The ALPHV ransomware gang, also known as BlackCat, is targeting US healthcare organizations, according to a joint cybersecurity advisory from the FBI, CISA, and the Department of Health and Human Services (HHS).
The advisory, published under the #StopRansomware initiative, which issues advisories on specific ransomware variants and actors, also details new tactics, techniques and procedures (TTPs) the group has adopted since resurfacing after a global law enforcement takedown in Dec 2023.
BlackCat, also tracked as Noberus, is a Russia-based threat actor group that operates primarily on a ransomware-as-a-service (RaaS) model; its ransomware is written in the Rust programming language. The group first surfaced in Nov 2021 as a possible rebranding of DarkSide, the ransomware actor responsible for the May 2021 attack on Georgia-based Colonial Pipeline.
The gang, known to use social engineering and open source research on a target company to gain initial access, is likely using the actively exploited, critical ScreenConnect authentication bypass vulnerability (CVE-2024-1709) as a new infection method, the advisory's indicators of compromise (IOCs) indicate.
“After gaining access to a victim network, ALPHV Blackcat affiliates deploy remote access software such as AnyDesk, Mega sync, and Splashtop in preparation of data exfiltration,” the advisory said. “ALPHV Blackcat affiliates claim to use Brute Ratel C4 and Cobalt Strike as beacons to command and control servers. (They) also use the open-source adversary-in-the-middle attack framework Evilginx2, which allows them to obtain multifactor authentication (MFA) credentials, login credentials, and session cookies.”
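The remote access and sync tools named in the quoted passage are ordinary software, so the useful detection signal is not their presence but where they run and on which hosts. The following is an added example, not code from the advisory or from any of the agencies that issued it: a small hunt over process-creation events (Sysmon Event ID 1 style, reduced to JSON lines) that flags AnyDesk, Splashtop and MEGAsync executions outside an assumed approved-host inventory and raises the severity when the binary runs from a user-writable path. The log lines, the host names, the APPROVED inventory and the file-name patterns in WATCHLIST are all constructed assumptions for illustration and should be tuned to your own telemetry.

```python
import json
import re
from typing import Dict, List, Optional, Set, Tuple

# Tools named in the advisory, keyed to a regex over the process image path.
# The patterns are assumed typical binary names, not IOCs from the advisory.
WATCHLIST = {
    "AnyDesk": re.compile(r"anydesk", re.I),
    "Splashtop": re.compile(r"splashtop", re.I),
    "MEGAsync": re.compile(r"megasync", re.I),
}

# Locations from which centrally deployed software rarely runs; a match here
# usually means a hands-on-keyboard download rather than an IT rollout.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|appdata\\local\\temp)\\", re.I)

# Constructed sample events (made up for this example, not real telemetry).
# Raw string: the doubled backslashes are JSON escapes for Windows paths.
SAMPLE_LOG = r"""
{"host":"ws-042","user":"CORP\\jsmith","image":"C:\\Users\\jsmith\\Downloads\\AnyDesk.exe","parent":"C:\\Windows\\explorer.exe"}
{"host":"it-jump01","user":"CORP\\svc_helpdesk","image":"C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRServer.exe","parent":"C:\\Windows\\System32\\services.exe"}
{"host":"fs-07","user":"CORP\\backupadm","image":"C:\\Users\\backupadm\\AppData\\Local\\Temp\\MEGAsync.exe","parent":"C:\\Windows\\System32\\cmd.exe"}
{"host":"ws-042","user":"CORP\\jsmith","image":"C:\\Windows\\System32\\notepad.exe","parent":"C:\\Windows\\explorer.exe"}
"""

# Assumed inventory of (host, tool) pairs where the tool is sanctioned.
APPROVED: Set[Tuple[str, str]] = {("it-jump01", "Splashtop")}


def parse_events(log_text: str) -> List[Dict]:
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def classify(event: Dict, approved: Set[Tuple[str, str]]) -> Optional[Dict]:
    """Return a finding for a watchlisted tool, or None if nothing is suspicious.

    An approved (host, tool) pair is still reported when the binary runs from a
    user-writable path, because that is not how sanctioned software is deployed.
    """
    image = event["image"]
    for tool, pattern in WATCHLIST.items():
        if not pattern.search(image):
            continue
        from_user_path = bool(USER_WRITABLE.search(image))
        if (event["host"], tool) in approved and not from_user_path:
            return None
        return {
            "host": event["host"],
            "user": event["user"],
            "tool": tool,
            "image": image,
            "parent": event.get("parent", ""),
            "severity": "high" if from_user_path else "medium",
        }
    return None


def hunt(log_text: str, approved: Set[Tuple[str, str]] = APPROVED) -> List[Dict]:
    """Run the classifier over every event and collect the findings."""
    findings = []
    for event in parse_events(log_text):
        finding = classify(event, approved)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['host']} {f['user']} ran {f['tool']}: {f['image']} (parent {f['parent']})")
```

On the sample data the Splashtop streamer on the approved jump host is ignored, while AnyDesk launched from a Downloads folder and MEGAsync launched from a Temp directory are both reported as high severity. Dropping the inventory (an empty approved set) surfaces the Splashtop execution as a medium finding, which is the right behaviour for an environment that has not yet catalogued where remote access tools are sanctioned.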
After the coordinated Dec 2023 takedown, in which the FBI obtained a decryptor and offered it to roughly 500 BlackCat victims so they could restore their systems, the group quickly regained control of its seized leak site and shifted operations to a new Tor leak site.