In late 2021, we observed a new ransomware operation named “ALPHV” (also known as BlackCat) emerge. The group operates as a ransomware-as-a-service (RaaS) program and much like other ransomware groups active today, it practices the double-extortion method, threatening to publish victims’ data on its data-leak website, in addition to encrypting their systems. What makes ALPHV unique is that the ransomware was written in the RUST programming language, making it the first ransomware group to successfully develop and use a RUST-based ransomware. Since ALPHV was released, the group has posted close to 100 victims to its data-leak site, and it remains highly active at the time of writing.
Over the past month, Digital Shadows has been closely monitoring ALPHV, due to the uniqueness of the group and its recent burst in activity, posting more than 30 organizations to its data-leak site over the past month. In this blog, we will cover the ALPHV affiliate program, explain how ALPHV operates, and the history of the group.
THE AFFILIATE PROGRAM
One of the first public appearances of ALPHV occurred on the RAMP cybercriminal forum on 09 Dec 2021, where a representative of the group promoted the ALPHV RaaS program and attempted to recruit affiliates. In this post, ALPHV operators advertised the new “ALPHV-ng (New Generation)” RaaS partner program, which they described as the next generation of ransomware. The ransomware had been written from scratch and have many features, including:
- Four encryption modes : full, fast, DotPattern, and Auto. It uses the two encryption algorithms ChaCha20 and AES.
- Infrastructure fragmented with nodes that are interconnected and located behind “NAT + FW”. The infrastructure is set up so that attackers will not reveal the real IP addresses of their servers when receiving cmdshells.
- Functional on different platforms including various versions of Linux (ESXI, Debian, Ubuntu, and ReadyNas) and all versions from Windows 7 and above.
- Generated “a unique onion domain” for “each new victim”
The representative also claimed that ALPHV had fixed gaps that other ransomware variants like “LockBit”, “REvil” , and “Conti” had not accounted for. They also alluded to their method for moving money with cryptocurrency, claiming that they have a “built-in mixer” that provides a break in tracking blockchain transactions.
The representative also stated that the group would not tolerate inactivity. Any affiliates who did not perform any activity for two weeks would have their accounts frozen and subsequently deleted. In addition, targeting of countries in the Commonwealth of Independent States (CIS) region was strictly prohibited, also including China, Taiwan, Hong Kong, and Turkey.
The payout rate for affiliates was described to be “dynamic” and “depend on the amount of a single payment from each company”:
- For ransom payments up to USD 1.5 million, affiliates earn 80% of the final ransom.
- For ransom payments up to USD 3 million, affiliates earn 85% of the final ransom.
- For ransom payments above USD 3 million, affiliates earn 90% of the final ransom.
ALPHV continued with its recruiting efforts since then, making posts seeking for “experienced pentesters, of the level you haven’t seen before” in December 2021, and a post seeking for initial access brokers (IABs) in March 2022. The group’s primary method of communication and recruiting remained the RAMP cybercriminal forum, which is a Russian-language forum that is focused on ransomware.
The affiliate program received positive feedback from users on RAMP. Digital Shadows observed many users on RAMP speaking highly about the professionalism of the group and effectiveness of its tools. For example, one user stated that ALPHV ransomware was a “very quality, comfortable, and quick software” and “the best” partner program they have ever worked with. However, other users were more skeptical and warned that ALPHV was not a partner program for beginners.
NOT SO RUST-Y – HOW ALPHV OPERATES
ALPHV likely uses multiple techniques to gain initial access to its target. As the RaaS program relies on affiliates to distribute its ransomware, these techniques are expected to differentiate depending on the affiliate. Common Initial access vectors include the exploitation of common vulnerabilities and compromised credentials. It is also likely that ALPHV affiliates are using access to compromised networks provided by initial access brokers, to gain a foothold in victims’ environments.
The FBI stated that ALPHV has been known to leverage compromised user credentials to gain initial access, and once it established that access, it compromised Active Directory user and admin accounts. The malware then used Windows Task Scheduler to deploy the ALPHV ransomware via malicious Group Policy Objects (GPOs). ALPHV leveraged PowerShell scripts and Cobalt Strike in its initial deployment, and it also leveraged Windows admin tools and Sysinternals during compromise.
ALPHV has also been observed using various additional evasion techniques to disable system defenses that may cause issues for the encryption process. To maintain persistent access in a victim’s environment, ALPHV carefully avoids shutting down critical processes and application folders.
ALPHV affiliates conducted reconnaissance within the compromised networks. This includes identifying sensitive data for exfiltration and high-value systems to encrypt. The ransomware then attempted to exfiltrate the victim’s information, including data stored by cloud providers, prior to encrypting data.
Following successful exfiltration and encryption of files and data, ALPHV leaves a customized ransom note behind (see Figure 1). The note details the amount and type of stolen data, instructions to contact the ransomware group and recover the data, and a URL for its data-leak website, where stolen files will be released if ransom demands are not met.
LINKS TO OTHER RANSOMWARE GROUPS
ALPHV has been associated with two other ransomware groups: DarkSide and BlackMatter. Design overlaps between ALPHV and DarkSide have prompted rumors that ALPHV was a rebrand of DarkSide following the latter’s high-profile attack on the Colonial Pipeline. On underground cybercriminal forums, the representative of the “LockBit” ransomware also initiated threads to state that ALPHV was a rebrand of DarkSide and BlackMatter RaaS programs.
While ALPHV denied to be a rebrand of DarkSide or BlackMatter, developers and money launderers from ALPHV are linked to DarkSide/BlackMatter, according to the FBI. Therefore, while ALPHV may not be a rebrand, it is likely that the group recruited many members from these now inactive ransomware gangs.
Links between ALPHV and other ransomware cannot be ascertained. As ALPHV is written in Rust, it is unlikely that ALPHV has code similarities with other types of ransomware written in other programming languages.
ALPHV had a strong start to its operations. In Q1 2022, Digital Shadows observed 582 organizations falling victim to ransomware double-extortion attacks. ALPHV accounted for 10.6% of all incidents during the quarter, making it one of the top 5 most active gangs during the quarter. If ALPHV continues this level of activity, it is likely that the group will become a big name in the ransomware threat landscape, like Conti, LockBit, and REvil.
Digital Shadows monitors ransomware groups like ALPHV on a daily basis, providing indicators of compromise (IoCs), a daily feed of victims, techniques and associations with the group, and an intuitive breakdown of targeting by sectors and geographies. You can sign up for our SearchLight platform to stay up-to-date with ransomware threats like ALPHV. Digital Shadows monitors more than 30 active ransomware data-leak sites, and this number is expected to continue growing. Our previous blog article Tracking Ransomware Within SearchLight shows you how SearchLight tracks emerging variants, enables you to export and block associated malicious indicators in various formats, instantly analyze popular targets, and map to your security controls with ease.