The BlackCat (ALPHV) ransomware group has been observed using stolen Microsoft accounts and a recently spotted encryptor, known as Sphynx, to encrypt victims' Azure Storage accounts.
The activity was uncovered by the Sophos X-Ops incident response team while investigating a recent attack.
The attackers used a new variant of the Sphynx encryptor that adds support for custom credentials, which is how the stolen cloud keys described further down were supplied to it.
Access to the victim's Sophos Central account did not come from the encryptor but from a stolen One-Time Password (OTP), lifted from the victim's LastPass vault through the LastPass Chrome extension. With that OTP the attackers logged into Sophos Central, disabled Tamper Protection and modified the security policies, weakening the endpoint protection before the encryptor ran. The lesson for defenders is that an OTP seed stored in the same vault as the password it is meant to protect collapses both factors into one: whoever gets the vault (or the logged-in browser extension) gets both.
Using this elevated access, the attackers encrypted both the victim's local systems and its remote Azure cloud storage, appending the ".zk09cvt" extension to the encrypted files. In total, 39 Azure Storage accounts were encrypted.
The attackers reached the victim's Azure portal with a stolen Azure key and, from there, the targeted storage accounts. The keys were Base64-encoded and embedded in the ransomware binary. Base64 is an encoding, not encryption: a single decode recovers the keys from the sample, so anyone holding the binary holds the keys, and the keys must be treated as compromised and rotated.
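As an added example, not code from Sophos, Microsoft or the Sphynx sample, the following Python triage helper shows how a responder can pull Base64-encoded Azure Storage credentials out of a sample to learn which storage accounts and keys need rotating. It assumes the credential was embedded either as a Base64-encoded Azure Storage connection string or as a Base64-encoded bare account key (the page does not say which form the real sample used); the sample bytes, the account name `victimstore01` and both keys are constructed and fake.

```python
"""Triage helper: find Base64-encoded Azure Storage credentials in a sample.

Added example, not code from the Sophos report or from the Sphynx sample.
Assumption: the stolen credential sits in the binary either as a Base64-encoded
Azure Storage connection string or as a Base64-encoded bare account key.
"""
import base64
import binascii
import re

# An Azure Storage account key is 64 random bytes, which Base64 to 88 chars
# ending in "==". Connection strings carry the account name next to the key.
KEY_RE = rb"[A-Za-z0-9+/]{86}=="
CONN_STR = re.compile(rb"AccountName=([a-z0-9]{3,24});AccountKey=(" + KEY_RE + rb")")
BARE_KEY = re.compile(KEY_RE)
# Candidate Base64 runs: an 88-char key encodes to 120 chars, so 100+ is a safe floor.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{100,}={0,2}")


def _decodings(run):
    """Yield every decoding of a Base64 run that parses cleanly, trying all four
    alignments in case the run swallowed leading junk characters."""
    for shift in range(4):
        body = run[shift:].rstrip(b"=")
        if len(body) % 4 == 1:          # never valid Base64, skip the attempt
            continue
        body += b"=" * (-len(body) % 4)  # restore padding for the decoder
        try:
            yield base64.b64decode(body, validate=True)
        except (binascii.Error, ValueError):
            continue


def find_azure_credentials(data):
    """Return hits (offset, kind, account, key_prefix) for Azure Storage
    credentials hidden behind Base64 in `data`. Only the first 8 chars of the
    key are kept: enough to tell which key to rotate, without copying secrets
    into the report."""
    hits, seen = [], set()

    def record(offset, kind, account, key):
        if key not in seen:
            seen.add(key)
            hits.append({"offset": offset, "kind": kind, "account": account,
                         "key_prefix": key[:8]})

    for m in B64_RUN.finditer(data):
        for decoded in _decodings(m.group(0)):
            for c in CONN_STR.finditer(decoded):
                record(m.start(), "connection_string",
                       c.group(1).decode(), c.group(2).decode())
            for k in BARE_KEY.finditer(decoded):  # already-seen keys are skipped
                record(m.start(), "bare_key", None, k.group(0).decode())
    return hits


# ---- constructed sample: not a real binary, not real keys ----
FAKE_KEY_A = base64.b64encode(bytes(range(64)))        # 88 chars, "==" terminated
FAKE_KEY_B = base64.b64encode(bytes(range(64, 128)))
FAKE_CONN = (b"DefaultEndpointsProtocol=https;AccountName=victimstore01;"
             b"AccountKey=" + FAKE_KEY_A + b";EndpointSuffix=core.windows.net")
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 16                 # stand-in header bytes
          + b"--creds\x00" + base64.b64encode(FAKE_CONN) + b"\x00"
          + b"\x90" * 8 + base64.b64encode(FAKE_KEY_B) + b"\x00")

if __name__ == "__main__":
    for hit in find_azure_credentials(SAMPLE):
        print(hit)
```

Run against the constructed sample it reports one connection string for `victimstore01` and one bare key. The account names are what matter operationally: every account whose key appears in the sample needs its keys regenerated (for example with `az storage account keys renew`), and any other copies of those keys in scripts or CI secrets need to be replaced, because the binary has made them public to everyone who obtains a copy.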
During the intrusion the attackers also used several Remote Monitoring and Management (RMM) tools, including AnyDesk, Splashtop and Atera. Legitimate RMM tools blend in with normal administration, so their unexpected installation on endpoints is a useful hunting signal.
Sophos first identified the Sphynx variant in March 2023, while investigating a data breach that closely resembled an attack described in an IBM X-Force report published in May.
Sphynx Embeds the Remcom Hacking Tool
Microsoft, for its part, recently found that the Sphynx encryptor embeds the Remcom hacking tool (an open-source PsExec-style remote command execution utility) and the Impacket networking framework. Both are used for lateral movement inside compromised networks, a sign of the ransomware group's growing capabilities.
BlackCat/ALPHV surfaced in November 2021 and is believed to be a rebrand of the DarkSide/BlackMatter gang. Operating as DarkSide, the group gained worldwide notoriety after breaching Colonial Pipeline in May 2021, which brought global law enforcement scrutiny; it rebranded as BlackMatter in July 2021.
BlackMatter's operations were halted in November 2021 after law enforcement seized its servers and security firm Emsisoft found a weakness that let it build a decryptor.
The group consistently ranks among the most sophisticated and high-profile ransomware threats to enterprises worldwide, and it keeps adapting its tactics, as the recent developments show.
For instance, last summer the gang adopted a new extortion tactic: a dedicated clear web website for leaking stolen data, so that the victim's customers and employees can check whether their own data was exposed, which raises the pressure on the victim to pay.
More recently, in July, BlackCat introduced a data leak API to speed up distribution of stolen data. One of the group's affiliates, known as Scattered Spider, claimed responsibility for the recent attack on MGM Resorts.
The affiliate encrypted more than 100 ESXi hypervisors after the company refused to negotiate a ransom payment.
In April 2022 the FBI issued a warning about the group, noting that it had breached more than 60 entities worldwide between November 2021 and March 2022.
BlackCat/ALPHV remains a persistent and evolving threat, and the encryption of Azure Storage accounts described here shows that cloud storage needs the same backups, credential hygiene and monitoring as on-premises systems.