StopRansomware ALPHV Blackcat CISA
pAn official website of the United States governmentppHeres how you knowpp
Official websites use gov
A gov website belongs to an official government organization in the United States
pp
Secure gov websites use HTTPS
A lock LockA locked padlock or https means youve safely connected to the gov website Share sensitive information only on official secure websites
ppFree Cyber Servicesprotect2024Secure Our WorldShields UpReport A Cyber IssueppSearchppppFree Cyber Servicesprotect2024Secure Our WorldShields UpReport A Cyber IssueppNote This joint Cybersecurity Advisory CSA is part of an ongoing StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors These StopRansomware advisories include recently and historically observed tactics techniques and procedures TTPs and indicators of compromise IOCs to help organizations protect against ransomware Visit stopransomwaregov to see all StopRansomware advisories and to learn more about other ransomware threats and nocost resourcesppThe Federal Bureau of Investigation FBI the Cybersecurity and Infrastructure Security Agency CISA and the Department of Health and Human Services HHS are releasing this joint CSA to disseminate known IOCs and TTPs associated with the ALPHV Blackcat ransomware as a service RaaS identified through FBI investigations as recently as February 2024ppThis advisory provides updates to the FBI FLASH BlackCatALPHV Ransomware Indicators of Compromise released April 19 2022 and to this advisory released December 19 2023 ALPHV Blackcat actors have since employed improvised communication methods by creating victimspecific emails to notify of the initial compromise Since midDecember 2023 of the nearly 70 leaked victims the healthcare sector has been the most commonly victimized This is likely in response to the ALPHV Blackcat administrators post encouraging its affiliates to target hospitals after operational action against the group and its infrastructure in early December 2023ppFBI CISA and HHS encourage critical infrastructure organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ALPHV Blackcat ransomware and data extortion incidentsppIn February 2023 ALPHV Blackcat administrators announced the ALPHV Blackcat Ransomware 20 Sphynx update which was rewritten to provide additional features to affiliates such as better defense evasion and additional tooling This ALPHV Blackcat update has the capability to encrypt both Windows and Linux devices and VMWare instances ALPHV Blackcat affiliates have extensive networks and experience with ransomware and data extortion operationsppDownload the PDF version of this reportppFor a downloadable copy of IOCs seeppNote This advisory uses the MITRE ATTCK for Enterprise framework version 14 See the MITRE ATTCK Tactics and Techniques section for a table of the threat actors activity mapped to MITRE ATTCK tactics and techniques For assistance with mapping malicious cyber activity to the MITRE ATTCK framework see CISA and MITRE ATTCKs Best Practices for MITRE ATTCK Mapping and CISAs Decider ToolppALPHV Blackcat affiliates use advanced social engineering techniques and open source research on a company to gain initial access Actors pose as company IT andor helpdesk staff and use phone calls or SMS messages T1598 to obtain credentials from employees to access the target network T1586 ALPHV Blackcat affiliates use uniform resource locators URLs to livechat with victims to convey demands and initiate processes to restore the victims encrypted filesppAfter gaining access to a victim network ALPHV Blackcat affiliates deploy remote access software such as AnyDesk Mega sync and Splashtop in preparation of data exfiltration ALPHV Blackcat affiliates create a user account aadmin and use Kerberos token generation for domain access T1558 After gaining access to networks they use legitimate remote access and tunneling tools such as Plink and Ngrok S0508 ALPHV Blackcat affiliates claim to use Brute Ratel C4 S1063 and Cobalt Strike S1054 as beacons to command and control servers ALPHV Blackcat affiliates use the open source adversaryinthemiddle attack T1557 framework Evilginx2 which allows them to obtain multifactor authentication MFA credentials login credentials and session cookies The actors also obtain passwords from the domain controller local network and deleted backup servers to move laterally throughout the network T1555ppTo evade detection affiliates employ allowlisted applications such as Metasploit Once installed on the domain controller the logs are cleared on the exchange server Then Meganz or Dropbox are used to move exfiltrate andor download victim data The ransomware is then deployed and the ransom note is embedded as a