Detect ALPHA SPIDER Ransomware Attacks: TTPs Leveraged by ALPHV aka BlackCat RaaS Operators
Ransomware remains a top threat to organizations globally, with a constant surge in the volume and sophistication of attacks. Among the key players in the ransomware arena, the ALPHA SPIDER group stands out for taking credit for a series of recent high-profile attacks, including those against the U.S. healthcare payment processor Change Healthcare and the gaming industry giant MGM Resorts. Because ALPHA SPIDER poses a significant menace through its massive presence in the cyber realm, the U.S. Department of Justice announced an international law enforcement operation aimed at seizing ALPHV (aka BlackCat) infrastructure, which was followed by a detailed CISA advisory published under the #StopRansomware initiative.
Detect ALPHA SPIDER (aka ALPHV, BlackCat) Ransomware Attacks
After first emerging in late 2021, ALPHA SPIDER promptly declared itself a new ransomware-as-a-service (RaaS) leader, drawing a lot of attention due to its multiple high-profile targets, sophisticated malicious capabilities, and generous terms for affiliates.
To stay ahead of potential ALPHV attacks, cyber defenders require advanced threat detection and hunting tools enriched with curated detection algorithms addressing the adversaries' TTPs. SOC Prime Platform aggregates a set of relevant Sigma rules compatible with 28 SIEM, EDR, XDR, and Data Lake technologies to identify malicious activity associated with ALPHV aka BlackCat.
Hit the Explore Detections button below to drill down into the detection stack covering TTPs related to the latest ALPHA SPIDER campaigns. All the rules are mapped to MITRE ATT&CK framework v14.1 and enriched with detailed threat intelligence.
To streamline threat investigation and boost SOC operations, security professionals can access a broader collection of Sigma rules addressing related malicious activity by searching SOC Prime for the "ALPHV" and "BlackCat" tags.
ALPHV/BlackCat Ransomware Attack Analysis
The nefarious ALPHV (BlackCat, ALPHA SPIDER) ransomware operators have been in the spotlight in the cyber threat realm since late fall 2021, setting their eyes on a wide range of industry verticals and continuously enriching their adversary toolkit. BlackCat is believed to be the next generation of the DarkSide or BlackMatter ransomware gangs, indicating a sophisticated level of expertise and skillset of its affiliates. Over the last year, ALPHV hackers have been observed employing a set of new adversary techniques and innovative methods as components of their ransomware activities.
The ALPHV RaaS stands out for being written in the Rust programming language and provides a range of capabilities aimed at enticing advanced affiliates. These include ransomware variants that target multiple operating systems, a highly customizable variant built for detection evasion, a searchable victim database hosted on a clear web domain, a dedicated leak site, and integration of a Bitcoin mixer into affiliate panels. According to the latest CrowdStrike research, ALPHV operators have leveraged Linux versions of Cobalt Strike and SystemBC to conduct reconnaissance of VMware ESXi servers before initiating ransomware deployment.
ALPHV/BlackCat is a highly prolific ransomware gang that has taken credit for a number of high-profile attacks, such as those against gaming giant MGM Resorts and healthcare payment software provider Change Healthcare. The latest attack conducted last month has resulted in major service disruptions for healthcare organizations such as pharmacies.
At the early attack stage, ALPHV affiliates exploit two vulnerabilities, CVE-2021-44529 and CVE-2021-40347, for initial access and persistence within the targeted network. They then employ Nmap, a legitimate network scanning utility abused for discovery, to map the network, along with specific Nmap scripts to perform a targeted vulnerability scan. They have also been observed attempting to weaponize another RCE vulnerability, tracked as CVE-2021-21972, and carrying out further network reconnaissance. Moreover, after initial lateral movement ALPHV abused the Veeam backup tool, taking advantage of the Veeam Credential Recovery PowerShell script to steal user credentials directly from the Veeam database.
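To show how the discovery and credential-theft behaviours described above translate into detection logic, here is a small Python example added to this post (it is not SOC Prime's Sigma content nor CrowdStrike's code). It evaluates two Sigma-style heuristics against constructed Sysmon Event ID 1 / Windows 4688-like process-creation records: Nmap launched with scan or NSE script arguments, and a scripting host reading the Veeam credentials table, which is what the public credential-recovery script does. The field names, command-line patterns, ATT&CK technique mappings and sample events are assumptions for illustration.

```python
"""Behaviour-based triage of process-creation events for two ALPHV TTPs.

Added illustration, not SOC Prime's Sigma rules or CrowdStrike's research code.
Field names (Image, CommandLine, Computer, User), the regex patterns, the
ATT&CK mappings and the sample records below are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    title: str
    technique: str        # ATT&CK technique ID (assumed mapping)
    image: str            # regex applied to the executable path
    command_line: tuple   # regexes that must ALL match the command line


RULES = (
    Rule(
        title="Nmap scan or NSE script execution",
        technique="T1046",  # Network Service Discovery (assumed)
        image=r"(?:^|[\\/])nmap(?:\.exe)?$",
        # scan type, port list, aggressive mode or an NSE script selector
        command_line=(r"(?:--script\b|\s-s[STUV]\b|\s-p\s*\d|\s-A\b)",),
    ),
    Rule(
        title="Veeam credentials table read from a scripting host",
        technique="T1555",  # Credentials from Password Stores (assumed)
        image=r"(?:^|[\\/])(?:powershell|pwsh|sqlcmd)(?:\.exe)?$",
        # the recovery script selects user_name/password from VeeamBackup..Credentials
        command_line=(r"VeeamBackup", r"\bCredentials\b", r"\b(?:password|user_name)\b"),
    ),
)


def matches(event: dict, rule: Rule) -> bool:
    """True when the image and every command-line pattern match, case-insensitively."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    if not re.search(rule.image, image, re.IGNORECASE):
        return False
    return all(re.search(p, cmd, re.IGNORECASE) for p in rule.command_line)


def scan(events: list) -> list:
    """Return one finding per (event, rule) pair, preserving event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            if matches(ev, rule):
                findings.append({
                    "host": ev.get("Computer", "?"),
                    "user": ev.get("User", "?"),
                    "technique": rule.technique,
                    "title": rule.title,
                    "image": ev.get("Image", ""),
                })
    return findings


# Constructed sample events (not real telemetry): one true positive per rule
# plus one benign near-miss per rule.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "User": "CORP\\jdoe",
     "Image": r"C:\Users\jdoe\Downloads\nmap.exe",
     "CommandLine": r"nmap.exe -sV -p 443,902 --script vuln 10.10.0.0/24"},
    {"Computer": "WS01", "User": "CORP\\jdoe",
     "Image": r"C:\Program Files (x86)\Nmap\nmap.exe",
     "CommandLine": r"nmap.exe --version"},
    {"Computer": "VEEAM01", "User": "CORP\\svc_backup",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'''powershell.exe -ep bypass -c "$c=New-Object Data.SqlClient.SqlConnection('Server=.\VEEAMSQL2016;Database=VeeamBackup;Integrated Security=True');$c.Open();$k=$c.CreateCommand();$k.CommandText='SELECT [user_name],[password] FROM [VeeamBackup].[dbo].[Credentials]';$k.ExecuteReader()"'''},
    {"Computer": "VEEAM01", "User": "CORP\\svc_backup",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -c Get-Service Veeam*"},
]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['host']} {f['user']} {f['technique']} {f['title']}")
```

Two design points matter when tuning this for production. The Veeam rule keys on the parent image being a scripting host or SQL client rather than on the query alone, because Veeam's own service binaries legitimately read that table every day; narrowing the image set is what keeps the rule from alerting on normal backup jobs. The Nmap rule deliberately ignores a bare `nmap --version`, but a copy of Nmap appearing under a user's Downloads folder on a workstation is itself worth a lower-severity hunt query even without scan arguments.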
With the growing volume of ransomware attacks targeting the healthcare sector, the U.S. Department of Health and Human Services' OCR recently released a letter addressing the cybersecurity incident affecting Change Healthcare and numerous other healthcare entities, aimed at raising cybersecurity awareness across an industry sector highly vulnerable to ransomware. Over the past five years, there has been a 264% increase in ransomware attacks reported to OCR, which fuels the need to strengthen proactive defensive capabilities within U.S. healthcare organizations.
With intrusions growing in both number and sophistication, ransomware has been the top challenge for most organizations since 2021, including large-scale enterprises. With Attack Detective, finding ransomware attacks and identifying potential intrusions in time becomes faster, easier, and more efficient. Rely on a system that ensures comprehensive visibility of your attack surface and delivers behavior-based detection algorithms or IOCs tailored to the security solution in use, without moving your data, with ATT&CK acting as the central correlation layer.