{"id":222523,"date":"2022-01-26T20:03:00","date_gmt":"2022-01-26T19:03:00","guid":{"rendered":"https:\/\/www.intrinsec.com\/?p=222523"},"modified":"2022-01-26T20:03:00","modified_gmt":"2022-01-26T19:03:00","slug":"alphv-ransomware-gang-analysis","status":"publish","type":"post","link":"https:\/\/www.intrinsec.com\/en\/alphv-ransomware-gang-analysis\/","title":{"rendered":"ALPHV ransomware gang analysis"},"content":{"rendered":"\n\n\n\n[et_pb_section][et_pb_row][et_pb_column type=\u00a0\u00bb4_4&Prime;][et_pb_text]<!-- divi:paragraph -->\n<p><strong>ALPHV<\/strong> (or <strong>BlackCat or Noberus<\/strong>) <strong>ransomware<\/strong> emerged only <strong>last December<\/strong> and is already considered as a <strong>genuine threat<\/strong> that blue teams should be ready to fight against while little is known on the employed entry vector(s).<\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p>This conjecture relies not only on the <strong>high level of developing skills<\/strong> required to build such <strong>peculiar ransomware payloads and dedicated leak sites<\/strong> but also more <strong>resilient and secure architecture<\/strong>; the number of high-profile victims is already growing <strong>at a fast pace <\/strong>and could keep switching between<strong> big and mid game hunting <\/strong>in the coming months\/years. Moreover, though not yet proven, <strong>ALPHV<\/strong> intends to embrace <strong>a triple extortion scheme<\/strong> by launching <strong>DDoS<\/strong> towards victims\u2019 assets if the ransom is not paid.<\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p>As far as the threat <strong>genealogy<\/strong> is concerned, <strong>Darkweb forum analysis<\/strong> allows us to conjecture that at least one actor (affiliate and\/or operator and\/or web developer) with recent or past ties to <strong>Darkside\/BlackMatter\/REvil<\/strong> decided to jump into a new <strong>RaaS<\/strong> program referred to as <strong>ALPHV<\/strong>. In addition, we found that another actor could have been somewhat involved in the <strong>LockBit<\/strong> and\/or the <strong>ALPHV RaaS program. <\/strong>After pivoting from its avatar, we found with medium high confidence that the ransomware brand was inspired by a cult Russian movie where the <strong>Black Cat<\/strong> gang leaves a cat drawing or an actual cat at the scene of the crime.<\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p>Last but not least, we found a running tool being leveraged by affiliates of <strong>ALPHV<\/strong> to download and run payloads upon an attack, from a remote server, which possesses strong code overlap with the <strong>LockBit\u2019s<\/strong> running tool.<\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p>At the end of the document, we provide <strong>actionable intelligence to strengthen relevant layers of defences<\/strong> seeking to reduce or pre-empt the impact of this emerging threat.<\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:heading {\"level\":3} -->\n<h3 id=\"h-table-of-contents\">Table of contents<\/h3>\n<!-- \/divi:heading -->\n\n<!-- divi:list -->\n<ul id=\"description-chronology\"><li><a href=\"\/#intrusion-set\">Intrusion Set<\/a><ul><li><a href=\"\/#description-chronology\">Description\/Chronology <\/a><\/li><li><a href=\"\/#aliases\">Aliases<\/a><\/li><li><a href=\"\/#primary-motivation\">Primary motivation<\/a><\/li><li><a href=\"\/#goals\">Goals<\/a><\/li><li><a href=\"\/#targets-identity-location-or-vulnerability\">Targets (identify, location or vulnerability)<\/a><\/li><li><a href=\"\/#attribution-genealogy\">Attribution\/Genealogy<\/a><\/li><\/ul><\/li><li><a href=\"\/#analysis\">Analysis<\/a><ul><li><a href=\"\/#frontend-and-backend-analysis-of-dls\">Frontend and backend analysis of DLS<\/a><\/li><li><a href=\"\/#analysis-of-the-ransomware-as-a-service-program\">Analysis of the ransomware-as-a-service program<\/a><\/li><li><a href=\"\/#commonalities-between-lockbit2-0-and-alphv\">Commonalities between LockBit2.0 and ALPHV<\/a><\/li><li><a href=\"\/#ttps\">TTPs<\/a><\/li><li><a href=\"\/#malware-s-tool-s\">Malware(s)\/Tool(s)<\/a><\/li><li><a href=\"\/#vulnerabilities\">Vulnerabilities<\/a><\/li><li><a href=\"\/#course-of-action\">Course of action<\/a><\/li><\/ul><\/li><li><a href=\"\/#references\">References<\/a><\/li><li><a href=\"\/#appendix\">Appendix<\/a><ul><li><a href=\"\/#malware-information\">Malware information<\/a><\/li><li><a href=\"\/#threat-actor\">Threat actor<\/a><\/li><li><a href=\"\/#FAQ\">FAQ dedicated to its affiliates (published on the public DLS of ALPHV)<\/a><\/li><li><a href=\"\/#domain\">Domain analysis of the ALPHV&rsquo;s infrastructure<\/a><\/li><\/ul><\/li><\/ul>\n<!-- \/divi:list -->\n\n<!-- divi:paragraph -->\n<p><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:heading {\"textColor\":\"vivid-red\"} -->\n<h2 class=\"has-vivid-red-color has-text-color\" id=\"intrusion-set\">Intrusion Set<\/h2>\n<!-- \/divi:heading -->\n\n<!-- divi:heading {\"level\":3} -->\n<h3 id=\"description-chronology\">Description\/Chronology<\/h3>\n<!-- \/divi:heading -->\n\n<!-- divi:paragraph -->\n<p>To the best of our knowledge, the first attack that deployed <strong>ALPHV<\/strong> <strong>RaaS<\/strong> was reported by <a href=\"file:\/\/sisec-filer-01\/Share$\/Activit\u00e9s\/CTI\/Interne\/04.Zone%20de%20travail\/01.Relectures%20alertes\/Relectures%20-%20BI\/Menaces\/(12)%20-%20D\u00e9cembre%20-%202021\/ALPHV%20(aka%20BlackCat)\/\u2022https:\/symantec-enterprise-blogs.security.com\/blogs\/threat-intelligence\/noberus-blackcat-alphv-rust-ransomware\">Symantec<\/a>. Three variants in total hit hundreds of machines on <strong>November 18, 2021<\/strong> while the first <strong>suspicious<\/strong> network activity had been <strong>observed on November 3<\/strong>.<\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:heading {\"level\":3} -->\n<h3 id=\"aliases\">Aliases<\/h3>\n<!-- \/divi:heading -->\n\n<!-- divi:paragraph -->\n<p>The group is referred to as <strong>ALPHV<\/strong> and is also known as <strong>BlackCat<\/strong> (because of a black cat icon set by the group in the first version of their dedicated leak site) or <a href=\"file:\/\/sisec-filer-01\/Share$\/Activit\u00e9s\/CTI\/Interne\/04.Zone%20de%20travail\/01.Relectures%20alertes\/Relectures%20-%20BI\/Menaces\/(12)%20-%20D\u00e9cembre%20-%202021\/ALPHV%20(aka%20BlackCat)\/mu75ltv3lxd24dbyu6gtvmnwybecigs5auki7fces437xvvflzva2nqd.onion\"><strong>Noberus<\/strong><\/a><strong> <\/strong>(by Symantec).<\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:heading {\"level\":3} -->\n<h3 id=\"primary-motivation\">Primary motivation<\/h3>\n<!-- \/divi:heading -->\n\n<!-- divi:paragraph -->\n<p><strong>Financial gains<\/strong><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:heading {\"level\":3} -->\n<h3 id=\"goals\">Goals<\/h3>\n<!-- \/divi:heading -->\n\n<!-- divi:paragraph -->\n<p><strong>ALPHV<\/strong> aims at stealing confidential information, encrypting files and then demanding a ransom that needs to be paid, otherwise threat actors publish the collected information or sell it to interested third parties.&nbsp;<\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:heading {\"level\":3} -->\n<h3 id=\"targets-identity-location-or-vulnerability\">Targets (identity, location or vulnerability)<\/h3>\n<!-- \/divi:heading -->\n\n<!-- divi:paragraph -->\n<p>The array below presents known victims hit by <strong>ALPHV<\/strong> ransomware; please note that it is usually an underestimated list. Upon our analysis we already found some probable victims that remained under the scope of the cybersecurity community so far. From the limited amount of data available one can highlight that, as it is commonly observed, the most targeted countries are primarily American and then European. Another common trait also emerging here is the almost indiscriminate type of sector being targeted.<\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:table {\"className\":\"is-style-stripes\"} -->\n<figure class=\"wp-block-table is-style-stripes\"><table><tbody><tr><td><strong>Victim<\/strong><\/td><td><strong>Country<\/strong><\/td><td><strong>Sector<\/strong><\/td><td><strong>Date<\/strong><\/td><\/tr><tr><td>Content available in a Private release<\/td><td>Romania<\/td><td>Heavy industries<\/td><td>23 January 2022<\/td><\/tr><tr><td>Content available in a Private release<\/td><td>UK<\/td><td>Financial organizations<\/td><td>18 January 2022<\/td><\/tr><tr><td>Content available in a Private release<\/td><td>Italy<\/td><td>Retail<\/td><td>17 January 2022<\/td><\/tr><tr><td>Content available in a Private release<\/td><td>United States of America<\/td><td>Construction<\/td><td>17 January 2022<\/td><\/tr><tr><td>Content available in a Private release<\/td><td>United States of America<\/td><td>Financial organizations<\/td><td>16 January 2022<\/td><\/tr><tr><td>Content available in a Private release<\/td><td>China<\/td><td>Heavy industries<\/td><td>16 January 2022<\/td><\/tr><tr><td>Content available in a Private release<\/td><td>United States of America<\/td><td>Heavy industries<\/td><td>16 January 2022<\/td><\/tr><tr><td>Content available in a Private release<\/td><td>Bahamas<\/td><td>Local administrations<\/td><td>07 January 2022<\/td><\/tr><tr><td>Content available in a Private release<\/td><td>United States of America<\/td><td>Food and drinks businesses<\/td><td>01 January 2022<\/td><\/tr><tr><td>Content available in a Private release<\/td><td>Netherlands<\/td><td>Insurance services<\/td><td>01 January 2022<\/td><\/tr><tr><td>Content available in a Private release<\/td><td>Germany<\/td><td>Technologies<\/td><td>01 January 2022<\/td><\/tr><tr><td>Content available in a Private release<\/td><td>United States of America<\/td><td>Information technologies consulting<\/td><td>31 December 2021<\/td><\/tr><tr><td>Content available in a Private release<\/td><td>United States of America<\/td><td>Financial organizations<\/td><td>29 December 2021<\/td><\/tr><tr><td>Content available in a Private release<\/td><td>United States of America<\/td><td>Information technologies consulting<\/td><td>29 December 2021<\/td><\/tr><tr><td>Content available in a Private release<\/td><td>Australia<\/td><td>Manufacturing<\/td><td>29 December 2021<\/td><\/tr><tr><td>Content available in a Private release<\/td><td>United States of America<\/td><td>Technologies<\/td><td>29 December 2021<\/td><\/tr><tr><td>Content available in a Private release<\/td><td>Canada<\/td><td>Energy<\/td><td>29 December 2021<\/td><\/tr><tr><td>Content available in a Private release<\/td><td>France<\/td><td>Transportation Services<\/td><td>27 December 2021<\/td><\/tr><tr><td>Content available in a Private release<\/td><td>Puerto Rico<\/td><td>Food and drinks businesses<\/td><td>24 December 2021<\/td><\/tr><tr><td>Content available in a Private release<\/td><td>Spain<\/td><td>Pharmacy and drugs manufacturing<\/td><td>25 December 2021<\/td><\/tr><tr><td>Content available in a Private release<\/td><td>United States of America<\/td><td>Technologies<\/td><td>22 December 2021<\/td><\/tr><tr><td>Content available in a Private release<\/td><td>France<\/td><td>Information technologies consulting<\/td><td>19 December 2021<\/td><\/tr><tr><td>Content available in a Private release<\/td><td>Germany<\/td><td>Transportation Services<\/td><td>19 December 2021<\/td><\/tr><tr><td>Content available in a Private release<\/td><td>Unknown<\/td><td>Unknown<\/td><td>17 December 2021<\/td><\/tr><tr><td>Content available in a Private release<\/td><td>Philippines<\/td><td>Retail<\/td><td>14 December 2021<\/td><\/tr><tr><td>Content available in a Private release<\/td><td>United States of America<\/td><td>Mining<\/td><td>10 December 2021<\/td><\/tr><tr><td>Content available in a Private release<\/td><td>United States of America<\/td><td>Engineering consulting<\/td><td>08 December 2021<\/td><\/tr><\/tbody><\/table><\/figure>\n<!-- \/divi:table -->\n\n<!-- divi:heading {\"level\":3} -->\n<h3 id=\"attribution-genealogy\">Attribution\/Genealogy<\/h3>\n<!-- \/divi:heading -->\n\n<!-- divi:paragraph -->\n<p>Attribution of the intrusion set is at first glance contradictory, as on one hand, according to <a href=\"https:\/\/support.recordedfuture.com\/hc\/en-us\/articles\/4412359150739?__hstc=156209188.e47361c5063e48f6477f4dff7a1dbd61.1641680597400.1641680597400.1641680597400.1&amp;__hssc=156209188.1.1641680597400&amp;__hsfp=572240617\">Recorded Future experts<\/a> the operator of <strong>ALPHV<\/strong> had been previously a member of the well-known ransomware group <strong>REvil; <\/strong>while on the other hand<strong>,<\/strong> according to the <a href=\"hxxp:\/\/xssforumv3isucukbxhdhwz67hoa5e2voakcfkuieq4ch257vsburuid[.]onion\/threads\/59932\/#post-397610\">official LockBit Support account on<\/a> the Russian Cybercrime forum XSS, the <strong>ALPHV<\/strong> is a rebranding of <strong>Darkside \/ BlackMatter<\/strong> ransomware brands (see Figure 1).<\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:image {\"align\":\"center\",\"id\":222527,\"sizeSlug\":\"full\",\"linkDestination\":\"none\"} -->\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img decoding=\"async\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2022\/01\/1.png\" alt=\"\" class=\"wp-image-222527\"\/><figcaption>Figure 1 : <em>Screenshot of a post by the official LockBit Support, 2nd most impactful ransomware gang claiming that ALPHV operator was a former member of Darkside \/ BlackMatter, ransomware brands.<\/em><\/figcaption><\/figure><\/div>\n<!-- \/divi:image -->\n\n<!