occur. We are fighting for you with 24x7x365 monitoring of your environment through our Security
Operations Center (SOC), Incident Response, and Threat Intelligence teams to help lower the time to detect and respond to active threats. Our Incident Response team is always ready to engage at (844) 297-4853.
References and Additional Reading:
CISA Shields Up Advisory: https://www.cisa.gov/shields-up
Full FBI Flash with Indicators: https://www.ic3.gov/Media/News/2022/220420.pdf
Additional Technical Details:
https://unit42.paloaltonetworks.com/blackcat-ransomware/
https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware