History
2024: State Department announces $10 million reward for ALPHV BlackCat information
On March 27, 2024, the US State Department announced a $10 million reward for information on the ransomware operators who have caused billions of dollars in losses to the US health care system: the ALPHV BlackCat group, which conducts cyber attacks using ransomware.
2023: FBI hacked the infrastructure of Russian-speaking ransomware hackers, which angered them
In December 2023, the US Department of Justice announced[1] that it had disrupted the infrastructure of the Russian-speaking hacker gang Black Cat (BlackCat, aka ALPHV, aka Noberus), operator of a ransomware-as-a-service (RaaS) platform. US law enforcement obtained the group's decryption keys, which allowed it to build a tool for restoring the IT infrastructure of companies hit by the group. According to the FBI, which worked with dozens of the group's victims, total ransom demands against US companies amounted to $68 million.
"Today's announcement underscores the Justice Department's ability to combat even the most sophisticated and prolific cybercriminals," Markenzy Lapointe, U.S. Attorney for the Southern District of Florida, explained in a news release. "As a result of the tireless efforts of our office, together with the FBI in Miami, the U.S. Secret Service and our overseas law enforcement partners, we have provided Blackcat victims in the Southern District of Florida and around the world with the opportunity to get back on their feet and strengthen their digital defenses. We will continue to focus on holding the people behind the Blackcat ransomware group accountable for their crimes."
In the RaaS model, the platform's developers build the tools for encrypting and decrypting victims' IT systems, along with the infrastructure for pressuring victims and collecting ransoms. The actual intrusion into victims' corporate networks, the theft of confidential data from them and the launch of the ransomware on their hosts are carried out by affiliates, with whom the platform then shares the proceeds.
However, the press release itself noted that the Black Cat gang engaged not only in extortion for decrypting infrastructure but also in demanding ransom for stolen data, i.e. the victim had to pay so that its secret or confidential data would not be published. Now that a decryption tool has been released, the victim companies' confidential information will most likely be posted on the dark web.
Although the group's main Tor site was seized by the FBI and can no longer be used to publish stolen data, the group immediately set up an alternative Tor site. There its representatives claimed that law enforcement had compromised only a blog and one node of their network holding about 400 keys, that the rest remained intact, and that these held data on about 3,000 victims who would consequently not receive decryption keys. The group also announced that it was dropping all its rules on the choice of victims except one: not to attack companies in the CIS.
It should be noted that no activity by the group has yet been recorded on the territory of Russia.
"There are cases of attacks, attributed by industry colleagues to this group, in the Middle East and in Latin America," Pavel Kuznetsov, director of strategic alliances and interaction with state authorities at the Garda Group of Companies, explained to TAdviser. "According to the traces of their research and our own research, our competence center failed to detect activity on the territory of the Russian Federation; however, since ALPHV operates on the principle of ransomware-as-a-service, it can be assumed that the situation may change at any time."
2022: Software update and addition of victim data corruption feature
The BlackCat group has updated its Exmatter data theft tool, adding a data corruption feature that dramatically changes the tactics of affiliate attacks. This became known on September 26, 2022.
The sample was discovered by analysts at the information security company Cyderes and then passed to the Stairwell threat research team for further analysis. Exmatter has been used by BlackMatter affiliates since at least October 2021, but this is the first time it has been seen with a data destruction module.
Cyderes experts said that as files are uploaded to the attacker's server, they are queued for processing by the Eraser class. A segment of arbitrary length, starting at the beginning of the second file, is read into a buffer and then written over the beginning of the first file, overwriting and corrupting it.
This tactic of using data from one exfiltrated file to corrupt another may be an attempt to evade detection or heuristic analysis.
As Stairwell threat researchers found, Exmatter's data destruction capabilities are still in development, given the following:
- Exmatter has no mechanism for removing files from the queue, so some files may be overwritten many times before the program exits while others may never be selected for processing;
- The function that instantiates the Eraser class is not fully implemented and does not decompile properly. The length of the fragment of the second file used to overwrite the first is chosen at random and can be as little as one byte.
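The overwrite pattern described above leaves two artefacts a responder can look for when triaging a suspected exfiltration staging area: a file whose leading bytes no longer match the magic number its extension implies, and two different files that share an unusually long identical prefix. The Python below is an added example written for this page, not code from the original article or from the Cyderes/Stairwell analysis. The file set is constructed in memory, the MAGIC table holds real format signatures, and overwrite_prefix only mimics the described pattern on those in-memory bytes so the scanner has something to find.

```python
import os
from itertools import combinations
from random import Random

# Real magic numbers for a few common formats; the page does not list these.
MAGIC = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",
}


def build_constructed_set() -> dict:
    """Constructed in-memory stand-in for a staging directory (not real data)."""
    return {
        "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj << /Type /Catalog >> endobj\n"
        + b"Q3 figures " * 8,
        "photo.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR\x00\x00\x04\x00\x00\x00\x03\x00\x08\x06"
        + bytes(range(256)) * 2,
        "archive.zip": b"PK\x03\x04\x14\x00\x00\x00\x08\x00" + b"payroll.csv" + bytes(64),
        "notes.txt": b"Meeting notes: vendor review, incident retro, budget.\n" * 3,
    }


def overwrite_prefix(first: bytes, second: bytes, length=None, rng=None) -> bytes:
    """Mimic the described pattern on in-memory bytes: a segment read from the
    start of `second` is written over the start of `first`. The length is
    random (as the researchers note, possibly a single byte) unless fixed by
    the caller, which the tests below do for determinism."""
    if not second:
        return first
    if length is None:
        length = (rng or Random()).randint(1, len(second))
    length = min(length, len(second))
    return second[:length] + first[length:]


def magic_mismatch(name: str, data: bytes):
    """Return the expected magic bytes if the extension implies a signature the
    data lacks, else None. A single overwritten byte already breaks this."""
    expected = MAGIC.get(os.path.splitext(name)[1].lower())
    if expected is None or data.startswith(expected):
        return None
    return expected


def common_prefix_len(a: bytes, b: bytes) -> int:
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def scan(files: dict, min_shared: int = 32) -> dict:
    """Map each suspicious file name to a list of findings. `min_shared` must
    exceed the longest header legitimately shared by files of one format
    (e.g. PNG signature + IHDR chunk header is 16 bytes), or siblings of the
    same type will be reported. Identical copies are ignored: a duplicate is
    not the pattern we are looking for."""
    findings = {name: [] for name in files}
    for name, data in files.items():
        expected = magic_mismatch(name, data)
        if expected is not None:
            findings[name].append(f"header does not match {expected!r} expected for extension")
    for x, y in combinations(files, 2):
        if files[x] == files[y]:
            continue
        n = common_prefix_len(files[x], files[y])
        if n >= min_shared:
            findings[x].append(f"first {n} bytes identical to {y}")
            findings[y].append(f"first {n} bytes identical to {x}")
    return {k: v for k, v in findings.items() if v}


if __name__ == "__main__":
    files = build_constructed_set()
    print("clean set:", scan(files))
    damaged = dict(files)
    damaged["report.pdf"] = overwrite_prefix(files["report.pdf"], files["photo.png"], length=40)
    for name, reasons in scan(damaged).items():
        print(name, "->", "; ".join(reasons))
```

The prefix comparison is pairwise and therefore quadratic in the number of files, which is acceptable for a staging directory but should be replaced by hashing the first `min_shared` bytes of each file when scanning a whole file share. The magic-number check is the cheaper and more sensitive of the two, since the Eraser pattern always starts writing at offset zero.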
The researchers believe the data corruption feature could replace traditional ransomware attacks, in which data is stolen and then encrypted, with attacks in which data is stolen and then deleted or corrupted. Unlike the RaaS model, this lets the attacker keep all the proceeds of the attack, since there is no need to share a percentage with the ransomware developer.
With conventional encryption, attackers run the risk that the victim will find a way to decrypt the data and not pay. Destroying sensitive data after it is exfiltrated to the attacker's server removes that risk and serves as an additional incentive for victims to pay, while dropping the encryption stage speeds up the attack.
These factors are pushing affiliates to abandon the RaaS model in favor of ransomware that simply destroys data[2].