-- divi:paragraph -->\n<p><strong>ALPHV<\/strong> operator was also seen replying to a troll feed on <strong>XSS<\/strong> forum targeting <strong>LockBit<\/strong> (see Figure 2), which could indicate that they are competitors. <strong>ALPHV<\/strong> owns a business-oriented premium account that costs about one hundred dollars per year, which shows the intention of the latter to weight into the <strong>RaaS<\/strong> landscape.<\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:image {\"align\":\"center\",\"id\":222528,\"width\":628,\"height\":279,\"sizeSlug\":\"large\",\"linkDestination\":\"none\"} -->\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large is-resized\"><img fetchpriority=\"high\" decoding=\"async\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2022\/01\/Capture-decran-2022-01-26-144152-1024x455.png\" alt=\"\" class=\"wp-image-222528\" width=\"628\" height=\"279\"\/><figcaption>Figure 2 : <em>On the left, a screenshot taken on December 28, 2021 from a random channel of the Russian cybercrime Forum XSS. ALPHV operator replied to the trolling post of another user named Kelegen (on the right) claiming that the LockBit Dedicated Leak Site was pwned. The premium account &lsquo;ALPHV&rsquo; was created on December 9, 2021 and has posted so far only this short message.<\/em><\/figcaption><\/figure><\/div>\n<!-- \/divi:image -->\n\n<!-- divi:paragraph -->\n<p>An analysis from <strong>Korean<\/strong> <strong>Threat Intelligence<\/strong> <a href=\"https:\/\/medium.com\/s2wblog\/blackcat-new-rust-based-ransomware-borrowing-blackmatters-configuration-31c8d330a809\"><strong>S2W Lab company<\/strong><\/a> pinpointed that like other <strong>RaaS<\/strong> ransomgangs, a config file is leveraged as an input to endow the ransomware with custom features tailored for the victims (see Analysis for details). Of note is the strong overlap with the config file previously used by <strong>BlackMatter<\/strong>. From the timeline provided by <strong>S2W <\/strong>though, they conclude that it would have been too soon for <strong>ALPHV<\/strong> to rebrand from <strong>BlackMatter<\/strong> while rewriting from scratch a DLS <a>(Dedicated Leak Site)<\/a>and a <strong>RUST<\/strong>-based ransomware. This could substantiate at the first glance an attribution to the <strong>REvil<\/strong> ransom cartel whom&nbsp;first shutdown occurred in July 2021 and then was hacked and forced offline after a comeback since the end of October this year but there is too little material at the time of writing to conclude.<\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p>As far as <strong>BlackMatter<\/strong> is concerned however, technical evidences such as the encryption routine study and <a href=\"https:\/\/www.mcafee.com\/blogs\/enterprise\/mcafee-enterprise-atr\/blackmatter-ransomware-analysis-the-dark-side-returns\/\">code similarities<\/a> show that <strong>BlackMatter<\/strong> signed the come-back of <strong>Darkside<\/strong> core teams. This revival took place at the moment of <strong>Darkside<\/strong>\u2019s disappearance following its infamous <strong>Colonial Pipeline<\/strong> major attack. We shall then recall the genesis of <strong>Darkside, <\/strong>which was born in August 2020 when pentesters first<a> <\/a>rent <strong>REvil<\/strong> <strong>RaaS<\/strong> (operated by <strong>Pinchy Spider<\/strong>) until <strong>Carbon Spider<\/strong> operated its own variant based on the code of <strong>REvil<\/strong> that became <strong>Darkside<\/strong>. To conclude on that first part, we thus underline past ties between <strong>Revil<\/strong> and <strong>Darkside<\/strong> as well as more recently between <strong>Darkside<\/strong> and <strong>BlackMatter<\/strong>.<\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p>As far as the ransomware code is concerned we shall underline that <strong>BlackMatter<\/strong> is a <a href=\"https:\/\/chuongdong.com\/reverse%20engineering\/2021\/09\/05\/BlackMatterRansomware\/#ransom-note\">mashup between LockBit, Darkside, and REvil<\/a>.<\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p>A possible scenario would be that at least one actor (affiliate and\/or operator and\/or web developer) with recent or past ties to <strong>Darkside\/BlackMatter\/REvil<\/strong> decided to jump into a new <strong>RaaS<\/strong> program referred to as <strong>ALPHV<\/strong>, but this assumption remains speculative at this stage.<\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p>From another interesting conversation on the <strong>RAMP<\/strong> forum about the withdrawal of <strong>BlackMatter<\/strong> and assumptions on their next move, an avatar named <a href=\"hxxp:\/\/rampjcdlqvgkoz5oywutpo6ggl7g6tvddysustfl6qzhr5osr24xxqqd[.]onion\/members\/blackcat46.164\/\"><em>BlackCat46<\/em><\/a><em> <\/em>also arouse our interest (see Figure 3)<em>. <\/em>Indeed, it turns out that the latter participated in the past not only in a similar conversation on the Russian cybercrime XSS forum with the same account name, but also in other topics involving the <strong>LockBitSupp<\/strong> account. <\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:image {\"align\":\"center\",\"id\":222549,\"width\":544,\"height\":399,\"sizeSlug\":\"full\",\"linkDestination\":\"none\"} -->\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full is-resized\"><img decoding=\"async\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2022\/01\/3.png\" alt=\"\" class=\"wp-image-222549\" width=\"544\" height=\"399\"\/><figcaption><em>Figure 3 Screenshot taken from Russian cybercrime XSS forum, displaying that LockBit claims to know the operator of ALPHV, a former member of the infamous REvil group, and that BlackCat46 liked this assumption. Its avatar on XSS and Exploit, both major Russian-speaking cybercrime forums, represent a picture of the famous Russian revolutionary LENIN taken in Gorki where he spent the last year of his life.<\/em><\/figcaption><\/figure><\/div>\n<!-- \/divi:image -->\n\n<!-- divi:paragraph -->\n<p>This could show that the latter has a particular interest in <strong>BlackMatter<\/strong> and a kind of \u2018friendship\u2019 with the <strong>LockBit<\/strong> operator; at the very least, a cross-analysis of its avatar content shows a particular tropism for <strong>RaaS<\/strong> programs.<\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p>In addition to that, the most recent avatar on <strong>RAMP<\/strong> of BlackCat46 is an angry cat, which obviously reminds the free black cat icon that was chosen by <strong>ALPHV<\/strong> for private onion negotiation sites (also angry). By reverse image search analysis, we found its <strong>RAMP<\/strong> avatar <a href=\"https:\/\/zlodei.fandom.com\/ru\/wiki\/%D0%A7%D1%91%D1%80%D0%BD%D0%B0%D1%8F_%D0%BA%D0%BE%D1%88%D0%BA%D0%B0_(%D0%B1%D0%B0%D0%BD%D0%B4%D0%B0)\">on an entertainment website<\/a> illustrating a 1979 cult film upon the Former Soviet Union called \u2018The Meeting Place Cannot Be Changed.\u2019 &nbsp;The plot synopsis is not without remembering what could experience members of <strong>RaaS<\/strong> programs in which a gang of armed robbers calling itself \u00ab\u00a0The <strong>Black Cat<\/strong>\u00a0\u00bb keeps evading capture. Even more striking is the bleeding knife website <strong>icon<\/strong> used for the crime investigation category that turns out to be the very same used on the public DLS of <strong>ALPHV<\/strong> (see Figure 4). We retrieved the link between those two observed website icons by <strong>ALPHV<\/strong> on their Private and Public DLS.<\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:image {\"align\":\"center\",\"id\":222529,\"sizeSlug\":\"large\",\"linkDestination\":\"none\"} -->\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img decoding=\"async\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2022\/01\/Capture-decran-2022-01-26-142812-1024x418.png\" alt=\"\" class=\"wp-image-222529\"\/><figcaption><em>Figure 4 :<\/em> <em>On the left, the profile of BlackCat46 on RAMP forum. On the right, an illustration obtained by reverse image analysis of the BlackCat46 avatar on RAMP forum linked to a cult Russian movie where the Black Cat gang leaves a cat drawing or an actual cat at the scene of the crime. The knife icon of the website used for the crime investigation category matches the one used by ALPHV on their Public DLS.<\/em><\/figcaption><\/figure><\/div>\n<!-- \/divi:image -->\n\n<!-- divi:paragraph -->\n<p>Based on topics and conversations in which <em>BlackCat46<\/em> is involved, we think that his profile could fit the one of an affiliate being involved in <strong>RaaS<\/strong> program with pentesting skills. More interesting is that the latter requested <a href=\"hxxps:\/\/forum.exploit[.i]n\/topic\/198881\/?tab=comments#comment-1260078\">help to protect against DDOS attacks<\/a> on the aforementioned Russian cybercrime forum known as <strong>\u2018Exploit\u2019<\/strong> (with the same Lenin avatar picture and account name <em>BlackCat46<\/em> than was observed on <strong>XSS<\/strong>). This recalls the fact that <strong>ALPHV<\/strong> named and shamed <strong>LockBit<\/strong>, which recently suffered <strong>DDOS<\/strong> attacks right after the latter defrayed the chronicle by leaking very sensitive data of <strong>Accenture<\/strong> on their centralized DLS reachable by a unique onion domain. It is assumed&nbsp;that the hack back was triggered by victims\u2019 third parties assisting with incident response and\/or US agencies according to <strong>LockBit<\/strong> operator. As a result, one could conjecture that <em>BlackCat46<\/em> could have been somewhat involved into the <strong>LockBit<\/strong> <strong>RaaS<\/strong> program and\/or the <strong>ALPHV<\/strong> one to avoid being hacked back by <strong>DDoS<\/strong> attacks.<\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:heading {\"textColor\":\"vivid-red\"} -->\n<h2 class=\"has-vivid-red-color has-text-color\" id=\"analysis\">Analysis<\/h2>\n<!-- \/divi:heading -->\n\n<!-- divi:heading {\"level\":3} -->\n<h3 id=\"frontend-and-backend-analysis-of-dls\">Frontend and backend analysis of DLS<\/h3>\n<!-- \/divi:heading -->\n\n<!-- divi:paragraph -->\n<p><a href=\"https:\/\/medium.com\/s2wblog\/blackcat-new-rust-based-ransomware-borrowing-blackmatters-configuration-31c8d330a809\"><strong>S2W Lab<\/strong><\/a> also showed that the <strong>frontend<\/strong> developing was carried out in three stages. First, a Private Leak Site was used (now down) that became a unique Public Dedicated Leak Site (DLS) while negotiation site are unique per victim. For this, a UUID is generated via the command:<\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p><em>cmd \/c wmic csproduct get UUID<\/em><em><\/em><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p>This command is used to generate an access key being required to reach the correct URL following this scheme:<\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph {\"align\":\"center\"} -->\n<p class=\"has-text-align-center\"><em>hxxp:\/\/Av3TorUniqueHiddenWebAddress[.]onion\/?access-key=${ACCESS_KEY}\u00a0\u00bb<\/em><em><\/em><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p><strong>As far as the Public Leak Site of<\/strong> <strong>ALPHV<\/strong> is concerned, its technology relies for the frontend on <a href=\"https:\/\/github.com\/angular\/angular\"><strong>Angular<\/strong><\/a>, which enhances users experience with single page applications. This extensively used open source framework is coupled to <strong>zone.js <\/strong>to reduce UI refreshing when change detection occurs.<\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p>From our experience, this web technology is not often encountered and translates good skills in terms of web developing. The web developer could be a dedicated person and not necessarily the operator maintaining in operational conditions the infrastructure. As a result, an automated survey of their Public Dedicated Leak Site (<strong>DLS<\/strong>) by CTI teams is more difficult. Fortunately we found a workaround to provide information on victims that can be ingested in an automated way:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p><em>Content available in the Private release<\/em><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p><strong>Concerning the backend<\/strong>, this group claims to have learned from other ransom-cartels\u2019 mistakes such as <strong>Conti<\/strong>, which recently saw their servers uncovered by the Prodaft Threat Intel team. Also peculiar is the generation of <strong>a unique onion domain per each new company<\/strong> hit by <strong>ALPHV<\/strong> ransomware. This change of modus operandi was most likely driven by the intention to reduce the impact of the aforementioned <strong>DDOS<\/strong> attack.<\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p><strong>ALPHV<\/strong> offer an intricate affiliate program (see appendix) with self-deletion scripts, a built-in Bitcoin mixer integrated, which does not communicate with the ALPHV infrastructure backend. The latter is fragmented into nodes that are interconnected through a whole network of pads within the onion network being behind a Network Address Translation (NAT) so genuine IP addresses are not directly accessible from the internet and are protected by a firewall.<\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:heading {\"level\":3} -->\n<h3 id=\"analysis-of-the-ransomware-as-a-service-program\">Analysis of the Ransomware-as-a-service program<\/h3>\n<!-- \/divi:heading -->\n\n<!