filetxt According to public reporting affiliates have additionally used POORTRY and STONESTOP to terminate security processesppSome ALPHV Blackcat affiliates exfiltrate data after gaining access and extort victims without deploying ransomware After exfiltrating andor encrypting data ALPHV Blackcat affiliates communicate with victims via TOR S0183 Tox email or encrypted applications The threat actors then delete victim data from the victims systemppALPHV Blackcat affiliates offer to provide unsolicited cyber remediation advice as an incentive for payment offering to provide victims with vulnerability reports and security recommendations detailing how they penetrated the system and how to prevent future revictimization upon receipt of ransom payment The ALPHV Blackcat encryptor results in a file with the following naming convention RECOVERsevendigit extension FILEStxtpp944153fb9692634d6c70899b83676575ppALPHV Windows Encryptorpp pp341d43d4d5c2e526cadd88ae8da70c1cppAnti Virus Tools Killerpp363syspp34aac5719824e5f13b80d6fe23cbfa07ppCobaltStrike BEACONppLMtoolexeppeea9ab1f36394769d65909f6ae81834bppCobaltStrike BEACONppInfoexepp379bf8c60b091974f856f08475a03b04ppALPHV Linux Encryptorpphimppebca4398e949286cb7f7f6c68c28e838ppSimpleHelp Remote Management toolppfirstexeppc04c386b945ccc04627d1a885b500edfppTunneler Toolppconhostexepp824d0e31fd08220a25c06baee1044818ppAnti Virus Tools KillerppibmModuledllppeea9ab1f36394769d65909f6ae81834bppCobaltStrike BEACONppConnectivityDiagnosexepp944153fb9692634d6c70899b83676575ppALPHV Windows Encryptorpp7O3cCX9YcHMV2exepp61804a029e9b1753d58a6bf0274c25a6ppMeshCentral AgentppWPEHOSTSVC64exepp83deea3b61b6a734e7e4a566dbb6bffappScreenConnect attacker tools installerppdeployServiceexepp8738b8637a20fa65c6e64d84d1cfe570ppSuspected Proxy Toolppsocks32exeppc64300cf8bacc4e42e74715edf3f8c3287a780c9c0a38b0d9675d01e7e231f16ppALPHV Windows Encryptorpp1f5e4e2c78451623cfbf32cf517a92253b7abfe0243297c5ddf7dd1448e460d5ppAnti Virus Tools Killerpp3670dd4663adca40f168f3450fa9e7e84bc1a612d78830004020b73bd40fcd71ppCobaltStrike BEACONppaf28b78c64a9effe3de0e5ccc778527428953837948d913d64dbd0fa45942021ppCobaltStrike BEACONppbbfe7289de6ab1f374d0bcbeecf31cad2333b0928ea883ca13b9e733b58e27b1ppALPHV Linux Encryptorpp5d1df950b238825a36fa6204d1a2935a5fbcfe2a5991a7fc69c74f476df67905ppSimpleHelp Remote Management toolppbd9edc3bf3d45e3cdf5236e8f8cd57a95ca3b41f61e4cd5c6c0404a83519058eppTunneler Toolpp732e24cb5d7ab558effc6dc88854f756016352c923ff5155dcb2eece35c19bc0ppAnti Virus Tools Killerpp3dd0f674526f30729bced4271e6b7eb0bb890c52ppALPHV Windows Encryptorppd6d442e8b3b0aef856ac86391e4a57bcb93c19adppAnti Virus Tools Killerpp6b52543e4097f7c39cc913d55c0044fcf673f6fcppCobaltStrike BEACONpp004ba0454feb2c4033ff0bdb2ff67388af0c41b6ppCobaltStrike BEACONpp430bd437162d4c60227288fa6a82cde8a5f87100ppSimpleHelp Remote Management toolpp1376ac8b5a126bb163423948bd1c7f861b4bfe32ppTunneler Toolpp380f941f8047904607210add4c6da2da8f8cd398ppAnti Virus Tools KillerppDomainppresourcesdocusongcomppCommand and Control ServerppDomainppFisa99screenconnectcomppScreenConnect Remote AccessppIP Addresspp519916824ppCommand and Control ServerppIP Addresspp9192254193ppSimpleHelp Remote AccessppDomainpppcrendalcomppCommand and Control ServerppDomainppinstanceqqemasrelayscreenconnectcomppScreenConnect Remote AccessppDomainppinstancerbjvwsrelayscreenconnectcomppScreenConnect Remote AccessppIP Addresspp5199168233ppIP Address used by Threat ActorppIP Addresspp922238955ppIP Address used by Threat ActorppIP Addresspp18519559218ppIP Address used by Threat ActorppIP Addresspp51159103112ppIP Address used by Threat ActorppIP Addresspp4532141168ppCommand and Control ServerppIP Addresspp4577092ppCommand and Control ServerppSee Table 5 through Table 7 for all referenced threat actor tactics and techniques in this advisoryppPhishing for InformationppT1598ppALPHV Blackcat affiliates pose as company IT andor helpdesk staff using phone calls or SMS messages to obtain credentials from employees to access the target networkppCompromise AccountsppT1586ppALPHV Blackcat affiliates use compromised accounts to gain access to victims networksppObtain Credentials from Passwords StoresppT1555ppALPHV Blackcat affiliates obtain passwords from local networks deleted servers and domain controllersppAdversaryintheMiddleppT1557ppALPHV BlackcatALPHV affiliates use the opensource framework Evilginx2 to obtain MFA credentials login credentials and session cookies for targeted networksppIf compromise is detected organizations shouldppThese mitigations apply to all critical infrastructure organizations and network defenders FBI CISA and HHS recommend that software manufactures incorporate secure by design principles and tactics into