The FBI has released a flash communication to the community sharing indicators of compromise and known tactics, techniques, and procedures associated with the BlackCat/ALPHV ransomware-as-a-service (RaaS) activity group. The Fortis team is reviewing this list of indicators and performing targeted threat hunting in our customers’ environments based on the information provided in the FBI’s communication.

Activity Group Details

This ransomware family emerged in late 2021 and has documented affiliations with the well-known DarkSide/BlackMatter group. The group is most recognized for their double extortion model of both encryption and threatening to leak stolen information if the ransom is not paid.  The ransomware itself is programmed in the Rust language, allowing for quick compilation and encryption as well as the ability to use it against various operating systems. It has affected both Windows and Linux environments. The group has primarily targeted U.S.-based victims in the following industry verticals: construction and engineering, retail, transportation, commercial services, insurance, machinery, professional services, telecommunication, auto components, and pharmaceuticals.

Fortis ActiveDefense Detection Coverage

Based on the tactics and techniques listed in the advisory as well as additional community information, the current coverage through the Fortis ActiveDefense platform includes behavioral alerting for this group’s key indicators of attack such as scheduled task creation and persistence, detection of new or unusual administrator account creation or modification, comprehensive coverage for suspicious use of PowerShell, volume shadow deletion, and account or system discovery techniques. The Fortis by Sentinel SOC team is also performing dedicated threat hunting for this specific FBI flash communication. If any suspicious activity around these indicators of compromise is found, a SOC analyst will be in touch.

Next Steps

The Fortis Threat Intelligence team will continue to monitor this situation to identify and remediate any detection gaps we may have for alerting on this group’s activity. We recommend proactively blocking the IPs and ransomware hashes included in this FBI threat brief.

Additional Recommendations and Best Practices

Review EDR configurations and ensure they are up to date, as well as enable any behavioral detection capabilities. As adversaries continue to use “living off the land” techniques by abusing trusted system components, these behavior-based detections ensure greater capabilities against more sophisticated threats. Review the CISA “Shields Up!” advisory for additional recommendations to harden your environment against the rising threat of ransomware attacks.

As the number of cyberattacks continues to increase at an exponential level, the Fortis team remains vigilant in our mission to stop breaches before they occur. We are fighting for you with 24x7x365 monitoring of your environment through our Security Operations Center (SOC), Incident Response, and Threat Intelligence teams to help lower the time to detect and respond to active threats. Our Incident Response team is always ready to engage at (844) 297-4853.

References and Additional Reading:

CISA Shields Up Advisory: https://www.cisa.gov/shields-up

Full FBI Flash with Indicators: https://www.ic3.gov/Media/News/2022/220420.pdf

Additional Technical Details:

https://unit42.paloaltonetworks.com/blackcat-ransomware/