-- divi:paragraph -->\n<p>Since early December 2021, the operator of <strong>ALPHV<\/strong> has been promoting its <strong>RaaS<\/strong> program on the underground Russian forums <strong>RAMP<\/strong> (see an English translation in appendix) inviting other criminals to join ransomware attacks against large companies. The operator mentioned later that only Russian speaking affiliate could join the program either by payment or by skill. It is worth mentioning though that overall, more and more Chinese translations are found on underground forums in a sort of an objective alliance between countries of <a href=\"https:\/\/worldpopulationreview.com\/country-rankings\/cis-countries\">Commonwealth of Independent States<\/a> and China black hats against western countries. The operator claims that the malware can encrypt data on systems running Windows, Linux and VMware ESXi, and partners will receive 80% to 90% of the final ransom, depending on the total amount received from the victims.<\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:image {\"align\":\"center\",\"id\":222530,\"width\":770,\"height\":336,\"sizeSlug\":\"large\",\"linkDestination\":\"none\"} -->\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large is-resized\"><img decoding=\"async\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2022\/01\/4-1024x447.png\" alt=\"\" class=\"wp-image-222530\" width=\"770\" height=\"336\"\/><figcaption><em>Figure 5 : ALPHV operator named RANSOM joined the RAMP forum the 8th December, 2021 and depicted the day after its RaaS affiliate program. RAMP is a Russian-speaking underground forum that was launched in July 2021. The operator of RAMP was linked to the operator of Babuk and Payload.bin. N.B: we translated this page into English.<\/em><\/figcaption><\/figure><\/div>\n<!-- \/divi:image -->\n\n<!-- divi:paragraph -->\n<p><strong>ALPHV<\/strong> operators were also seen on another underground Russian forum known as <strong>Exploit<\/strong> (see Figure 6) where they were actively recruiting pentesters specialized in Windows\/Linux and ESXi. In the same post, they shared two TOX addresses and a jabber address to discuss in a secure environment.<\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:image {\"align\":\"center\",\"id\":222531,\"width\":743,\"height\":341,\"sizeSlug\":\"large\",\"linkDestination\":\"none\"} -->\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2022\/01\/100-1024x470.png\" alt=\"\" class=\"wp-image-222531\" width=\"743\" height=\"341\"\/><figcaption><em>Figure 6 : Screenshot taken from the Exploit underground forum showing the active recruiting process engaged by ALPHV to collaborate with pentesters specialized in Windows\/Linux and ESXi. They shared two TOX addresses and a Jabber to discuss in a secure environment.<\/em><\/figcaption><\/figure><\/div>\n<!-- \/divi:image -->\n\n<!-- divi:paragraph -->\n<p><strong>Focusing now on the ransomware anatomy<\/strong>, the latter encrypts selected files throughout a whitelist and adds custom extensions to infected files (7 length extension such as .sykffle was so far witnessed in the wild for this program and most of the time chosen randomly). A peculiar trait of this ransomware upon deployment is its ability throughout command-line to apply numerous options (reachable via \u2013help). Available features are presented for Windows and Linux systems respectively in Figure 7 and Figure 8.<\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:image {\"align\":\"center\",\"id\":222532,\"sizeSlug\":\"full\",\"linkDestination\":\"none\"} -->\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img decoding=\"async\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2022\/01\/6.png\" alt=\"\" class=\"wp-image-222532\"\/><figcaption><em>Figure 7 : Features provided by a representative sample of an ALPHV ransomware sample targeting Windows systems.<\/em><\/figcaption><\/figure><\/div>\n<!-- \/divi:image -->\n\n<!-- divi:image {\"align\":\"center\",\"id\":222533,\"width\":657,\"height\":304,\"sizeSlug\":\"full\",\"linkDestination\":\"none\"} -->\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2022\/01\/5.png\" alt=\"\" class=\"wp-image-222533\" width=\"657\" height=\"304\"\/><figcaption><em>Figure 8 : Features provided by a representative sample of an ALPHV ransomware sample targeting Linux systems<\/em><\/figcaption><\/figure><\/div>\n<!-- \/divi:image -->\n\n<!-- divi:paragraph -->\n<p><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p>Every sample can be customized via an embedded JSON configuration file as shown by <a href=\"https:\/\/github.com\/Bleeping\/BlackCat-ALPHV-Ransomware\">Bleeping computer<\/a> that enables common features such as creating a unique access token is a previously seen anti-analysis tactic used by similar threats such as for the victim to keep negotiations for private, changing extensions, ransom notes, data encryption, exclusions of folders\/files\/extensions, and the services and processes to be automatically killed to crank up the impact. Supplying an access token as a parameter is previously seen anti-analysis tactic such as threats like <a href=\"https:\/\/www.sentinelone.com\/labs\/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone\/\">Egregor<\/a>.<\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:image {\"align\":\"center\",\"id\":222534,\"sizeSlug\":\"large\",\"linkDestination\":\"none\"} -->\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img decoding=\"async\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2022\/01\/7-1024x371.png\" alt=\"\" class=\"wp-image-222534\"\/><figcaption><em>Figure 9 : Screenshot of a representative sample of the config file extracted from a Windows ALPHV ransomware strain. Admin credentials and the victim\u2019s name could be stored and could leak upon negotiations to the public even before being exposed on ALPHV\u2019s DLS if a payload is pushed towards a third-party platform. Several features that can be enabled or disabled make this ransomware very versatile and impactful, in particular the capability of ESXi VM and Snapshot kill.<\/em><\/figcaption><\/figure><\/div>\n<!-- \/divi:image -->\n\n<!-- divi:paragraph -->\n<p>We could extract and analyse several outputs of both Linux and Windows samples and confirm the conclusions of <strong>S2W<\/strong> (see Figure 9). Of important note is that every successful attack stores Admin credentials and the victim\u2019s name into specific fields of the config file that could become public once payloads are submitted to third-party platforms such as Virustotal (please see an obfuscated example displayed via an <a href=\"https:\/\/github.com\/f0wl\/blackCatConf\">open-source script<\/a>).<\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p>Every compiled sample analysed so far would have been compiled via the emerging <strong>Rust<\/strong> language, instead of a more commonly encountered C\/C++ language. Rust is a multi-paradigm programming language, developed by Mozilla in 2010. As a matter of fact, it is the <a href=\"https:\/\/therecord.media\/alphv-blackcat-is-the-first-professional-ransomware-gang-to-use-rust\/\">third<\/a> impactful malware written in <strong>Rust<\/strong> language, and <strong>the first of a kind as a Ransomware-as-a-service<\/strong>. Such a peculiar choice was probably made not only because <strong>Rust<\/strong> is a cross-platform language (Windows, Linux, OSX) but also to better evade existing detection capabilities and reverse engineering methods. Moreover, when compared with C\/C++ programming language, as <strong>Rust<\/strong> applies stricter rules, the latter could be considered more secure by default in the eyes of a programmer. Alternatively the <strong>GoLang<\/strong> programming language keeps growing fast and is also an open-source project with cross-platform capabilities. The latter was already used for instance by <a href=\"https:\/\/www.sentinelone.com\/labs\/hive-attacks-analysis-of-the-human-operated-ransomware-targeting-healthcare\/\">HIVE<\/a> or <a href=\"https:\/\/twitter.com\/vk_intel\/status\/1281677718376120328\">NEPHILIM<\/a> RaaS programs to take advantage of the language\u2019s concurrency features to encrypt files faster. However, its ties with Google might restrain some operators of ransomwares, as Google\u2019s projects in overall do not fit the political vision they want to display to the public.<\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p>There are four types of encryption options as described by <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/alphv-blackcat-this-years-most-sophisticated-ransomware\/\">BleepingComputer<\/a> (<em>i.e.<\/em>, Full, Fast, DotPattern&nbsp;and Auto). All samples of <strong>ALPHV<\/strong> use a combination of <a href=\"https:\/\/twitter.com\/demonslay335\/status\/1468735840033677318?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1468735840033677318%7Ctwgr%5E%7Ctwcon%5Es1_&amp;ref_url=https%3A%2F%2Fwww.bleepingcomputer.com%2Fnews%2Fsecurity%2Falphv-blackcat-this-years-most-sophisticated-ransomware%2F\">AES128-CTR and RSA-2048 encryption<\/a> to secure their malware against the researchers getting encrypted files back. Amongst the several modes that AES operates with, mostly used is CBC (Cipher&nbsp;Block&nbsp;Chaining) while CTR (CounTeR) was witnessed in the past by a few threats such as <a href=\"https:\/\/www.nioguard.com\/2019\/03\/analysis-of-lockergoga-ransomware.html\"><strong>LockerGoga<\/strong><\/a>, <a href=\"https:\/\/vblocalhost.com\/uploads\/VB2021-Hacquebord-etal.pdf\"><strong>Nefilim<\/strong><\/a> and <a href=\"https:\/\/blogs.blackberry.com\/en\/2019\/07\/threat-spotlight-sodinokibi-ransomware\"><strong>REvil<\/strong><\/a>. In the case where (Advanced Encryption Standard) AES is not supported by the OS and if auto mode option is enabled, ChaCha20 encryption is applied instead. So far, no weaknesses were found and over all, such new <strong>RaaS<\/strong> program is considered by the cybersecurity to be very sophisticated. <strong>ALPHV<\/strong> also mentions that in contrast to what happened to <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/kaseyas-universal-revil-decryption-key-leaked-on-a-hacking-forum\/\">Revil after the massive Kaseya attack<\/a>, a leak of a universal decryptor is not possible.<\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p>Diving into reverse engineering code analysis of <strong>ALPHV<\/strong> ransomware targeting Windows systems, we discuss key functions leveraged by the ransomware and any commonalities found with past known techniques:<\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:list -->\n<ul><li><em>EnumServicesStatusExW<\/em>: is usually used by ransomwares for enumerating all the active services with the aim to delete services matching a list (present in the config file of <strong>ALPHV<\/strong>). The call of such function was for instance already seen in the wild in the <a href=\"https:\/\/chuongdong.com\/reverse%20engineering\/2021\/05\/06\/DarksideRansomware\/\"><strong>Darkside<\/strong><\/a>, <a href=\"https:\/\/chuongdong.com\/reverse%20engineering\/2021\/09\/05\/BlackMatterRansomware\/\"><strong>BlackMatter<\/strong><\/a>, <a href=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/revil-ransomware-uses-dll-sideloading\/\"><strong>Revil<\/strong><\/a><strong> <\/strong>and <a href=\"https:\/\/cert-agid.gov.it\/news\/netwalker-il-ransomware-che-ha-beffato-lintera-community\/\"><strong>Netwalker<\/strong><\/a><\/li><li><em>NetServerEnum: <\/em>is used to list all servers of the specified type that are visible in a domain. The latterwas was seen previously also being leveraged by <a href=\"https:\/\/chuongdong.com\/reverse%20engineering\/2020\/11\/17\/RegretLocker\/\"><strong>RegretLocker<\/strong><\/a>, <a href=\"https:\/\/blog.talosintelligence.com\/2017\/06\/worldwide-ransomware-variant.html\"><strong>Wannacry<\/strong><\/a>, <a href=\"https:\/\/go.sentinelone.com\/rs\/327-MNM-087\/images\/Dissecting%20NotPetya%20-%20WP.pdf?aliId=21202168\"><strong>NotPetya<\/strong><\/a> and <a href=\"https:\/\/www.flashpoint-intel.com\/blog\/new-version-trickbot-adds-worm-propagation-module\/\"><strong>Trickbot<\/strong><\/a> (operated by <a href=\"https:\/\/adversary.crowdstrike.com\/en-US\/adversary\/wizard-spider\/\">Wizard Spider<\/a>) as a worm-like malware propagation module to spread over Server Message Block (<strong>SMB<\/strong>)<\/li><li><em>NetShareEnum<\/em>: playing the role of discovering network shares to enumerate DNS hostnames on the network, was encountered within numerous ransomwares such as <a href=\"https:\/\/blog.qualys.com\/vulnerabilities-threat-research\/2021\/12\/09\/ransomware-ranzy-locker\"><strong>Ranzy locker<\/strong><\/a>, <a href=\"https:\/\/cert-agid.gov.it\/news\/netwalker-il-ransomware-che-ha-beffato-lintera-community\/\"><strong>Netwalker<\/strong><\/a>, <a href=\"https:\/\/www.mcafee.com\/enterprise\/en-us\/assets\/reports\/rp-cuba-ransomware.pdf\"><strong>Cuba<\/strong><\/a>, <a href=\"https:\/\/news.sophos.com\/en-us\/2020\/04\/24\/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze\/\"><strong>LockBit<\/strong><\/a>, <a href=\"https:\/\/chuongdong.com\/reverse%20engineering\/2021\/09\/05\/BlackMatterRansomware\/\"><strong>Blackmatter<\/strong><\/a> and <a href=\"https:\/\/blogs.vmware.com\/security\/2020\/07\/tau-threat-discovery-conti-ransomware.html\"><strong>Conti<\/strong><\/a><strong> <\/strong>(operated by <a href=\"https:\/\/adversary.crowdstrike.com\/en-US\/adversary\/wizard-spider\/\">Wizard Spider<\/a>)<\/li><li><em>EnumdependentServicesW<\/em> was found to be shared with <a href=\"https:\/\/www.joesandbox.com\/analysis\/280693\/0\/lighthtml\"><strong>Avaddon<\/strong><\/a>, <a