their software development practices limiting the impact of ransomware techniques thus strengthening the security posture for their customersppFor more information on secure by design see CISAs Secure by Design webpage and joint guideppFBI CISA and HHS recommend organizations implement the mitigations below to improve your organizations cybersecurity posture based on threat actor activity and to reduce the risk of compromise by ALPHV Blackcat threat actors These mitigations align with the CrossSector Cybersecurity Performance Goals CPGs developed by CISA and the National Institute of Standards and Technology NIST The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats tactics techniques and procedures Visit CISAs CrossSector Cybersecurity Performance Goals for more information on the CPGs including additional recommended baseline protections Due to the threat ALPHV Blackcats poses in the healthcare sector healthcare organizations can look to the Healthcare and Public Health HPH Sector Cybersecurity Performance Goals to implement cybersecurity protections against the most common threats tactics techniques and procedures used against this sectorppIn addition to applying mitigations CISA recommends exercising testing and validating your organizations security program against the threat behaviors mapped to the MITRE ATTCK for Enterprise framework in this advisory CISA recommends testing your existing security controls inventory to assess how they perform against the ATTCK techniques described in this advisoryppTo get startedppCISA and FBI recommend continually testing your security program at scale in a production environment to ensure optimal performance against the MITRE ATTCK techniques identified in this advisoryppThe information in this report is being provided as is for informational purposes only FBI CISA and HHS do not endorse any commercial entity product company or service including any entities products or services linked within this document Any reference to specific commercial entities products processes or services by service mark trademark manufacturer or otherwise does not constitute or imply endorsement recommendation or favoring by FBI CISA and HHSppDecember 19 2023 Initial version
February 27 2024 UpdateppThis product is provided subject to this Notification and this Privacy Use policyppWe recently updated our anonymous product survey wed welcome your feedbackp
Official websites use gov
A gov website belongs to an official government organization in the United States
pp
Secure gov websites use HTTPS
A lock LockA locked padlock or https means youve safely connected to the gov website Share sensitive information only on official secure websites
ppFree Cyber Servicesprotect2024Secure Our WorldShields UpReport A Cyber IssueppSearchppppFree Cyber Servicesprotect2024Secure Our WorldShields UpReport A Cyber IssueppNote This joint Cybersecurity Advisory CSA is part of an ongoing StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors These StopRansomware advisories include recently and historically observed tactics techniques and procedures TTPs and indicators of compromise IOCs to help organizations protect against ransomware Visit stopransomwaregov to see all StopRansomware advisories and to learn more about other ransomware threats and nocost resourcesppThe Federal Bureau of Investigation FBI the Cybersecurity and Infrastructure Security Agency CISA and the Department of Health and Human Services HHS are releasing this joint CSA to disseminate known IOCs and TTPs associated with the ALPHV Blackcat ransomware as a service RaaS identified through FBI investigations as recently as February 2024ppThis advisory provides updates to the FBI FLASH BlackCatALPHV Ransomware Indicators of Compromise released April 19 2022 and to this advisory released December 19 2023 ALPHV Blackcat actors have since employed improvised communication methods by creating victimspecific emails to notify of the initial compromise Since midDecember 2023 of the nearly 70 leaked victims the healthcare sector has been the most commonly victimized This is likely in response to the ALPHV Blackcat administrators post encouraging its affiliates to target hospitals after operational action against the group and its infrastructure in early December 2023ppFBI CISA and HHS encourage critical infrastructure organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ALPHV Blackcat ransomware and data extortion incidentsppIn February 2023 ALPHV Blackcat administrators announced the ALPHV Blackcat Ransomware 20 Sphynx update which was rewritten to provide additional features to affiliates such as better defense evasion and additional tooling This ALPHV Blackcat update has the