Recent BlackCat activity.
N2K, Dec 19, 2022

Discussion of the recent moves and activity of the BlackCat/ALPHV ransomware group.

The BlackCat/ALPHV ransomware group is showing some increased activity lately, including an attack on a Colombian energy supplier and the release of data from D.C.’s official convention and sports authority.

Attack on Colombian energy supplier.

BleepingComputer reports that Empresas Públicas de Medellín (EPM), an energy company in Colombia, fell victim to a ransomware attack carried out by the BlackCat ransomware group last Monday. The attack took the supplier’s online services down and disrupted company operations. How much data was stolen from one of Colombia’s largest public energy, water, and gas providers remains unclear as of this writing; security researcher Germán Fernández notes that just over 40 devices were listed in the threat actors’ ExMatter tool, which was discovered via a malware analysis site.

Release of Events DC data.

Following an October cyberattack on Events DC, the BlackCat ransomware group published on Thursday what they claim is approximately 80 gigabytes of data from the convention and sports authority, the Washington Post reports. The released data, which the ransomware group claims are “internal Events DC files,” include incident and injury reports filed by customers impacted by the breach, contracts, board minutes, bank statements and tax forms for employees, city plans, and arena security documents. Events DC has not confirmed that the documents are genuine.

Expert commentary on countering BlackCat/ALPHV.

Daniel Mayer, a threat researcher at Stairwell, comments on the BlackCat/ALPHV group and on the measures that should be taken in the event of an intrusion:

“ALPHV/BlackCat maintain a data leak site where they host stolen data to further extort all of their victims. Nothing is out of the ordinary with their data exfiltration tactics here. Although other versions of Exmatter analyzed have had evidence of data destruction capabilities, it looks like in this case it was merely used to exfiltrate data before deploying ALPHV ransomware. Stairwell’s threat research team talked with the ALPHV admin over a messaging service, where the admin stated they are planning to use data destruction as a tactic more when EDR prevents them from deploying ransomware. In our report on Exmatter, we illustrate how Exmatter is designed to corrupt file data using other files on the victim machine, potentially as a way to avoid EDR heuristics.

“These groups must be detected and ousted from a company’s network before they are at the point where they can deploy ransomware. This means detecting all the steps leading up to data extortion, such as phishing or the exploitation of known vulnerabilities as the initial point of entry, the installation of remote administration tools or post-exploitation frameworks, and the escalation of privileges through credential dumping and lateral movement until they reach domain admin. All of these actions make noise that can be caught in a timely manner with adequate detection and hunting capabilities. A commonality amongst all ransomware intrusions is that the threat actor must become domain administrator to deploy their ransomware enterprise-wide. Having a product like Inception, which can monitor what files are being written to your domain controller in real time, could help you know the second someone moves laterally onto that machine and deploys something like Cobalt Strike.”
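To make the detection idea in the commentary above concrete, here is an added example (not code from the article, from Stairwell, or from the Inception product) of a minimal rule that scores file-creation events on domain controllers. The events are constructed and modelled loosely on Sysmon Event ID 11 (FileCreate) fields; the hostnames, directory prefixes, suffix list and the list of commonly abused writer processes are all assumptions chosen for illustration, and a real deployment would tune them against its own baseline.

```python
"""
Added example: score file-creation events on domain controllers so that a
new executable-type file landing on a DC, especially one dropped into a
staging directory or written by a scripting host, raises an alert.
Not the article's or Stairwell's code; all names and lists are assumptions.
"""
import ntpath  # Windows-style path handling regardless of the analysis host
from dataclasses import dataclass

# Assumed inventory of domain controllers (constructed hostnames).
DOMAIN_CONTROLLERS = {"DC01", "DC02"}

# File types that deserve a look when newly written to a DC.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".hta", ".sys"}

# Directories where a fresh executable on a DC is most suspicious (assumed list).
STAGING_DIR_PREFIXES = (
    "c:\\windows\\temp\\",
    "c:\\users\\public\\",
    "c:\\perflogs\\",
    "c:\\programdata\\",
)

# Writer processes frequently used to stage a second-stage payload (illustrative, not exhaustive).
SUSPICIOUS_WRITERS = {"powershell.exe", "cmd.exe", "wmiprvse.exe", "rundll32.exe", "mshta.exe", "certutil.exe"}


@dataclass
class FileCreateEvent:
    host: str    # computer name the event was recorded on
    image: str   # full path of the process that created the file
    target: str  # full path of the file that was created
    user: str    # account the writing process ran as


def score_event(ev: FileCreateEvent):
    """Return an alert dict for a suspicious DC file write, or None if not interesting."""
    if ev.host.upper() not in DOMAIN_CONTROLLERS:
        return None  # only domain controllers are in scope for this rule
    path = ev.target.lower()
    _, ext = ntpath.splitext(path)
    if ext not in EXECUTABLE_SUFFIXES:
        return None  # routine data/log files are ignored
    reasons = [f"executable-type file ({ext}) created on domain controller {ev.host}"]
    severity = "medium"
    if path.startswith(STAGING_DIR_PREFIXES) or "\\appdata\\local\\temp\\" in path:
        reasons.append("written to a staging or temp directory")
        severity = "high"
    writer = ntpath.basename(ev.image.lower())
    if writer in SUSPICIOUS_WRITERS:
        reasons.append(f"written by {writer}")
        severity = "high"
    return {"host": ev.host, "severity": severity, "path": ev.target, "user": ev.user, "reasons": reasons}


# Constructed sample events: a workstation write, a normal DC log file, a payload
# dropped into C:\Windows\Temp via WMI, and a vendor agent updating its own plugin.
SAMPLE_EVENTS = [
    FileCreateEvent("WS-FIN-07", "C:\\Windows\\System32\\svchost.exe",
                    "C:\\Windows\\Temp\\update.dll", "CORP\\alice"),
    FileCreateEvent("DC01", "C:\\Windows\\System32\\lsass.exe",
                    "C:\\Windows\\NTDS\\edb.log", "NT AUTHORITY\\SYSTEM"),
    FileCreateEvent("DC01", "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
                    "C:\\Windows\\Temp\\svchost.exe", "CORP\\svc-backup"),
    FileCreateEvent("DC02", "C:\\Program Files\\Vendor\\Agent\\agent.exe",
                    "C:\\Program Files\\Vendor\\Agent\\plugin.dll", "NT AUTHORITY\\SYSTEM"),
]


def run(events=SAMPLE_EVENTS):
    """Evaluate every event and return the list of alerts, in input order."""
    return [alert for alert in (score_event(e) for e in events) if alert]


if __name__ == "__main__":
    for alert in run():
        print(alert["severity"].upper(), alert["host"], alert["path"], "|", "; ".join(alert["reasons"]))
```

The rule deliberately keys on the domain controller inventory first, since the commentary's point is that enterprise-wide ransomware deployment passes through domain admin and therefore through those hosts; everything else is a severity modifier that a team would adjust to its own environment.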