href=\"https:\/\/www.joesecurity.org\/reports\/report-e11502659f6b5c5bd9f78f534bc38fea.html\"><strong>LockerGoga<\/strong><\/a> to retrieve the name and status of each service that depends on specified services<\/li><li><em>ARP scanner via the command <strong>\u201carp -a\u201d <\/strong><\/em><a href=\"https:\/\/attack.mitre.org\/techniques\/T1016\/\"><em>[T1016]<\/em><\/a>: scans the targeted device\u2019s Address Resolution Protocol (ARP) table which stores information about IP addresses and the corresponding MAC address. The discovery of new networks allows then to fully scan for SMB volumes that can be mounted and eventually encrypted to crank up the impact. Such ARP scanner was previously seen embedded within strains of <a href=\"https:\/\/www.sentinelone.com\/blog\/meet-darkside-and-their-ransomware-sentinelone-customers-protected\/\"><strong>Darkside<\/strong><\/a><strong>, <\/strong><a href=\"https:\/\/umbrella.cisco.com\/blog\/cybersecurity-threat-spotlight-blackmatter-lockbit-thor\"><strong>LockBit<\/strong><\/a><strong>, <\/strong><a href=\"https:\/\/www.picussecurity.com\/resource\/blog\/a-detailed-walkthrough-of-ranzy-locker-ransomware-ttps\"><strong>Ranzy locker<\/strong><\/a><strong>, <\/strong><a href=\"https:\/\/twitter.com\/VK_Intel\/status\/1301233594371842048\"><strong>Avaddon<\/strong><\/a><strong>, <\/strong><a href=\"https:\/\/www.crowdstrike.com\/blog\/doppelpaymer-ransomware-and-dridex-2\/\"><strong>DopplePaymer<\/strong><\/a>. We can also underline variants of Ryuk and Conti that exhibited more sophisticated behaviours by taking advantage of arp. The former reads ARP tables and wake systems up by sending Wake-on-LAN commands (then use RPC to copy itself to identified network shares) while the latter retrieves the ARP cache to focus only on network shares to which the victims normally connects to. To be noted beyond Ryuk\u2019 wake-on-LAN peculiar feature is that other RaaS programs borrowed that capability such as <a href=\"https:\/\/www.trendmicro.com\/fr_fr\/research\/21\/h\/lockbit-resurfaces-with-version-2-0-ransomware-detections-in-chi.html\">LockBit<\/a> or <a href=\"https:\/\/www.recordedfuture.com\/thanos-ransomware-builder\/\">Thanos<\/a>.<\/li><\/ul>\n<!-- \/divi:list -->\n\n<!-- divi:image {\"align\":\"center\",\"id\":222535,\"sizeSlug\":\"full\",\"linkDestination\":\"none\"} -->\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img decoding=\"async\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2022\/01\/8.png\" alt=\"\" class=\"wp-image-222535\"\/><figcaption><em>Figure 10 Command line tool called arp (available on Linux, MacOS and Windows) was found in the source code of ALPHV ransomware to be used as an ARP scanner feature. The scanner allows to look for details about the network configuration [T1016].<\/em><\/figcaption><\/figure><\/div>\n<!-- \/divi:image -->\n\n<!-- divi:paragraph -->\n<p>We are discussing the approach to gather <strong>indicators of compromise (IOCs)<\/strong> and define the infrastructure and TTPs leveraged by affiliates of the ALPHV RaaS program and its operator.<\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p>Besides, from TLP WHITE <strong>indicators of compromise<\/strong> shared by the platform <a href=\"https:\/\/bazaar.abuse.ch\/browse.php?search=tag%3A+alphv\">Malware Bazaar<\/a> (5 samples were available) we could pivot on VT intel to harvest other reported and related <strong>IOCs<\/strong> (<strong>see the Recommendation section for technical details<\/strong>). By pivoting on one of the ELF Linux variant samples, a lower sized file named <em>setup.exe <\/em>(see details in VT <a href=\"https:\/\/www.virustotal.com\/gui\/file\/f0a694b6ed97dcf4932ea91b955bd93457d1979ea88a670895094f8771f7e199\">here<\/a>) that contrasted with the other ransomware payloads has drawn our attention. As no GUID identifier has been found in this file we sought to pivot around artefacts (unique strings into content file). As such, we could find two other similar files reported into VirusTotal (see Figure 11).&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:image {\"align\":\"center\",\"id\":222536,\"sizeSlug\":\"large\",\"linkDestination\":\"none\"} -->\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img decoding=\"async\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2022\/01\/9-1024x279.png\" alt=\"\" class=\"wp-image-222536\"\/><figcaption><em>Figure 11 Screenshot of VirusTotal Intelligence platform after pivoting on a unique string found into Portable Executable content. The size of the files are very close while the second one turns out to be linked to another infamous Ransomware group dubbed LockBit.<\/em><\/figcaption><\/figure><\/div>\n<!-- \/divi:image -->\n\n<!-- divi:paragraph -->\n<p>Those files are .Net modules and not with a PE more standard format file. We analysed more thoroughly the file by reverse engineering the latter via the open-source tool <a href=\"https:\/\/github.com\/dnSpy\/dnSpy\">dnSpy<\/a>. We first want to point out that no obfuscation is at play, thus all code can be directly rationalized. Four main functions stood out as shown in Figure 12 after reversing the runner used by ALPHV\u2019 affiliates. It is interesting to note that download and upload functions point to the IP address:<\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph {\"align\":\"center\"} -->\n<p class=\"has-text-align-center\"><em>141.136.44[.]54<\/em><em><\/em><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p>The latter resolves the host from which was also present the runner <em>setup.exe<\/em>, meaning that ransomware payloads were hosted at the same place. We found out, about the same time, that @malwrhunterteam substantiated this result in one of their <a href=\"https:\/\/twitter.com\/malwrhunterteam\/status\/1476204657823395843\">tweet<\/a>. Once the runner is launched with an access-token set as an input, a messagebox like the one shown in Figure 9 pops up and asks the user whether or not \u201cREALLY RUN LOCKER????\u201d. If the user chooses \u201cYES\u201d, an ALPHV ransomware payload will be downloaded from the remote host- and executed locally.<\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:image {\"align\":\"center\",\"id\":222537,\"width\":759,\"height\":287,\"sizeSlug\":\"full\",\"linkDestination\":\"none\"} -->\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2022\/01\/Capture-decran-2022-01-26-143102.png\" alt=\"\" class=\"wp-image-222537\" width=\"759\" height=\"287\"\/><\/figure><\/div>\n<!-- \/divi:image -->\n\n<!-- divi:image {\"align\":\"center\",\"id\":222538,\"width\":1024,\"height\":238,\"sizeSlug\":\"large\",\"linkDestination\":\"none\"} -->\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2022\/01\/Capture-decran-2022-01-26-143132-1024x238.png\" alt=\"\" class=\"wp-image-222538\" width=\"1024\" height=\"238\"\/><figcaption><em>Figure 12 Screenshot of the runner setup.exe found to be tight to the ALPHV threat arsenal. Four main functions are at play (DownloadAndRun, FullInfo, Start, UploaddDedInfo and UploadFiles). Both the runner and the payloads are hosted at hxxp:\/\/141.136.44[.]54\/files\/.<\/em><\/figcaption><\/figure><\/div>\n<!-- \/divi:image -->\n\n<!-- divi:heading {\"level\":3} -->\n<h3 id=\"commonalities-between-lockbit2-0-and-alphv\">Commonalities between LockBit2.0 and ALPHV<\/h3>\n<!-- \/divi:heading -->\n\n<!-- divi:paragraph -->\n<p>After investigations via VT Intelligence we found that the <a href=\"https:\/\/www.virustotal.com\/gui\/file\/4067a9a9a9cfc5a4f588883953f64ce6d8c418bfb02b32b2715c9a30bb86ea12\">second hash<\/a> shown in Figure 11 was detected by some antivirus as <strong>LockBit<\/strong> ransomware. We thus decided to pursue the research in that direction and pivot around that IOC. After having unravelled the infrastructure behind that IOC, one can observe in Figure 13 that <em>i<\/em> the occurrence <strong>LockBit<\/strong> is often used in namings <em>ii<\/em> the runner.exe (setup.exe) possesses numerous variants, <em>iii<\/em> URLs follow the same pattern observed for <strong>ALPHV<\/strong> (<em>i.e., <\/em><a href=\"http:\/\/ip_address\/files\/toolname.exe\"><em>http:\/\/ip_address\/files\/toolname.exe<\/em><\/a>) and <em>iv<\/em> the payload name 4mmc.exe was also used by <strong>ALPHV<\/strong> (see <a href=\"https:\/\/www.virustotal.com\/gui\/file\/3a08e3bfec2db5dbece359ac9662e65361a8625a0122e68b56cd5ef3aedf8ce1\">here<\/a> an example).<\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p>We checked that the payloads do indeed correspond to <strong>LockBit<\/strong> weaponized strains. Moreover we found that the hash value of the tool referred to as <a href=\"https:\/\/www.virustotal.com\/gui\/file\/c3ec60b8052e31db149c35080afea5b57b1e8a034386555d12035eb5edefdd68\"><em>screensaver.exe<\/em><\/a> was reported by <a href=\"https:\/\/thedfirreport.com\/2020\/06\/10\/lockbit-ransomware-why-you-no-spread\/\">The DFIR report back in June 2020<\/a> upon an attack by <strong>LockBit<\/strong> ransomware in which an executable that allows to lock out access to the desktop was dropped but was not used.<\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:image {\"align\":\"center\",\"id\":222539,\"width\":806,\"height\":491,\"sizeSlug\":\"large\",\"linkDestination\":\"none\"} -->\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2022\/01\/10-1024x624.png\" alt=\"\" class=\"wp-image-222539\" width=\"806\" height=\"491\"\/><figcaption><em>Figure 13 : Screenshot taken from Virustotal Intelligence platform after having pivoted around the second hash highlighted in Figure 11 (see blue colour). One can observe several IOCs that belong to the infamous LockBit ransomware as well as some of its toolset, namely a screensaver locker, and a runner for downloading payloads for encryption that is similar to the one that ALPHV used<\/em><\/figcaption><\/figure><\/div>\n<!-- \/divi:image -->\n\n<!-- divi:paragraph -->\n<p>As we found no direct link of this infrastructure with recent attacks perpetrated by <strong>LockBit<\/strong> affiliates, the latter could also have been used as a test infrastructure by <strong>ALPHV<\/strong>. This is substantiated by the filename LockBit_gay.exe (see Figure 13) submitted the VT on 2021-11-08, which could indicate that an imposter essentially rebranded the tool used by <strong>LockBit\u2019<\/strong> affiliates and used it for <strong>ALPHV\u2019s<\/strong> campaigns. The word \u2018gay\u2019 is not without recalling the recent flooded <strong>Babuk\u2019s<\/strong> new ransomware forum (<strong>RAMP<\/strong>), crippled by a comment spammer with gay orgy porn GIFs. Not only the filenames (setup.exe), their size (in a range of 15-15.5 KB) but also the source code is obviously strongly overlapping as demonstrated in&nbsp;Figure 14.&nbsp;The main change arises from the adaptation of the code with the aim to include the&nbsp;anti-analysis tactic&nbsp;required for running a payload of ALPHV (<em>i.e.<\/em>, the aforementioned unique accesstoken).&nbsp;<\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:image {\"align\":\"center\",\"id\":222575,\"sizeSlug\":\"full\",\"linkDestination\":\"none\"} -->\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img decoding=\"async\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2022\/01\/MicrosoftTeams-image.png\" alt=\"\" class=\"wp-image-222575\"\/><figcaption><em>Figure 14 Source Code Differencing via Git Diff. Reverse engineering analysis shows that the source code of the <a href=\"https:\/\/www.virustotal.com\/gui\/file\/4067a9a9a9cfc5a4f588883953f64ce6d8c418bfb02b32b2715c9a30bb86ea12\/relations\">LockBit\u2019s<\/a> arsenal (in red) and the <a href=\"https:\/\/www.virustotal.com\/gui\/file\/f0a694b6ed97dcf4932ea91b955bd93457d1979ea88a670895094f8771f7e199\">ALPHV\u2019s<\/a> arsenal (in green) are strongly overlapping. The main change arises from the adaptation of the code to include the unique accesstoken per victim required for running a payload of ALPHV.<\/em><\/figcaption><\/figure><\/div>\n<!-- \/divi:image -->\n\n<!-- divi:paragraph -->\n<p>It is hard to conclude at this stage to conclude whether or not <strong>ALPHV<\/strong> is a \u2018new\u2019 group or not. However, it suggests that <strong>ALPHV<\/strong> at the very least borrowed a part of the <strong>LockBit<\/strong>\u2019s toolset, which requires non-public knowledge. Such knowledge of leveraging a runner for downloading and running ransomwares from remote servers could have been likely shared by affiliates that participle sometimes to several ransomware-as-a-service program. It could also be a subgroup of <strong>LockBit<\/strong> that split because of internal frictions or a rebrand triggered by the core-group of <strong>LockBit<\/strong> to take their ransomware to the next generation and escape sanctions.<\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:heading {\"level\":3} -->\n<h3 id=\"ttps\">TTPs<\/h3>\n<!-- \/divi:heading -->\n\n<!-- divi:heading {\"level\":4} -->\n<h4 id=\"h-intrusion-set-threat-actor-operating-alphv-and-its-affiliates-modus-operandi\">&nbsp;[Intrusion Set](THREAT ACTOR operating <strong>ALPHV<\/strong> and its affiliates\u2019 modus operandi)<\/h4>\n<!-- \/divi:heading -->\n\n<!