capability to encrypt both Windows and Linux devices and VMWare instances ALPHV Blackcat affiliates have extensive networks and experience with ransomware and data extortion operationsppDownload the PDF version of this reportppFor a downloadable copy of IOCs seeppNote This advisory uses the MITRE ATTCK for Enterprise framework version 14 See the MITRE ATTCK Tactics and Techniques section for a table of the threat actors activity mapped to MITRE ATTCK tactics and techniques For assistance with mapping malicious cyber activity to the MITRE ATTCK framework see CISA and MITRE ATTCKs Best Practices for MITRE ATTCK Mapping and CISAs Decider ToolppALPHV Blackcat affiliates use advanced social engineering techniques and open source research on a company to gain initial access Actors pose as company IT andor helpdesk staff and use phone calls or SMS messages T1598 to obtain credentials from employees to access the target network T1586 ALPHV Blackcat affiliates use uniform resource locators URLs to livechat with victims to convey demands and initiate processes to restore the victims encrypted filesppAfter gaining access to a victim network ALPHV Blackcat affiliates deploy remote access software such as AnyDesk Mega sync and Splashtop in preparation of data exfiltration ALPHV Blackcat affiliates create a user account aadmin and use Kerberos token generation for domain access T1558 After gaining access to networks they use legitimate remote access and tunneling tools such as Plink and Ngrok S0508 ALPHV Blackcat affiliates claim to use Brute Ratel C4 S1063 and Cobalt Strike S1054 as beacons to command and control servers ALPHV Blackcat affiliates use the open source adversaryinthemiddle attack T1557 framework Evilginx2 which allows them to obtain multifactor authentication MFA credentials login credentials and session cookies The actors also obtain passwords from the domain controller local network and deleted backup servers to move laterally throughout the network T1555ppTo evade detection affiliates employ allowlisted applications such as Metasploit Once installed on the domain controller the logs are cleared on the exchange server Then Meganz or Dropbox are used to move exfiltrate andor download victim data The ransomware is then deployed and the ransom note is embedded as a filetxt According to public reporting affiliates have additionally used POORTRY and STONESTOP to terminate security processesppSome ALPHV Blackcat affiliates exfiltrate data after gaining access and extort victims without deploying ransomware After exfiltrating andor encrypting data ALPHV Blackcat affiliates communicate with victims via TOR S0183 Tox email or encrypted applications The threat actors then delete victim data from the victims systemppALPHV Blackcat affiliates offer to provide unsolicited cyber remediation advice as an incentive for payment offering to provide victims with vulnerability reports and security recommendations detailing how they penetrated the system and how to prevent future revictimization upon receipt of ransom payment The ALPHV Blackcat encryptor results in a file with the following naming convention RECOVERsevendigit extension FILEStxtpp944153fb9692634d6c70899b83676575ppALPHV Windows Encryptorpp pp341d43d4d5c2e526cadd88ae8da70c1cppAnti Virus Tools Killerpp363syspp34aac5719824e5f13b80d6fe23cbfa07ppCobaltStrike BEACONppLMtoolexeppeea9ab1f36394769d65909f6ae81834bppCobaltStrike BEACONppInfoexepp379bf8c60b091974f856f08475a03b04ppALPHV Linux Encryptorpphimppebca4398e949286cb7f7f6c68c28e838ppSimpleHelp Remote Management toolppfirstexeppc04c386b945ccc04627d1a885b500edfppTunneler Toolppconhostexepp824d0e31fd08220a25c06baee1044818ppAnti Virus Tools KillerppibmModuledllppeea9ab1f36394769d65909f6ae81834bppCobaltStrike BEACONppConnectivityDiagnosexepp944153fb9692634d6c70899b83676575ppALPHV Windows Encryptorpp7O3cCX9YcHMV2exepp61804a029e9b1753d58a6bf0274c25a6ppMeshCentral AgentppWPEHOSTSVC64exepp83deea3b61b6a734e7e4a566dbb6bffappScreenConnect attacker tools installerppdeployServiceexepp8738b8637a20fa65c6e64d84d1cfe570ppSuspected Proxy Toolppsocks32exeppc64300cf8bacc4e42e74715edf3f8c3287a780c9c0a38b0d9675d01e7e231f16ppALPHV Windows Encryptorpp1f5e4e2c78451623cfbf32cf517a92253b7abfe0243297c5ddf7dd1448e460d5ppAnti Virus Tools Killerpp3670dd4663adca40f168f3450fa9e7e84bc1a612d78830004020b73bd40fcd71ppCobaltStrike BEACONppaf28b78c64a9effe3de0e5ccc778527428953837948d913d64dbd0fa45942021ppCobaltStrike BEACONppbbfe7289de6ab1f374d0bcbeecf31cad2333b0928ea883ca13b9e733b58e27b1ppALPHV Linux Encryptorpp5d1df950b238825a36fa6204d1a2935a5fbcfe2a5991a7fc69c74f476df67905ppSimpleHelp Remote Management toolppbd9edc3bf3d45e3cdf5236e8f8cd57a95ca3b41f61e4cd5c6c0404a83519058eppTunneler