The ALPHV, also referred to as the Blackcat ransomware gang, is targeting US healthcare systems, according to a joint cybersecurity advisory by the FBI, CISA, and the Department of Health and Human Services (HHS).
The advisory, which was published as part of the #StopRansomware effort that publishes advisories on various ransomware variants and actors, also detailed new TTPs the group has been using since its return from an international law enforcement takedown in Dec 2023.
BlackCat, also tracked as Noberus, is a Russia-based threat actor group that primarily operates a ransomware-as-a-service (RaaS) model written in the Rust programming language. The group first surfaced in Nov 2021 as a possible rebranding of Darkside, the ransomware actor responsible for the Aug 2020 cyberattack on Georgia-based Colonial Pipeline.
The gang, known to use social engineering techniques and open source research on a company to gain initial access, is likely using the actively exploited, critical ScreenConnect authentication bypass vulnerability as a new infection method, the advisory's indicators of compromise (IOCs) confirm.
“After gaining access to a victim network, ALPHV Blackcat affiliates deploy remote access software such as AnyDesk, Mega sync, and Splashtop in preparation of data exfiltration,” the advisory said. “ALPHV Blackcat affiliates claim to use Brute Ratel C4 and Cobalt Strike as beacons to command and control servers. (They) also use the open-source adversary-in-the-middle attack framework Evilginx2, which allows them to obtain multifactor authentication (MFA) credentials, login credentials, and session cookies.”
After a coordinated takedown by authorities in Dec 2023, which allowed the FBI to develop a decryptor and offer 500 BlackCat victims the means to restore their systems, the group quickly regained access to the seized servers and sites and shifted operations to a new Tor leak site.