-- divi:paragraph -->\n<p>Here is <a href=\"https:\/\/mitre-attack.github.io\/attack-navigator\/#layerURL=https:\/\/raw.githubusercontent.com\/Intrinsec\/IOCs\/main\/Ransomware-group_ALPHV_BLACKCAT_NOBERUS\/AlphV_intrusion_set_ATT%26CK_Navigator.4.5.5_layer_4.3.json\">a JSON file format compatible with the MITRE ATT&amp;CK Navigator<\/a> of shared TTPs of both representative payloads targeting Linux \/ Windows systems as well as the operator and affiliates modus operandi reported so far. It is interesting to note that by pivoting on their public DLS we found a section dedicated to <strong>ALPHV<\/strong> affiliates that provides a procedure on how to leverage the ransomware payloads on different operating systems upon an attack (see appendix).<\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:table {\"className\":\"is-style-stripes\"} -->\n<figure class=\"wp-block-table is-style-stripes\"><table><tbody><tr><td><strong>Tactic<\/strong><\/td><td><strong>Technique<\/strong><\/td><td><strong>Procedure<\/strong><\/td><\/tr><tr><td>Execution <br>[<a href=\"https:\/\/attack.mitre.org\/tactics\/TA0002\/\">TA0002<\/a>]<\/td><td>System Services:&nbsp; Service Execution<a href=\"https:\/\/attack.mitre.org\/techniques\/T1569\/002\/\">[T1569.002]<\/a><br><br><br> Command and Scripting Interpreter:&nbsp;Windows Command Shell <a href=\"https:\/\/attack.mitre.org\/techniques\/T1059\/003\/\">[T1053.003]<\/a> <br><br> Windows Management Instrumentation <a href=\"https:\/\/attack.mitre.org\/techniques\/T1047\/\">[T1047]<\/a><br><br><br> Shared Modules <a href=\"https:\/\/attack.mitre.org\/techniques\/T1129\/\">[T1129]<\/a> <\/td><td><br>In some cases ransomware was deployed via <strong>ScreenConnect<\/strong> but also via <a href=\"https:\/\/attack.mitre.org\/software\/S0029\/\"><strong>PSEXEC<\/strong><\/a><strong> <\/strong>(being embedded in the ransomware code after a compression via zlib). <strong>ALPHV<\/strong> uses significantly the remote administration tool <strong>PsExec<\/strong> <a href=\"https:\/\/attack.mitre.org\/techniques\/T1569\/002\/\">[T1035]<\/a>, as well as the PowerShell language <a href=\"https:\/\/attack.mitre.org\/techniques\/T1059\/001\/\">[T1086]<\/a><br><br><br>ALPHV can use the Windows command line to :<br>\u2022 Delete volume shadow copies and disable recovery<br>\u2022 Modify window registry<br><br>The adversary uses WMI to execute various behaviours, such as gathering information for Discovery<br><br><br>Fsutil was executed to modify the SymLink Evaluation behaviour to change the type of symbolic links that can be created on the system. Symbolic links create a file in a directory that acts as a shortcut to another file or folder<br><\/td><\/tr><tr><td> Credential access [<a href=\"https:\/\/attack.mitre.org\/versions\/v9\/tactics\/TA0006\/\">TA0006<\/a>]  <\/td><td> Adversary-in-the-Middle:&nbsp;LLMNR\/NBT-NS Poisoning and SMB Relay <a href=\"https:\/\/attack.mitre.org\/techniques\/T1557\/001\/\">[T1557.001]<\/a> <br><br><br> OS Credential Dumping:&nbsp;LSA Secrets &nbsp; <a href=\"https:\/\/attack.mitre.org\/techniques\/T1003\/004\/\">[T1003.004]<\/a>  <\/td><td>Symantec has reported suspicious Server Message Block (SMB) requests occurred onto the patient zero &nbsp; <br><br><br><br>Symantec has reported attempts of remote Local Security Authority (LSA) registry dump from a remote machine on the network upon an attack <\/td><\/tr><tr><td> Collection <a href=\"https:\/\/attack.mitre.org\/versions\/v10\/tactics\/TA0009\/\">[TA0009]<\/a> <\/td><td> Adversary-in-the-Middle:&nbsp;LLMNR\/NBT-NS Poisoning and SMB Relay <a href=\"https:\/\/attack.mitre.org\/techniques\/T1557\/001\/\">[T1557.001]<\/a> <\/td><td> Threat actors may have leveraged LLMNR\/NBT-NS Poisoning and SMB Relay sub-technique <\/td><\/tr><tr><td> Defense Evasion <a href=\"https:\/\/attack.mitre.org\/versions\/v10\/tactics\/TA0005\/\">[TA0005]<\/a> &nbsp; <\/td><td> <br><br>Impair Defenses:&nbsp;Disable or Modify Tools <a href=\"https:\/\/attack.mitre.org\/techniques\/T1562\/001\/\">[T1562.001]<\/a><br><br> Signed Binary Proxy Execution:&nbsp;CMSTP <a href=\"https:\/\/attack.mitre.org\/techniques\/T1218\/003\/\">[T1218.003]<\/a> <br><br><br> Modify Registry <a href=\"https:\/\/attack.mitre.org\/techniques\/T1112\/\">[T1112]<\/a> <br><\/td><td><br>According to Symantec the attackers disabled a restricted remote administration feature known as \u2018RestrictedAdmin mode\u2019 but also Windows defender &nbsp;  <br><br><br> Well-known technique to circumvent Windows\u2019 User Account Control (UAC) (see details in appendix) <br><br><br>Modification of the registry occurred upon an attack. According to <a href=\"https:\/\/symantec-enterprise-blogs.security.com\/blogs\/threat-intelligence\/noberus-blackcat-alphv-rust-ransomware\">Symantec<\/a> attackers were also seen to tweak the maximum limit of concurrent requests machines by modifying the Windows registry to further help spreading via PsExec. Please note that we found that this is actually a capacity of the ransomware itself and not a human-operated command (see Appendix) &nbsp; <\/td><\/tr><tr><td>  Discovery <a href=\"https:\/\/attack.mitre.org\/versions\/v10\/tactics\/TA0007\/\">[TA0007]<\/a> &nbsp;  <\/td><td>System Information Discovery <a href=\"https:\/\/attack.mitre.org\/techniques\/T1082\/\">[T1082]<\/a> <br><br><br> System Network Connections Discovery <a href=\"https:\/\/attack.mitre.org\/techniques\/T1049\/\">[T1049]<\/a> <br><br> Ingress Tool Transfer <a href=\"https:\/\/attack.mitre.org\/techniques\/T1105\/\">[T1105]<\/a>  <\/td><td><strong>ALPHV<\/strong> runs commands to collect system information via <strong>WMIC<\/strong>, in order to collect Universally Unique Identifiers (UUIDs) from each machine. These are then used to generate the \u2018access token\u2019 that makes up part of the unique Tor address victims are instructed to visit <br><br> <strong>ALPHV<\/strong> attempts to propagate via mounting hidden partitions thanks to the \u2018net use\u2019 command. As aforementioned admin credentials are embedded into the config file within the payload<br><br> <strong>ALPHV<\/strong> affiliates bring their own external&nbsp;<strong>tools<\/strong>&nbsp;into a compromised network  <\/td><\/tr><tr><td> Exfiltration <a href=\"https:\/\/attack.mitre.org\/versions\/v10\/tactics\/TA0010\/\">[TA0010]<\/a> <\/td><td> Exfiltration Over Web Service <a href=\"https:\/\/attack.mitre.org\/techniques\/T1567\/\">[T1567]<\/a> <\/td><td> Double extortion: exposure of sensitive data on a DLS<strong>. ALPHV leaks victim data not only if the victims do not pay, but also once Threat Intel teams accesses their chat logs or discusses their operations<\/strong>. This posture recalls recent threats proclaimed by several <strong>RaaS<\/strong> groups as chat logs were leaked and exposed by CTI teams and renowned cybersec journalists that weakened the leverage of the malicious negotiators <\/td><\/tr><tr><td>  Impact <a href=\"https:\/\/attack.mitre.org\/versions\/v10\/tactics\/TA0040\/\">[TA0040]<\/a> <\/td><td>Inhibit System Recovery <a href=\"https:\/\/attack.mitre.org\/techniques\/T1490\/\">[T1490]<\/a> <br><br> Data Destruction <a href=\"https:\/\/attack.mitre.org\/techniques\/T1485\/\">[T1485]<\/a> <br><br> Service Stop &nbsp;[<a href=\"https:\/\/attack.mitre.org\/techniques\/T1489\">T1489<\/a>] <br><br><br> Data Encrypted for Impact <a href=\"https:\/\/attack.mitre.org\/techniques\/T1486\/\">[T1486]<\/a> <br><br> Network Denial of Service <a href=\"https:\/\/attack.mitre.org\/techniques\/T1498\/\">[T1498]<\/a>  <\/td><td> According to <a href=\"https:\/\/twitter.com\/malwrhunterteam\/status\/1473251193514340361\">@malwrhunterteam<\/a> this could be the first <strong>ransomware<\/strong> that does <strong>VM snapshots cleaning<\/strong>.&nbsp; The latter deletes also <strong>shadow copies and the Recycle Bin<\/strong> <br><br> According to <a href=\"https:\/\/twitter.com\/vxunderground\/status\/1474050926906572802\">@vxunderground<\/a> the latter <strong>deletes decryption keys<\/strong> <br><br> As previously seen <strong>ALPHV<\/strong> payloads have the capability to stop services and kill processes to increase the impact (with the help of the&nbsp;<strong>EnumServicesStatusExW&nbsp;<\/strong>function to enumerate all the active services&nbsp;and deletes services if the service name matches the list present in the config file) <br><br> Simple extortion: encryption of sensitive data <br><br> Triple extortion: As an additional extortion method, the threat actors threaten to <strong>DDoS<\/strong> victims unless they pay a ransom <br><\/td><\/tr><\/tbody><\/table><\/figure>\n<!-- \/divi:table -->\n\n<!-- divi:heading {\"level\":3} -->\n<h3 id=\"malware-s-tool-s\">Malware(s)\/Tool(s)<\/h3>\n<!-- \/divi:heading -->\n\n<!-- divi:list -->\n<ul><li><strong>ConnectWise<\/strong> (formerly known as <strong>ScreenConnect<\/strong>), that is a legitimate remote administration tool was leveraged. This tool was already seen abused in the past by other ransomcartels such as Revil upon the recent massive attack against <a href=\"https:\/\/unit42.paloaltonetworks.com\/revil-threat-actors\/\">Kaseya<\/a> and APTs since <a href=\"https:\/\/attack.mitre.org\/software\/S0591\/\">2016<\/a><\/li><li><strong>Another legitimate tool <\/strong><a href=\"http:\/\/keystore-explorer.org\/\"><strong>Keystore explorer<\/strong><\/a><strong> <\/strong>that can be used to create and navigate KeyStores via its intuitive graphical interface was <a href=\"https:\/\/github.com\/CyberSoldiers\/IOCs\/blob\/main\/BlackCat_Ransomware\">reported<\/a>. Though it is not yet clear if there is any link with <strong>ALPHV<\/strong> at this stage (see <a href=\"https:\/\/github.com\/CyberSoldiers\/IOCs\/issues\/1#issuecomment-1004744251\">here<\/a>), one could conjecture that this tool was leveraged to generate unique key pairs for each victim but should be considered as a false positive.<\/li><li><strong>7zip<\/strong> and <strong>Rclone<\/strong> were reported by <a href=\"https:\/\/www.speartip.com\/resources\/speartips-investigation-into-the-emerging-blackcat-ransomware\/\">SpearTip<\/a> as the toolset use for exfiltration of data<\/li><\/ul>\n<!-- \/divi:list -->\n\n<!-- divi:heading {\"level\":3} -->\n<h3 id=\"vulnerabilities\">Vulnerabilities<\/h3>\n<!-- \/divi:heading -->\n\n<!-- divi:list -->\n<ul><li><strong>No known vulnerabilities are yet reported<\/strong> to be leveraged by the affiliates of this <strong>RaaS<\/strong> program to the best of our knowledge. We should mention though that <strong>SentinelOne<\/strong> telemetry <a href=\"https:\/\/www.sentinelone.com\/labs\/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims\/\">indicated<\/a> \u201c<em>a<\/em><em> primary delivery of BlackCat is via 3rd party framework\/toolset (e.g., Cobalt Strike) or via exposed (and vulnerable) applications<\/em>\u201d<\/li><li>We should mention that other entry vector remain extensively used <strong>RDP<\/strong> brute force attacks or unsecure <strong>RDP\/VPN<\/strong> connections. It is also likely that this advanced threat actor, if not already, could rapidly leverage an Initial Access Broker to provide to its affiliates a foothold on a victim\u2019 network. Keep in mind that such <strong>Initial Access Brokers (IABs)<\/strong> could also leverage the last vulnerability that defrayed the chronicle being <strong>LOG4SHELL<\/strong><\/li><\/ul>\n<!-- \/divi:list -->\n\n<!-- divi:heading {\"level\":3} -->\n<h3 id=\"course-of-action\">Course of action<\/h3>\n<!-- \/divi:heading -->\n\n<!-- divi:heading {\"level\":4} -->\n<h4 id=\"h-avoid-iabs-or-affiliates-to-breach-into-your-network\">Avoid IABs or affiliates to breach into your network<\/h4>\n<!-- \/divi:heading -->\n\n<!-- divi:list -->\n<ul><li>Focus efforts on patching\/monitoring the most impactful flaws reported in information bulletins produced by Intrinsec CTI Team about last TTPs of such ecosystem (<em>PrintNightmare, Proxy|logon|Shell|Oracle, PetitPotam, LogShell, VMWare<\/em>)<\/li><li>Enable hardware MFA keys whenever possible on critical assets requiring the most protection<\/li><li>Identify then document an organization\u2019s people, information and in particular exposed assets such as VPN, RDP, web servers, etc\u2026 (<em>N.B.,<\/em> the latter shall always be up to date)<\/li><li>Train your teams to phishing &amp; social-engineering methods<\/li><li>Use a WAF to filter and monitor incoming web traffic (<em>N.B.,<\/em> the latter shall always be up to date) for web servers and apps<\/li><li>Reinforce the security monitoring of Windows workstations, with an EDR (or failing that, Sysmon), and a reinforced audit policy<\/li><li>Conduct vulnerability scans regularly on exposed servers to confirm whether or not it is vulnerable against known attack schemes<\/li><li>Reinforce perimeter filtering (email\/browsing) with sandboxing for all attachments and downloaded files, plus SSL inspection<\/li><li>Maintain and regularly assess a disaster recovery plan, including global backup capabilities (onsite and offsite)<\/li><li>Reinforce authentication with strong authentication means wherever possible, password strength policy plus audit in place, and log forwarding to the SIEM<\/li><li>Do not forget BYOD security management: security policies deployment and enforcement, compliancy, inventory, network access control<\/li><li>Cobalt Strike, being maybe the most prolific post-exploitation framework tool both leveraged not only by red teamers and top-tier RaaS affiliates but also by several APTs, it is worth putting efforts to become capable of <a href=\"https:\/\/thedfirreport.com\/2022\/01\/24\/cobalt-strike-a-defenders-guide-part-2\/\">detecting<\/a> its <a href=\"https:\/\/www.cobaltstrike.com\/features\/\">capabilities<\/a><\/li><\/ul>\n<!-- \/divi:list -->\n\n<!-- divi:heading {\"level\":4} -->\n<h4 id=\"h-detect-alphv-affiliates-before-your-data-gets-exfiltrated-and-then-encrypted\">Detect <strong>ALPHV<\/strong> affiliates before your data gets exfiltrated and then encrypted<\/h4>\n<!