Toolpp732e24cb5d7ab558effc6dc88854f756016352c923ff5155dcb2eece35c19bc0ppAnti Virus Tools Killerpp3dd0f674526f30729bced4271e6b7eb0bb890c52ppALPHV Windows Encryptorppd6d442e8b3b0aef856ac86391e4a57bcb93c19adppAnti Virus Tools Killerpp6b52543e4097f7c39cc913d55c0044fcf673f6fcppCobaltStrike BEACONpp004ba0454feb2c4033ff0bdb2ff67388af0c41b6ppCobaltStrike BEACONpp430bd437162d4c60227288fa6a82cde8a5f87100ppSimpleHelp Remote Management toolpp1376ac8b5a126bb163423948bd1c7f861b4bfe32ppTunneler Toolpp380f941f8047904607210add4c6da2da8f8cd398ppAnti Virus Tools KillerppDomainppresourcesdocusongcomppCommand and Control ServerppDomainppFisa99screenconnectcomppScreenConnect Remote AccessppIP Addresspp519916824ppCommand and Control ServerppIP Addresspp9192254193ppSimpleHelp Remote AccessppDomainpppcrendalcomppCommand and Control ServerppDomainppinstanceqqemasrelayscreenconnectcomppScreenConnect Remote AccessppDomainppinstancerbjvwsrelayscreenconnectcomppScreenConnect Remote AccessppIP Addresspp5199168233ppIP Address used by Threat ActorppIP Addresspp922238955ppIP Address used by Threat ActorppIP Addresspp18519559218ppIP Address used by Threat ActorppIP Addresspp51159103112ppIP Address used by Threat ActorppIP Addresspp4532141168ppCommand and Control ServerppIP Addresspp4577092ppCommand and Control ServerppSee Table 5 through Table 7 for all referenced threat actor tactics and techniques in this advisoryppPhishing for InformationppT1598ppALPHV Blackcat affiliates pose as company IT andor helpdesk staff using phone calls or SMS messages to obtain credentials from employees to access the target networkppCompromise AccountsppT1586ppALPHV Blackcat affiliates use compromised accounts to gain access to victims networksppObtain Credentials from Passwords StoresppT1555ppALPHV Blackcat affiliates obtain passwords from local networks deleted servers and domain controllersppAdversaryintheMiddleppT1557ppALPHV BlackcatALPHV affiliates use the opensource framework Evilginx2 to obtain MFA credentials login credentials and session cookies for targeted networksppIf compromise is detected organizations shouldppThese mitigations apply to all critical infrastructure organizations and network defenders FBI CISA and HHS recommend that software manufactures incorporate secure by design principles and tactics into their software development practices limiting the impact of ransomware techniques thus strengthening the security posture for their customersppFor more information on secure by design see CISAs Secure by Design webpage and joint guideppFBI CISA and HHS recommend organizations implement the mitigations below to improve your organizations cybersecurity posture based on threat actor activity and to reduce the risk of compromise by ALPHV Blackcat threat actors These mitigations align with the CrossSector Cybersecurity Performance Goals CPGs developed by CISA and the National Institute of Standards and Technology NIST The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats tactics techniques and procedures Visit CISAs CrossSector Cybersecurity Performance Goals for more information on the CPGs including additional recommended baseline protections Due to the threat ALPHV Blackcats poses in the healthcare sector healthcare organizations can look to the Healthcare and Public Health HPH Sector Cybersecurity Performance Goals to implement cybersecurity protections against the most common threats tactics techniques and procedures used against this sectorppIn addition to applying mitigations CISA recommends exercising testing and validating your organizations security program against the threat behaviors mapped to the MITRE ATTCK for Enterprise framework in this advisory CISA recommends testing your existing security controls inventory to assess how they perform against the ATTCK techniques described in this advisoryppTo get startedppCISA and FBI recommend continually testing your security program at scale in a production environment to ensure optimal performance against the MITRE ATTCK techniques identified in this advisoryppThe information in this report is being provided as is for informational purposes only FBI CISA and HHS do not endorse any commercial entity product company or service including any entities products or services linked within this document Any reference to specific commercial entities products processes or services by service mark trademark manufacturer or otherwise does not constitute or imply endorsement recommendation or favoring by FBI CISA and HHSppDecember 19 2023 Initial version
February 27 2024 UpdateppThis product is provided subject to this Notification and this Privacy Use policyppWe recently updated our anonymous product survey wed welcome your feedbackp
