Vulnerabilities  
September 18, 2023

Azure Cloud storage infected by BlackCat ransomware using Sphynx encryption

The BlackCat (ALPHV) ransomware group has adopted a new approach, leveraging pilfered Microsoft accounts in conjunction with the newly identified Sphynx encryption tool to lock down Azure cloud storage belonging to their victims.

During an examination of a recent security breach, experts from an incident response team found that the assailants had integrated a fresh variant of Sphynx. This updated version now includes the capability to utilise customised credentials, allowing them to exploit compromised Microsoft accounts.

After obtaining access to the Sophos Central account by pilfering a One-Time Password (OTP), the malicious actors proceeded to disable Tamper Protection and manipulate security policies. These actions were made feasible by absconding with the OTP, which they extracted from the victim's LastPass vault using the LastPass Chrome extension.

Following this, they initiated the encryption of the Sophos customer's systems and remote Azure cloud storage, affixing the .zk09cvt extension to all files they locked. In total, the ransomware operators were successful in encrypting 39 Azure Storage accounts.

To infiltrate the victim's Azure portal, they employed a stolen Azure key, which granted them access to the specific storage accounts they were targeting. These keys were incorporated into the ransomware binary after encoding them using Base64.
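A defender-side check for the detail above, that the stolen storage keys were carried inside the ransomware binary as Base64. This added Python example (not from the article or from any vendor tool) scans a constructed sample blob for Base64 runs that decode to an Azure storage connection string and reports only a truncated key fingerprint; the blob, account name and key are constructed placeholders.

```python
import base64
import re

# Constructed sample: a fake binary blob carrying a Base64-encoded Azure storage
# connection string. Account name and key are placeholders, not real values.
FAKE_CONN = (
    "DefaultEndpointsProtocol=https;AccountName=victimstorage001;"
    "AccountKey=" + base64.b64encode(b"\x01" * 64).decode() + ";"
    "EndpointSuffix=core.windows.net"
)
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 16
    + b"--start-of-config--"
    + base64.b64encode(FAKE_CONN.encode())
    + b"\x00--end--\x00" + b"SGVsbG8gd29ybGQ=" + b"\x00"
)

# Any Base64 run long enough to hold a connection string (short runs are noise).
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")
# An Azure storage connection string names the account and carries its key,
# a 64-byte secret that Base64-encodes to 88 characters ending in "==".
AZURE_KEY = re.compile(
    r"AccountName=([A-Za-z0-9]{3,24});.*?AccountKey=([A-Za-z0-9+/]{86}==)"
)


def find_embedded_azure_keys(blob: bytes) -> list:
    """Return one hit per Base64-wrapped Azure storage credential found in blob."""
    hits = []
    for m in B64_RUN.finditer(blob):
        try:
            decoded = base64.b64decode(m.group(0), validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid Base64, or not text: skip this run
        k = AZURE_KEY.search(decoded)
        if k:
            hits.append({
                "offset": m.start(),
                "account": k.group(1),
                # Only a short prefix is recorded so the full key never lands in logs.
                "key_fingerprint": k.group(2)[:6] + "...",
            })
    return hits


if __name__ == "__main__":
    for hit in find_embedded_azure_keys(SAMPLE_BLOB):
        print(f"offset {hit['offset']}: account {hit['account']} "
              f"key {hit['key_fingerprint']}")
```

The same scan applied to a dropped binary or memory dump is a quick way to confirm which storage accounts a sample was built to reach, so their keys can be rotated first.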

The attackers leveraged a variety of Remote Monitoring and Management (RMM) tools such as AnyDesk, Splashtop, and Atera throughout the course of the intrusion.

It's worth noting that the Sphynx variant was identified in March 2023 during an investigation into a data breach that exhibited similarities to another attack detailed in an IBM X-Force report published in May. In both instances, the ExMatter tool was employed to extract pilfered data.

Microsoft reported last month that the new Sphynx encryptor incorporates the RemCom hacking tool and the Impacket networking framework. These additions enhance its capability for lateral movement across compromised networks.

BlackCat/ALPHV, a ransomware operation that surfaced in November 2021, is believed to be a rebranding of DarkSide/BlackMatter.

Originally known as DarkSide, this group gained worldwide notoriety when it breached Colonial Pipeline, prompting immediate scrutiny from law enforcement agencies around the globe.

Despite rebranding as BlackMatter in July 2021, their operations came to an abrupt halt in November when authorities seized their servers and the security firm Emsisoft developed a decryption tool by exploiting a vulnerability in their ransomware.

This group has consistently earned a reputation as one of the most sophisticated and prominent ransomware organisations targeting global enterprises. They continuously adapt and refine their tactics.

For instance, last summer, they adopted a new extortion strategy, using a dedicated clear web website to publicly disclose the stolen data of specific victims. This allowed the victims' customers and employees to check if their data had been compromised.

More recently, in July, BlackCat introduced a data leak API designed to streamline the release of pilfered data.

This week, one of the gang's affiliates claimed responsibility for the attack on MGM Resorts. They stated that they encrypted over 100 ESXi hypervisors after the company took down its internal infrastructure and refused to negotiate a ransom payment.

In April, a warning was issued pointing out that the group was responsible for successful breaches of more than 60 entities worldwide between November 2021 and March 2022.