-- \/divi:heading -->\n\n<!-- divi:list -->\n<ul><li>Craft fake documents (financial, cyber insurance, employee data falling under GDPR) that will beacons back alerting blue teams only with very high rates of true positives thanks to <a href=\"https:\/\/docs.canarytokens.org\/\">Canarytokens<\/a><strong>.<\/strong> As such, Incident Response teams would be more efficient in preempting\/expelling threats by being involved at early stages of an attack<\/li><li>Monitor <a href=\"https:\/\/github.com\/Intrinsec\/IOCs\/blob\/main\/Ransomware-group_ALPHV_BLACKCAT_NOBERUS\/INTRINSEC_Alphv-Blackcat-Noberus_IOCs_07_01_2021.csv\">IOCs<\/a> &amp; <a href=\"https:\/\/github.com\/Intrinsec\/IOCs\/blob\/main\/Ransomware-group_ALPHV_BLACKCAT_NOBERUS\/Examples_of_commands_observed_upon_incident_response_against_ALPHV_ransomware.md\">commands<\/a> that we capitalized, vetted and made available on our <a href=\"https:\/\/github.com\/Intrinsec\/IOCs\/tree\/main\/Ransomware-group_ALPHV_BLACKCAT_NOBERUS\">GitHub<\/a>. Please note that if you are an Intrinsec SOC (Security Operation Center) customer, the IOCs related to this campaign are being integrated into our MISP<\/li><li>Block globally network &amp; system IOCs<\/li><\/ul>\n<!-- \/divi:list -->\n\n<!-- divi:heading {\"level\":4} -->\n<h4 id=\"h-detect-alphv-affiliates-before-your-data-gets-encrypted-while-being-exfiltrated\">Detect <strong>ALPHV<\/strong> affiliates before your data gets encrypted while being exfiltrated<\/h4>\n<!-- \/divi:heading -->\n\n<!-- divi:list -->\n<ul><li>Ensure blue teams can carry out threat detection of <strong>RClone<\/strong> (leveraged by <strong>ALPHV<\/strong> for data exfiltration) with relevant Sigma rules such as <a href=\"https:\/\/research.nccgroup.com\/2021\/05\/27\/detecting-rclone-an-effective-tool-for-exfiltration\/\">here<\/a> and <a href=\"https:\/\/github.com\/SigmaHQ\/sigma\/search?q=rclone\">here<\/a><\/li><\/ul>\n<!-- \/divi:list -->\n\n<!-- divi:heading {\"level\":4} -->\n<h4 id=\"h-detect-alphv-affiliates-while-encrypting-data-to-reduce-the-impact\">Detect <strong>ALPHV<\/strong> affiliates while encrypting data to reduce the impact<\/h4>\n<!-- \/divi:heading -->\n\n<!-- divi:list -->\n<ul><li>It is worth mentioning here that an open-source tool has been recently developed by the CTO of Nextron Florian Roth for deception purposes (available on <a href=\"https:\/\/github.com\/Neo23x0\/Raccine\">GitHub<\/a>). Named \u201cRaccine\u201d, this tool can detect and stop any Windows process trying to delete the shadow volumes on a system that can be triggered by <strong>ALPHV<\/strong> payloads or by other similar type of threats.<\/li><\/ul>\n<!-- \/divi:list -->\n\n<!-- divi:heading {\"textColor\":\"vivid-red\"} -->\n<h2 class=\"has-vivid-red-color has-text-color\" id=\"references\">References:<\/h2>\n<!-- \/divi:heading -->\n\n<!-- divi:list -->\n<ul><li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/alphv-blackcat-this-years-most-sophisticated-ransomware\/\"><em>https:\/\/www.bleepingcomputer.com\/news\/security\/<strong>ALPHV<\/strong>-blackcat-this-years-most-sophisticated-ransomware\/<\/em><\/a><em><\/em><\/li><li><a href=\"https:\/\/github.com\/cdong1012\/Rust-Ransomware\"><em>https:\/\/github.com\/cdong1012\/Rust-Ransomware<\/em><\/a><em><\/em><\/li><li><a href=\"https:\/\/symantec-enterprise-blogs.security.com\/blogs\/threat-intelligence\/noberus-blackcat-alphv-rust-ransomware\"><em>https:\/\/symantec-enterprise-blogs.security.com\/blogs\/threat-intelligence\/noberus-blackcat-<strong>ALPHV<\/strong>-rust-ransomware<\/em><\/a><em><\/em><\/li><li><a href=\"https:\/\/medium.com\/s2wblog\/blackcat-new-rust-based-ransomware-borrowing-blackmatters-configuration-31c8d330a809\"><em>https:\/\/medium.com\/s2wblog\/blackcat-new-rust-based-ransomware-borrowing-blackmatters-configuration-31c8d330a809<\/em><\/a><em><\/em><\/li><li><a href=\"https:\/\/id-ransomware.blogspot.com\/2021\/12\/blackcat-ransomware.html\"><em>https:\/\/id-ransomware.blogspot.com\/2021\/12\/blackcat-ransomware.html<\/em><\/a><em><\/em><\/li><\/ul>\n<!-- \/divi:list -->\n\n<!-- divi:paragraph -->\n<p><em><br><\/em><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:heading {\"textColor\":\"vivid-red\"} -->\n<h2 class=\"has-vivid-red-color has-text-color\" id=\"appendix\">Appendix<\/h2>\n<!-- \/divi:heading -->\n\n<!-- divi:heading {\"level\":3} -->\n<h3 id=\"malware-information\">Malware information<\/h3>\n<!-- \/divi:heading -->\n\n<!-- divi:heading {\"level\":4} -->\n<h4 id=\"h-ttps-of-a-windows-payload\">[TTPs of a WINDOWS\u2019 payload]<\/h4>\n<!-- \/divi:heading -->\n\n<!-- divi:paragraph -->\n<p><a href=\"https:\/\/mitre-attack.github.io\/attack-navigator\/#layerURL=https:\/\/raw.githubusercontent.com\/Intrinsec\/IOCs\/main\/Ransomware-group_ALPHV_BLACKCAT_NOBERUS\/AlphV_ransomware_targeting_windows_ATT%26CK_Navigator.4.5.5_layer_4.3.json\">A JSON file format compatible with the MITRE ATT&amp;CK Navigator<\/a> highlights shared Tactics, Techniques and Procedures (TTPs) according to the <strong>MITRE ATT&amp;CK framework<\/strong> of a representative payload targeting <strong>Windows<\/strong> systems leveraged by <strong>ALPHV<\/strong>.<\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p>As far as registry key modification is concerned, a reverse engineering analysis showed that ALPHV ransomwares targeting Windows embed the following command (see Figure 15):<\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p>reg add HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesLanmanServerParameters \/v MaxMpxCt \/d 65535 \/t REG_DWORD \/fenum_serv&rsquo;<\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:image {\"align\":\"center\",\"id\":222540,\"sizeSlug\":\"full\",\"linkDestination\":\"none\"} -->\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img decoding=\"async\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2022\/01\/11.png\" alt=\"\" class=\"wp-image-222540\"\/><figcaption><em>Figure 15 : Screenshot highlighted the registry key adding in ransomware code aiming at exalting the spreading via PsExec upon the attack.<\/em><\/figcaption><\/figure><\/div>\n<!-- \/divi:image -->\n\n<!-- divi:paragraph -->\n<p>In some of those <a href=\"https:\/\/www.virustotal.com\/gui\/file\/c8b3b67ea4d7625f8b37ba59eed5c9406b3ef04b7a19b97e5dd5dab1bd59f283\">payloads<\/a>, a reverse engineering analysis unravelled attempts to bypass Windows User Account Control (UAC) to stealthy execute code with elevated permissions <a href=\"https:\/\/attack.mitre.org\/techniques\/T1218\/003\/\">[T1218.003]<\/a>. This technique is also known as the COM Elevation Moniker that allows running applications under UAC to activate COM classes with elevated privileges. More precisely, we found a globally unique identifier (CLSID) {3E5FC7F9-9A51-4367-9063-A120244FBEC7} (128-bit hexadecimalnumbers within a pair of curly braces can be retrieved in the registry path <em>\u201cWorkstationHKEY_LOCAL_MACHINESOFTWAREClassesAppID{3E5FC7F9-9A51-4367-9063-A120244FBEC7}\u201d) <\/em>&nbsp;that could be associated with the Cmstplua.dll (aka Connection Manager Admin API Helper for Setup). Such CLSID is usually leveraged for <a href=\"https:\/\/attack.mitre.org\/techniques\/T1218\/003\/\">detecting bypass UAC via an auto-elevated COM interface<\/a>.<\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p>In the same vein as was reported by <a href=\"https:\/\/news.sophos.com\/en-us\/2020\/04\/24\/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze\/\">Sophos<\/a> in April 2020 in the case of LockBit 2.0 ransomware, ALPHV will ensure to exalt damages by checking whether or not its process owns Administrator rights (via OpenProcessToken function). If not the latter masquerades as Windows Explorer (explorer.exe) by calling CoInitializeEx (initializing the COM library). &nbsp;Then, the hex value CLSID is added to the moniker and executed. We also found another typical string referred to as \u201cevation:Administrator!new:\u201d that is similar to the expected value \u201cElevation:Administrator!new:\u201d as indicated in the <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/com\/the-com-elevation-moniker\">Microsoft documentation<\/a>, which allows apps running under UAC to activate COM classes with elevated privileges (see Figure 16) :<\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:image {\"align\":\"center\",\"id\":222541,\"width\":819,\"height\":328,\"sizeSlug\":\"full\",\"linkDestination\":\"none\"} -->\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2022\/01\/12.png\" alt=\"\" class=\"wp-image-222541\" width=\"819\" height=\"328\"\/><figcaption><em>Figure 16 : UAC bypass via the COM Elevation Moniker.<\/em><\/figcaption><\/figure><\/div>\n<!-- \/divi:image -->\n\n<!-- divi:paragraph -->\n<p>Such UAC bypass capability was previously seen in the threat landscape embedded into ransomwares such as <a href=\"https:\/\/dissectingmalwa.re\/try-not-to-stare-medusalocker-at-a-glance.html\">MedusaLocker<\/a>, <a href=\"https:\/\/www.sciencedirect.com\/science\/article\/pii\/S0167404821002121?dgcid=rss_sd_all\">Avaddon<\/a>, <a href=\"https:\/\/www.hhs.gov\/sites\/default\/files\/revil-update-tlpwhite.pdf\">Revil<\/a>, <a href=\"https:\/\/www.mandiant.com\/resources\/shining-a-light-on-darkside-ransomware-operations\">Darkside<\/a>, <a href=\"https:\/\/www.nozominetworks.com\/blog\/blackmatter-ransomware-technical-analysis-and-tools-from-nozomi-networks-labs\/\">BlackMatter<\/a>. Note that strong TTP overlapping was reported between <a href=\"https:\/\/www.mandiant.com\/resources\/chasing-avaddon-ransomware\">MedusaLocker and Avaddon<\/a> but also Darkside and BlackMater as aforementioned.<\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:heading {\"level\":4} -->\n<h4 id=\"h-ttps-of-a-linux-payload\">&nbsp;[TTPs of a LINUX\u2019 payload]<\/h4>\n<!-- \/divi:heading -->\n\n<!-- divi:paragraph -->\n<p>In the same vein here is <a href=\"https:\/\/mitre-attack.github.io\/attack-navigator\/#layerURL=https:\/\/raw.githubusercontent.com\/Intrinsec\/IOCs\/main\/Ransomware-group_ALPHV_BLACKCAT_NOBERUS\/AlphV_ransomware_targeting_linux_ATT%26CK_Navigator.4.5.5_layer_4.3.json\">a JSON file format compatible with the MITRE ATT&amp;CK Navigator<\/a> of the shared <strong>TTPs<\/strong> of a representative payload targeting <strong>Linux<\/strong> systems (<strong>VMWare ESXi<\/strong>).<\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:heading {\"level\":4} -->\n<h4>Malware Behaviour Catalog (<a href=\"https:\/\/vb2020.vblocalhost.com\/uploads\/VB2020-Beck.pdf\">MBC<\/a>)<\/h4>\n<!-- \/divi:heading -->\n\n<!-- divi:paragraph -->\n<p>MBCobjectives and behaviours of representative<strong> ALPHV Linux &amp; Windows ransomware samples <\/strong>are available in our <a href=\"https:\/\/github.com\/Intrinsec\/IOCs\/tree\/main\/Ransomware-group_ALPHV_BLACKCAT_NOBERUS\">GitHub<\/a>. MBC mappings was generated via the <a href=\"https:\/\/github.com\/mandiant\/capa\">MANDIANT&rsquo;s open-source tool<\/a> capa.<\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:heading {\"level\":3} -->\n<h3 id=\"threat-actor\">Threat actor<\/h3>\n<!-- \/divi:heading -->\n\n<!-- divi:heading {\"level\":4} -->\n<h4><strong>RaaS<\/strong> program announcement (published on RAMP underground forum)<\/h4>\n<!-- \/divi:heading -->\n\n<!-- divi:paragraph -->\n<p><strong><em>INTRO<\/em><\/strong><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p><em>We are glad to welcome you to our affiliate program.<\/em><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p><em>We have taken into account all the advantages and disadvantages of previous partner programs and are proud to bring you <\/em><strong><em>ALPHV<\/em><\/strong><em> &#8211; the next generation of ransomware.<\/em><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p><em>All software is written from scratch, the decentralization of all web resources is architecturally laid down. A unique onion domain is generated for each new company. For each advertiser, an entrance is provided through its own unique onion domain (hello LockBit).<\/em><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p><em>Own datacenter for hosting leak files over 100 TB.<\/em><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p><em>We are already cooperating with top recovery companies that worked with darks, revils, etc.<\/em><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p><em>There is a support on chats, which sits 24 by 7, but if you wish, you can negotiate yourself.<\/em><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p><strong><em>SECURITY<\/em><\/strong><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p><em>We are in every possible way ready for existence in modern conditions, meeting all the requirements for the security of infrastructure and advertisements. In the affiliate program all possible links with forums are architecturally excluded (hello revil), algorithms for self-deletion of data upon expiration of the limitation period are laid down, a built-in mixer is integrated with a real break in the chain (not to be confused with Wasabi, BitMix and others), because you get completely clean coins from foreign exchanges. The wallets to which your coins were sent are unknown for our backend. The infrastructure is fragmented into the so-called. nodes that are interconnected through a whole network of pads within the onion network and are located behind NAT + FW. Even when receiving a full-fledged cmdshell, the attacker will not be able to reveal the real IP address of the server. (hi Conti)<\/em><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p><strong><em>SOFTWARE<\/em><\/strong><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p><em>The software is written from scratch without using any templates or previously leaked source codes of other ransomware. The choice is offered:<\/em><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p><strong><em>4 encryption modes:<\/em><\/strong><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p><em>-Full &#8211; full file encryption. The safest and slowest.