
ALPHV Ransomware expands its Arsenal of Extortion techniques

Searchable Databases compound the risk of Supply Chain Attacks

ALPHV ransomware, also known as “Blackcat,” is a ransomware strain written in the Rust programming language. It is also suspected to have links with members of the BlackMatter and DarkSide ransomware groups.

ALPHV ransomware operates on the Ransomware-as-a-Service (RaaS) model, enabling affiliates to use pre-developed ransomware tools. The group uses multiple extortion techniques, where the Threat Actors (TAs) initially exfiltrate the victim’s data and then encrypt it. If the victim fails to pay the ransom, the TAs release the data on their leak site.

The group now appears to have added a new extortion technique where they are providing leaked data in a searchable format.

We have witnessed a few threat groups in the past using searchable databases to extort their victims. The Karakurt data extortion group uses the same extortion technique, as shown in the figure below.

Figure 1 – Searchable Database created by Karakurt Data Extortion Group

Unlike the traditional extortion approach where TAs upload breached data on leak sites, certain TAs have also started providing the option to search for keywords in the uploaded data set.

On June 14, 2022, the ALPHV ransomware group posted sensitive details about one of their victims on their leak site. Along with their usual approach of uploading the stolen data on Tor sites, the group also created a website named victim_name.xyz for searching the SSN, Date of Birth (DOB), and email of the victim organization’s employees (shown in Figure 2).

The TAs have used this as a way of slandering the victim organization. We have only come across a single victim targeted using this extortion technique so far.

Figure 2 – Post made by ALPHV ransomware

Recently, the ALPHV ransomware TAs have developed a different extortion technique, creating a tool called “ALPHV Collections” to search for keywords in leaked databases.

A researcher highlighted a message from the TAs stating their intent to create a searchable database, possibly from the data of victims who failed to pay the ransom.

The group stated that all the databases would be hosted under the same resource rather than creating dedicated sites for searching the victim’s details.

Figure 3 – Message posted by ALPHV ransomware

The figure below shows the searchable database created by ALPHV ransomware, which the TAs dub “ALPHV Collections.” This tool can perform file content, filename, and wildcard (*) based searches.

Figure 4 – ALPHV Collections site

Risk of Supply Chain Attacks

We have seen multiple incidents in the past where TAs have leveraged leaked credentials to carry out supply chain attacks. Similarly, ALPHV Collections can be leveraged by other TAs to perform reconnaissance on their future victims. Currently, the database is not populated with many records, but we can expect that to change in the future.

TAs can easily access user login credentials and leverage them to carry out attacks on victim organizations’ customers. The figure below shows the search results for “RDP,” which contain victims’ RDP login credentials.

Figure 5 – RDP credentials

The figure below shows the search results for passwords, which contain multiple plain text login credentials.

Figure 6 – Plain text Login Credentials

ALPHV Collections has wide search capabilities. As the size of exfiltrated data in a ransomware attack can be huge, it is usually hosted over Tor. Downloading such databases, in some cases, can be a tedious process. This is where ALPHV Collections can assist TAs in searching for data points directly rather than downloading them, increasing the scope of an attack.

Conclusion

In less than a month, ALPHV ransomware has adopted two extortion techniques, highlighting how aggressively TAs are pushing to maximize their monetary gains. The more recent technique allows searching nearly complete leaked databases, whereas the previous technique was restricted to only SSN, DOB, and email.

Data exfiltrated during ransomware attacks contains a wide set of files, and some of them tend to contain PII and plain text passwords, which other TAs can leverage to conduct further attacks. It is thus essential for an organization to proactively monitor for third-party data leaks.
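The following is an added example, not part of the original post: a self-audit that applies the three search styles the post attributes to ALPHV Collections (filename, wildcard, file content) to an organization's own file shares, so that plain text credentials and PII are found and cleaned up before an exfiltration could make them searchable. The globs, regular expressions, and sample files are assumptions constructed for illustration.

```python
import fnmatch
import re
import tempfile
from pathlib import Path

# Assumed filename globs and content patterns; tune them to your environment.
NAME_GLOBS = ["*.rdp", "*passw*", "*cred*"]
CONTENT_RULES = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "plaintext_password": re.compile(r"(?i)\bpass(?:word|wd)?\s*[:=]\s*\S+"),
    "rdp_saved_password": re.compile(r"(?im)^password 51:b:"),
}
MAX_BYTES = 1_000_000  # read at most this much of each file

def audit_tree(root):
    """Return sorted (relative_path, rule) pairs; matched values are not returned."""
    findings = set()
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        findings.update((rel, "name:" + g) for g in NAME_GLOBS
                        if fnmatch.fnmatch(path.name.lower(), g))
        try:
            with path.open("rb") as fh:
                text = fh.read(MAX_BYTES).decode("utf-8", errors="ignore")
        except OSError:
            continue  # unreadable file: skip rather than abort the audit
        for rule, rx in CONTENT_RULES.items():
            if rx.search(text):
                findings.add((rel, "content:" + rule))
    return sorted(findings)

def demo():
    samples = {  # constructed sample share, written to a temporary directory
        "hr/staff.csv": "name,ssn\nJane Doe,123-45-6789\n",
        "it/jump-host.rdp": "full address:s:10.0.0.5\npassword 51:b:01000000D08C\n",
        "it/notes.txt": "vpn user: svc_backup\npassword = Example!Pass1\n",
        "docs/readme.txt": "Quarterly report draft.\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return audit_tree(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The report lists only paths and rule names, so it can be shared with data owners without spreading the secrets it found.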

Our Recommendations 

  • Monitor your organization for third-party breaches. 
  • Conduct security awareness training sessions frequently for employees. 
  • Segment the organization’s ecosystem to obfuscate access to all sensitive resources. 
  • Secure all third-party systems to prevent vulnerable third parties from becoming attack vectors. 
  • Never open untrusted links and suspicious email attachments without first verifying their authenticity.  
  • Backup data on different locations and implement Business Continuity Planning (BCP). 
  • Implement Data Loss Prevention (DLP), Anti-virus, Endpoint Detection and Response (EDR), Security Information and Event Management (SIEM), and other security solutions. 
  • Regularly perform audits and Vulnerability Assessment and Penetration Testing (VAPT) of organizational assets, including networks and software. 
  • Implement a strict Identity and Access Management (IAM) policy. 