December 22, 2023
Severity
High
Analysis Summary
The Federal Bureau of Investigation stated that the ALPHV/BlackCat ransomware gang had raked in more than $300 million in ransom payments from over 1000 victims worldwide as of September 2023. The gang's affiliates have extensive networks and considerable experience with data extortion and ransomware operations.
ALPHV/BlackCat emerged on the threat landscape over two years ago, in November 2021, and is possibly a rebrand of the infamous DarkSide and BlackMatter ransomware operation. The group became well-known worldwide after it targeted Colonial Pipeline, which led to a deep investigation by major international law enforcement agencies. The FBI has previously associated the ransomware gang with more than 60 breaches that impacted organizations worldwide within the first four months of its activity, from November 2021 through March 2022.
On December 7 of this year, researchers reported that ALPHV's dark web sites, including its Tor negotiation and data leak sites, went down and could not be reached. The Department of Justice then confirmed that the FBI had taken control of the ALPHV ransomware operation's servers, monitored its activities, and obtained decryption keys.
“Some ALPHV Blackcat affiliates exfiltrate data after gaining access and extort victims without deploying ransomware. After exfiltrating and/or encrypting data, ALPHV Blackcat affiliates communicate with victims via TOR, Tox, email, or encrypted applications,” reads the latest report by CISA.
To gain access to ALPHV's backend affiliate panel, the FBI worked with a confidential human source (CHS) who was given affiliate login credentials after being interviewed by the ransomware operators. The FBI then covertly monitored the gang's operations for months while collecting decryption keys, allowing it to help more than 500 victims across the world recover their files without paying any ransom and saving them about $68 million.
It is not clear how the decryption keys were obtained, since an affiliate's backend credentials alone would not provide access to them. It is possible that the FBI exploited vulnerabilities that allowed it to dump the database or gain further access to the ransomware gang's server. The domain used for the gang's data leak site was seized by the FBI and a banner was added stating that the seizure was the result of an international law enforcement operation, but a few hours later ALPHV "unseized" the website and claimed that the FBI had gained access to a data center hosting the gang's servers. In the same message, the gang claimed to have breached at least 3,400 victims to date.
The current situation is that both ALPHV and the FBI possess the data leak website's private keys and can take control of the domain from each other. Other cybercrime gangs see this as an early holiday gift, with the LockBit ransomware group in particular inviting ALPHV affiliates to switch teams so they can continue negotiating with victims.
About 75% of the compromised entities are based in the U.S. The FBI and CISA have shared mitigation measures so that critical infrastructure organizations and network defenders can reduce the risk and impact. It is highly recommended to enable multi-factor authentication (MFA) and to prioritize patching vulnerabilities that are actively exploited in the wild.
Impact
- File Encryption
- Data Exfiltration
- Financial Loss
Remediation
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Emails from unknown senders should always be treated with caution.
- Never trust or open links and attachments received from unknown sources/senders.
- Keep your software up to date. Software updates often include security patches that can help to protect your systems from known vulnerabilities.
- Use strong passwords and multi-factor authentication. This will make it more difficult for attackers to gain access to your systems.
- Back up your data regularly. This will help you recover if your systems are encrypted by ransomware.
- Deploy robust endpoint security solutions, including antivirus, anti-malware, and intrusion detection systems, to detect and prevent threats like BlackCat ransomware.
- Immediately disconnect or isolate the compromised systems from the network to prevent the malware from spreading further. This may involve shutting down affected servers or segments of the network.
- Conduct a thorough investigation to determine the extent of the breach, including identifying which systems and data were compromised.
- Develop a long-term cybersecurity strategy to prevent future incidents, including investing in advanced threat detection and response capabilities.