<\/em><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p><em>-Fast &#8211; encryption of the first N megabytes. Not recommended for use, the most unsafe possible solution, but the fastest.<\/em><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p><em>-DotPattern &#8211; encryption of N megabytes through M step. If configured incorrectly, Fast can work worse both in speed and in cryptographic strength.<\/em><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p><em>-Auto. Depending on the type and size of the file, the locker (both on windows and * nix \/ esxi) chooses the most optimal (in terms of speed \/ security) strategy for processing files.<\/em><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p><em>-SmartPattern &#8211; encryption of N megabytes in percentage steps. By default, it encrypts 10 megabytes every 10% of the file starting from the header. The most optimal mode in the ratio of speed \/ cryptographic strength.<\/em><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p><em>2 encryption algorithms:<\/em><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p><em>-ChaCha20<\/em><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p><em>-AES<\/em><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p><em>In auto mode, the software detects the presence of AES hardware support (exists in all modern processors) and uses it. If there is no AES support, the software encrypts files ChaCha20.<\/em><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p><em>Cross-platform software, i.e. if you mount Windows disks in Linux or vice versa, the decryptor will be able to decrypt the files.<\/em><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p><strong><em>Supported OS:<\/em><\/strong><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p><em>&#8211; All line of Windows from 7 and higher (tested by us on 7, 8.1, 10, 11; 2008r2, 2012, 2016, 2019, 2022); XP and 2003 can be encrypted over SMB.<\/em><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p><em>&#8211; ESXI (tested on 5.5, 6.5, 7.0.2u)<\/em><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p><em>&#8211; Debian (tested on 7, 8, 9);<\/em><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p><em>&#8211; Ubuntu (tested on 18.04, 20.04)<\/em><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p><em>&#8211; ReadyNAS, Synology<\/em><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p><em>Since recently binaries have been leaking to analysts, and premium VT allows you to download samples and receive readme in chats, random people may appear who can disrupt negotiations (hello darkside), when launching the software it is MANDATORY to use the &#8211;access-token flag. The cmdline arguments are not passed to the AVers, which will keep the privacy of the correspondence with the victim. For the same reason, each encrypted computer generates its own unique ID used to separate chats.<\/em><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p><em>There is a function of automatic downloading of files from the MEGA service, you give a link to the files, they are automatically downloaded to our servers.<\/em><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p><em>You can get a full description of all functionality in the FAQ section.<\/em><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p><strong><em>ACCOUNT<\/em><\/strong><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p><em>If there is no activity for two weeks, your account will be frozen and subsequently deleted. To avoid this, we recommend that you notify the administration about possible vacations, pauses and other things.<\/em><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p><em>The rate is dynamic and depends on the amount of a single payment for each company, namely:<\/em><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p><em>&#8211; up to 1.5M $ &#8211; 80%<\/em><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p><em>&#8211; up to $ 3.0M &#8211; 85%<\/em><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p><em>&#8211; from $ 3.0M &#8211; 90%<\/em><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p><em>After reaching the $ 1.5M mark in terms of the sum of all payments on your account, you will have access to hosting services for files of companies&rsquo; leaks, dialing and DDoS&rsquo;a absolutely free.<\/em><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:heading {\"level\":3} -->\n<h3>&nbsp;<\/h3>\n<!-- \/divi:heading -->\n\n<!-- divi:heading {\"level\":3} -->\n<h3 id=\"FAQ\">FAQ dedicated to its affiliates (published on the public DLS of <strong>ALPHV<\/strong>)<\/h3>\n<!-- \/divi:heading -->\n\n<!-- divi:paragraph -->\n<p><strong><em>Wed Nov 17 2021<\/em><\/strong><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p><em>How &#8211; To<\/em><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p><em>How to start a locker on ESXi or * nix?<\/em><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:list {\"ordered\":true,\"type\":\"1\"} -->\n<ol type=\"1\"><li><em>Downloading the build via scp<\/em><\/li><\/ol>\n<!-- \/divi:list -->\n\n<!-- divi:paragraph -->\n<p><strong><em>&nbsp;&nbsp;&nbsp; scp sample_alfa_x86_64_linux_encrypt_app root@10.0.0.1:\/tmp\/<\/em><\/strong><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:list -->\n<ul><li><em>We go via ssh and give execution rights<\/em><\/li><\/ul>\n<!-- \/divi:list -->\n\n<!-- divi:paragraph -->\n<p><strong><em>&nbsp;&nbsp;&nbsp; cd \/tmp\/ &amp;&amp; chmod +x sample_alfa_x86_64_linux_encrypt_app&nbsp;<\/em><\/strong><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:list -->\n<ul><li><em>Launch the locker <strong>ALWAYS<\/strong> with the token (obtained when creating the build) and in the background ( <strong>&amp;<\/strong> )<\/em><\/li><\/ul>\n<!-- \/divi:list -->\n\n<!-- divi:paragraph -->\n<p><em>&nbsp;&nbsp;&nbsp; <strong>\/tmp\/sample_alfa_x86_64_linux_encrypt_app &#8211;access-token XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&amp;&nbsp;<\/strong><\/em><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:list -->\n<ul><li><em>To display the speed and encryption process, override the functions specified when creating the build, you can use the flags:<\/em><\/li><\/ul>\n<!-- \/divi:list -->\n\n<!-- divi:paragraph -->\n<p><em>-p, &#8211;paths &lt;PATHS&gt; &#8211; forced indication of paths<\/em><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p><em>-v, &#8211;verbose &#8211; output the log to the console<\/em><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p><em>&#8211;no-vm-kill &#8211; do not stop VM (use if VMs are manually stopped, otherwise VM files will not be encrypted)<\/em><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p><em>&#8211;no-vm-snapshot-kill &#8211; do not delete snapshots (use if snapshots were manually removed)<\/em><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p><em>&#8211;ui &#8211; launch with a graphical interface<\/em><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p><strong><em>How to run Windows locker on one PC?<\/em><\/strong><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:list {\"ordered\":true,\"type\":\"1\"} -->\n<ol type=\"1\"><li><em>Load the build and run cmd \/ powershell from the administrator, go to the folder with the locker and start ALWAYS with the token (obtained when creating the build)<\/em><\/li><\/ol>\n<!-- \/divi:list -->\n\n<!-- divi:paragraph -->\n<p><strong><em>.\/sample_alfa_x86_64_linux_encrypt_app.exe &#8211;access-token XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&nbsp; <\/em><\/strong><em><\/em><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:list -->\n<ul><li><em>To display the speed and encryption process, override the functions specified when creating the build, you can use the flags:<\/em><\/li><\/ul>\n<!-- \/divi:list -->\n\n<!-- divi:paragraph -->\n<p><em>-p, &#8211;paths &lt;PATHS&gt; &#8211; forced indication of paths<\/em><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p><em>-v, &#8211;verbose &#8211; output the log to the console<\/em><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p><em>&#8211;no-net &#8211; do not encrypt network shares<\/em><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p><em>&#8211;no-prop &#8211; do not use the worm&rsquo;s functionality (self-propagation by getting a list of ip in the arp table and trying to psexec with accounts hammered in for impersonation)<\/em><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p><em>&#8211;ui &#8211; launch with a graphical interface<\/em><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p><strong><em>How to run Windows locker on one PC using drag and drop?<\/em><\/strong><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:list {\"ordered\":true,\"type\":\"1\"} -->\n<ol type=\"1\"><li><em>Load the build and run cmd \/ powershell as administrator, go to the folder with the locker and start ALWAYS with the token (obtained when creating the build) and the flag <strong>&#8211;drag-and-drop-target&nbsp;<\/strong><\/em><\/li><\/ol>\n<!-- \/divi:list -->\n\n<!-- divi:paragraph -->\n<p><strong><em>&nbsp;&nbsp;&nbsp; .\/sample_alfa_x86_64_linux_encrypt_app.exe &#8211;access-token XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX &#8211;drop-drag-and-drop-target<\/em><\/strong><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:list -->\n<ul><li><em>A .bat file will appear in the folder with the locker, onto which you can drag files, folders, disks, etc.<\/em><\/li><\/ul>\n<!-- \/divi:list -->\n\n<!-- divi:paragraph -->\n<p><strong><em>How to run Windows locker in the whole domain?<\/em><\/strong><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:list {\"ordered\":true,\"type\":\"1\"} -->\n<ol type=\"1\"><li><em>Load the build on the <strong>PDC<\/strong> and run cmd \/ powershell as administrator, go to the folder with the locker and copy it to C:  WINDOWS  sysvol  sysvol  * yourdomain *  scripts<\/em><\/li><\/ol>\n<!-- \/divi:list -->\n\n<!-- divi:paragraph -->\n<p><strong><em>copy sample_alfa_x86_64_linux_encrypt_app.exe C:WINDOWSsysvolsysvol*yourdomain*scriptslocker.exe&nbsp;<\/em><\/strong><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p><em>* The locker.exe file must be accessible via \\ yourdomain  netlogon  locker.exe&nbsp;<\/em><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:list -->\n<ul><li><em>In the group policy editor, change the Default Group Policy or create a new one and link to Default.<\/em><\/li><li><em>Change Computer \/ User Configuration &gt; Preferences &gt; Control Panel Settings &gt; Scheduled Tasks<\/em><\/li><li><em>When creating a new task on the General tab, fill in the name, description (optional), tick the Run with highest privileges checkbox and select the user SYSTEM<\/em><\/li><li><em>On the Actions tab, click New and fill in the fields as follows:<\/em><\/li><\/ul>\n<!-- \/divi:list -->\n\n<!-- divi:paragraph -->\n<p><em>Action \u2192 Start a program&nbsp;<\/em><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p><em>Program\/script \u2192 cmd.exe&nbsp;&nbsp;<\/em><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p><em>Add arguments(optional) \u2192 \/c \\yourdomainnetlogonlocker.exe &#8211;access-token XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&nbsp;<\/em><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p><em>Start in (optional) \u2192 leave blank<\/em><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:list -->\n<ul><li><em>We accept all changes through apply \/ ok and close the group policy editor.<\/em><\/li><li><em>On the PDC, we execute the gpupdate \/ force command, after a while the network will begin to be encrypted.<\/em><\/li><\/ul>\n<!-- \/divi:list -->\n\n<!-- divi:paragraph -->\n<p><em>A complete list of functions is available via -h, &#8211;help<\/em><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:heading {\"level\":3} -->\n<h3 id=\"domain\">Domain analysis of the ALPHV\u2019s infrastructure<\/h3>\n<!-- \/divi:heading -->\n\n<!-- divi:paragraph -->\n<p>When investigating first the status of the host (resolved by the IP address <em>141.136.44[.]54<\/em>), the latter was found to be up and located in Lithuania Vilnius. Besides, all common ports are securely filtered or closed but the 80 (http), amongst which, a RDP port is available and very often used as the entry vector by brute forcing weak accounts. Passive HTTP server banners reveals that the attacker has set up an Apache server (with a current version installed being 2.4.29 though a <a href=\"https:\/\/httpd.apache.org\/download.cgi#apache24\">2.4.52<\/a>&nbsp;version was released the 2021-12-20) on an Ubuntu Linux distribution. The attackers have added a module to compress the traffic as shown by a passive analysis of the banners (content-encoding: gzip), most likely to lure malware scanners and keep surmise while upload\/download operations get faster.