In recent years, the Russian-based ALPHV ransomware group, also known as BlackCat, Noberus, Gold Blazer, and Alpha Spider, has emerged as a formidable cyber threat, targeting organizations worldwide and operating with a ransomware-as-a-service (RaaS) business model. With their advanced tactics and persistent attacks, ALPHV has become a significant player in the ransomware landscape targeting over 400 victims and demanding ransoms ranging from $400,000 to $3 million in cryptocurrency.
ALPHV ransomware has continued to grow for a variety of reasons since 2021; however, a large contributor to this growth is the marketing strategy utilized. ALPHV will allow affiliates to use their ransomware and keep 80-90% of the ransom with the remainder going to ALPHV, continuing the growth of their notoriety.
The ransomware itself is coded using the Rust programming language and is believed to be the first ransomware developed that uses Rust. The utilization of Rust programming language empowers ALPHV to effortlessly compile it for different operating system architectures. With its extensive array of native options, Rust offers a high level of customization, enabling attackers to pivot and personalize their attacks effectively.
Utilizing the RaaS model, many threat actors, including ALPHV, will leverage the double-extortion technique, which implements two methods of attack. The double-extortion kill chain typically follows:
Initial Breach: During this phase, the attacker successfully infiltrates the target’s systems using varying methods such as an exploited vulnerability, phishing attempt, brute force, stolen credentials to utilize remote desktop protocol, etc.
Network Reconnaissance and Lateral Movement: The threat actor conducts an assessment of the network’s security measures to identify potential detection points. Once undetected, the attacker navigates through different parts of the network, gaining access to various resources.
Data Exfiltration (Extortion Tactic #1): In the first stage of double extortion, the attacker extracts data from the compromised device without immediately demanding a ransom. The user remains unaware of their data being held hostage at this point.
Ransomware Deployment (Extortion Tactic #2): At this crucial stage of all ransomware attacks, the deployed ransomware encrypts the victim’s data, rendering it inaccessible. The user’s system is locked, and a ransom demand is prepared.
DDoS Attack on Site or Network: In this phase, the attacker notifies the user of the ongoing attack on their system. The victim is provided with instructions on how to pay the ransom to regain access to their encrypted data.
Publish Data: If the ransom is not paid, the attacker will post sensitive data, credentials, and other valued information on a name-and-shame blog utilized by the attacker.
Organizations wanting to mitigate the risks associated with ALPHV and similar ransomware groups should adopt a proactive and multi-layered approach. This includes regular employee training on identifying phishing attempts, implementing robust network security measures, regularly patching and updating software, and maintaining secure backups of critical data.