An FBI flash alert released this week suggests that the law enforcement agency has identified at least 60 ransomware attacks worldwide by the BlackCat (ALPHV) group between November 2021 and March 2022.
The flash alert highlights the tactics, techniques, and procedures (TTPs) employed and indicators of compromise (IOCs) associated with ransomware groups spotted during FBI investigations.
According to the FBI's Cyber Division, BlackCat also tracked as ALPHV and Noberus "is the first ransomware group to do so successfully using RUST, considered to be a more secure programming language that offers improved performance and reliable concurrent processing."
BlackCat's ransomware executable is also highly customizable and is loaded with several encryption methods and options that make it easy to adapt attacks to a wide range of industrial organizations.
"Many of the developers and money launderers for BlackCat/ALPHV are linked to Darkside/Blackmatter, indicating they have extensive networks and experience with ransomware operations," the FBI added.
Security researchers recently revealed an increased interest from BlackCat operators in targeting industrial organizations. BlackCat affiliates often demand ransom payments of millions of dollars, but they have been observed accepting lower payments after negotiations with their victims.
For initial access, the FBI explains, BlackCat employs compromised user credentials. Next, Active Directory user and administrator accounts are compromised and malicious Group Policy Objects (GPOs) are used to deploy the ransomware, but not before victim data is exfiltrated.
As part of observed BlackCat assaults, PowerShell scripts, Cobalt Strike Beacon, and authentic Windows tools and Sysinternals utilities have been used. The malicious actors were also seen disabling security features to move unhindered within the victim’s network.
As usual, the FBI recommends not paying the ransom, as this would not guarantee the recovery of compromised data, and urges organizations to proactively deploy cybersecurity defenses that can help them prevent ransomware attacks.
Since the start of the year, the notorious group has taken credit for ransomware attacks on US schools like Florida International University and North Carolina A&T University and has already breached dozens of US critical infrastructure organizations.
The group was first spotted in November 2021 and became known for aggressively posting details about its victims publicly. Emsisoft threat analyst Brett Callow and others previously said the group is a rebrand of the BlackMatter and DarkSide ransomware groups, something the FBI also highlighted in its notice.