<\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p>We found two domains that resolved to that the given IP address:<\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p><strong>support-global-it-ss[.]com<\/strong><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p><strong>hosting-global-it-ss[.]com<\/strong><strong><\/strong><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:paragraph -->\n<p>The homepages indicates that those websites proposes IT support services, which seem to belong to the same structure and could be legitimate. No direct link with the malicious activities emanating from the given IP could be established.<\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:separator -->\n<hr class=\"wp-block-separator\"\/>\n<!-- \/divi:separator -->\n\n<!-- divi:image {\"align\":\"center\",\"id\":222558,\"width\":178,\"height\":114,\"sizeSlug\":\"large\",\"linkDestination\":\"none\"} -->\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2022\/01\/undraw_Software_engineer_re_fyew-1024x655.png\" alt=\"\" class=\"wp-image-222558\" width=\"178\" height=\"114\"\/><\/figure><\/div>\n<!-- \/divi:image -->\n\n<!-- divi:paragraph {\"align\":\"center\",\"fontSize\":\"normal\"} -->\n<p class=\"has-text-align-center has-normal-font-size\"><strong>Do you want to know more about adversaries\u2019 TTPs and emerging threats targeting your organization? Our CTI team has a solution dedicated to producing knowledge on cyber threats through two complementary offers :<\/strong><\/p>\n<!-- \/divi:paragraph -->\n\n<!-- divi:list {\"fontSize\":\"normal\"} -->\n<ul class=\"has-normal-font-size\"><li>Information reports : a continuous <a href=\"https:\/\/www.intrinsec.com\/veille-cybersecurite\/\">monitoring service<\/a> of the main cyber threats (vulnerabilities and attack campaigns)<\/li><li>Sector intelligence papers : produced on a weekly or monthly basis and informing you about the threats targeting your industry (last attack campaigns, incident response sharing of experience and evolution of the cybercriminal ecosystem)<br><\/li><\/ul>\n<!-- \/divi:list -->\n\n<!-- divi:paragraph {\"align\":\"center\",\"fontSize\":\"normal\"} -->\n<p class=\"has-text-align-center has-normal-font-size\"> <strong>If you wish to know <a href=\"https:\/\/www.intrinsec.com\/cyber-threat-intelligence\/\">more about our solutions<\/a>, please contact us at:&nbsp;<a href=\"mailto:contact@intrinsec.com\" rel=\"noreferrer noopener\" target=\"_blank\">contact@intrinsec.com<\/a> <\/strong><\/p>\n<!-- \/divi:paragraph -->[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]\n\n\n\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":1,"featured_media":222598,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10],"tags":[],"class_list":["post-222523","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-bulletin-danalyse"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v28.0 (Yoast SEO v28.0) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>ALPHV ransomware gang analysis - INTRINSEC<\/title>\n<meta name=\"description\" content=\"ALPHV (or BlackCat or Noberus) ransomware emerged only last December and is already considered as a genuine threat that blue teams should be ready to fight against while little is known on the employed entry vector(s).\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.intrinsec.com\/en\/alphv-ransomware-gang-analysis\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"ALPHV ransomware gang analysis\" \/>\n<meta property=\"og:description\" content=\"ALPHV (or BlackCat or Noberus) ransomware emerged only last December and is already considered as a genuine threat that blue teams should be ready to fight against while little is known on the employed entry vector(s).\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.intrinsec.com\/en\/alphv-ransomware-gang-analysis\/\" \/>\n<meta property=\"og:site_name\" content=\"INTRINSEC\" \/>\n<meta property=\"article:published_time\" content=\"2022-01-26T19:03:00+00:00\" \/>\n<meta name=\"author\" content=\"Intrinsec\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@Intrinsec\" \/>\n<meta name=\"twitter:site\" content=\"@Intrinsec\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Intrinsec\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"45 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/alphv-ransomware-gang-analysis\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/alphv-ransomware-gang-analysis\\\/\"},\"author\":{\"name\":\"Intrinsec\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#\\\/schema\\\/person\\\/ade590fbc7ad6f413727bae7cd3fb799\"},\"headline\":\"ALPHV ransomware gang analysis\",\"datePublished\":\"2022-01-26T19:03:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/alphv-ransomware-gang-analysis\\\/\"},\"wordCount\":8130,\"publisher\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/alphv-ransomware-gang-analysis\\\/#primaryimage\"},\"thumbnailUrl\":\"\",\"articleSection\":[\"Bulletin d'analyse\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/alphv-ransomware-gang-analysis\\\/\",\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/alphv-ransomware-gang-analysis\\\/\",\"name\":\"ALPHV ransomware gang analysis - INTRINSEC\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/alphv-ransomware-gang-analysis\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/alphv-ransomware-gang-analysis\\\/#primaryimage\"},\"thumbnailUrl\":\"\",\"datePublished\":\"2022-01-26T19:03:00+00:00\",\"description\":\"ALPHV (or BlackCat or Noberus) ransomware emerged only last December and is already considered as a genuine threat that blue teams should be ready to fight against while little is known on the employed entry vector(s).\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/alphv-ransomware-gang-analysis\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.intrinsec.com\\\/alphv-ransomware-gang-analysis\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/alphv-ransomware-gang-analysis\\\/#primaryimage\",\"url\":\"\",\"contentUrl\":\"\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/alphv-ransomware-gang-analysis\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\\\/\\\/www.intrinsec.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"ALPHV ransomware gang analysis\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#website\",\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/\",\"name\":\"INTRINSEC\",\"description\":\"Notre m\u00e9tier , Prot\u00e9ger le v\u00f4tre\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.intrinsec.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#organization\",\"name\":\"INTRINSEC\",\"alternateName\":\"ISEC\",\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/wp-content\\\/uploads\\\/2025\\\/02\\\/libellule.png\",\"contentUrl\":\"https:\\\/\\\/www.intrinsec.com\\\/wp-content\\\/uploads\\\/2025\\\/02\\\/libellule.png\",\"width\":1322,\"height\":1322,\"caption\":\"INTRINSEC\"},\"image\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/Intrinsec\",\"https:\\\/\\\/fr.linkedin.com\\\/company\\\/intrinsec\",\"https:\\\/\\\/www.youtube.com\\\/channel\\\/UC0trUZAHNZOUbxYnNdecM4A\"],\"description\":\"soci\u00e9t\u00e9 de consulting, pure player cybers\u00e9curit\u00e9 fran\u00e7ais et europ\u00e9en depuis plus de 30ans, sp\u00e9cialiste dans la s\u00e9curit\u00e9 offensive & audit (pentest\\\/red team), GRC, et services IMSS comme le SOC, CTI et CERT Intrinsec est qualifi\u00e9 PASSI Elev\u00e9, PRIS Elev\u00e9 et PACS par l'ANSSI\",\"email\":\"contact@intrinsec.com\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#\\\/schema\\\/person\\\/ade590fbc7ad6f413727bae7cd3fb799\",\"name\":\"Intrinsec\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/fde6ed961c7078765b03a213927b5c4001b1cef4787255188f5b502a99e6ddd6?s=96&d=retro&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/fde6ed961c7078765b03a213927b5c4001b1cef4787255188f5b502a99e6ddd6?s=96&d=retro&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/fde6ed961c7078765b03a213927b5c4001b1cef4787255188f5b502a99e6ddd6?s=96&d=retro&r=g\",\"caption\":\"Intrinsec\"},\"sameAs\":[\"https:\\\/\\\/www.intrinsec.com\"],\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/en\\\/author\\\/ufhtbqccsz\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"ALPHV ransomware gang analysis - INTRINSEC","description":"ALPHV (or BlackCat or Noberus) ransomware emerged only last December and is already considered as a genuine threat that blue teams should be ready to fight against while little is known on the employed entry vector(s).","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.intrinsec.com\/en\/alphv-ransomware-gang-analysis\/","og_locale":"en_US","og_type":"article","og_title":"ALPHV ransomware gang analysis","og_description":"ALPHV (or BlackCat or Noberus) ransomware emerged only last December and is already considered as a genuine threat that blue teams should be ready to fight against while little is known on the employed entry vector(s).","og_url":"https:\/\/www.intrinsec.com\/en\/alphv-ransomware-gang-analysis\/","og_site_name":"INTRINSEC","article_published_time":"2022-01-26T19:03:00+00:00","author":"Intrinsec","twitter_card":"summary_large_image","twitter_creator":"@Intrinsec","twitter_site":"@Intrinsec","twitter_misc":{"Written by":"Intrinsec","Est. reading time":"45 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.intrinsec.com\/alphv-ransomware-gang-analysis\/#article","isPartOf":{"@id":"https:\/\/www.intrinsec.com\/alphv-ransomware-gang-analysis\/"},"author":{"name":"Intrinsec","@id":"https:\/\/www.intrinsec.com\/#\/schema\/person\/ade590fbc7ad6f413727bae7cd3fb799"},"headline":"ALPHV ransomware gang analysis","datePublished":"2022-01-26T19:03:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.intrinsec.com\/alphv-ransomware-gang-analysis\/"},"wordCount":8130,"publisher":{"@id":"https:\/\/www.intrinsec.com\/#organization"},"image":{"@id":"https:\/\/www.intrinsec.com\/alphv-ransomware-gang-analysis\/#primaryimage"},"thumbnailUrl":"","articleSection":["Bulletin d'analyse"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.intrinsec.com\/alphv-ransomware-gang-analysis\/","url":"https:\/\/www.intrinsec.com\/alphv-ransomware-gang-analysis\/","name":"ALPHV ransomware gang analysis - INTRINSEC","isPartOf":{"@id":"https:\/\/www.intrinsec.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.intrinsec.com\/alphv-ransomware-gang-analysis\/#primaryimage"},"image":{"@id":"https:\/\/www.intrinsec.com\/alphv-ransomware-gang-analysis\/#primaryimage"},"thumbnailUrl":"","datePublished":"2022-01-26T19:03:00+00:00","description":"ALPHV (or BlackCat or Noberus) ransomware emerged only last December and is already considered as a genuine threat that blue teams should be ready to fight against while little is known on the employed entry vector(s).","breadcrumb":{"@id":"https:\/\/www.intrinsec.com\/alphv-ransomware-gang-analysis\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.intrinsec.com\/alphv-ransomware-gang-analysis\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.intrinsec.com\/alphv-ransomware-gang-analysis\/#primaryimage","url":"","contentUrl":""},{"@type":"BreadcrumbList","@id":"https:\/\/www.intrinsec.com\/alphv-ransomware-gang-analysis\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.intrinsec.com\/"},{"@type":"ListItem","position":2,"name":"ALPHV ransomware gang analysis"}]},{"@type":"WebSite","@id":"https:\/\/www.intrinsec.com\/#website","url":"https:\/\/www.intrinsec.com\/","name":"INTRINSEC","description":"Our job is to protect yours.","publisher":{"@id":"https:\/\/www.intrinsec.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.intrinsec.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.intrinsec.com\/#organization","name":"INTRINSEC","alternateName":"ISEC","url":"https:\/\/www.intrinsec.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.intrinsec.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/02\/libellule.png","contentUrl":"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/02\/libellule.png","width":1322,"height":1322,"caption":"INTRINSEC"},"image":{"@id":"https:\/\/www.intrinsec.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/Intrinsec","https:\/\/fr.linkedin.com\/company\/intrinsec","https:\/\/www.youtube.com\/channel\/UC0trUZAHNZOUbxYnNdecM4A"],"description":"Intrinsec, a consulting firm and pure-play French and European cybersecurity provider for over 30 years, specializes in offensive security and auditing (penetration testing\/red teams), GRC, and IMSS services such as SOC, CTI, and CERT. Intrinsec is qualified at PASSI High, PRIS High, and PACS levels by ANSSI.","email":"contact@intrinsec.com"},{"@type":"Person","@id":"https:\/\/www.intrinsec.com\/#\/schema\/person\/ade590fbc7ad6f413727bae7cd3fb799","name":"Intrinsic","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/fde6ed961c7078765b03a213927b5c4001b1cef4787255188f5b502a99e6ddd6?s=96&d=retro&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/fde6ed961c7078765b03a213927b5c4001b1cef4787255188f5b502a99e6ddd6?s=96&d=retro&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/fde6ed961c7078765b03a213927b5c4001b1cef4787255188f5b502a99e6ddd6?s=96&d=retro&r=g","caption":"Intrinsec"},"sameAs":["https:\/\/www.intrinsec.com"],"url":"https:\/\/www.intrinsec.com\/en\/author\/ufhtbqccsz\/"}]}},"_links":{"self":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/posts\/222523","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/comments?post=222523"}],"version-history":[{"count":0,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/posts\/222523\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/media?parent=222523"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/categories?post=222523"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/tags?post=222523"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}