ALPHV / Blackcat Exit Scam?

The ALPHV / Blackcat ransomware saga the last 2 weeks has been pretty wild.

Posted by Zara Perumal, March 6, 2024 - 3 min read


What Happened

  1. Late last year, ALPHV / BlackCat targeted MGM along with Scattered Spider.
  2. The FBI seized their servers in December 2023; the group recovered.
  3. February 20th, 2024: LockBit (a separate ransomware group) had its servers seized by the US and UK governments.
  4. February 21st: United Healthcare was ransomed.
  5. Reportedly, UnitedHealth's Change Healthcare paid the $22M ransom.
  6. March 5th: the exit scam begins, with ALPHV posting a federal takedown notice on their site.
  7. Allegedly, the admins stole the ransom from affiliates, offered the source code for sale, and pretended to have been taken down.

Context

Who is ALPHV?

ALPHV, also known as BlackCat or Noberus, is a ransomware strain first detected in November 2021. The operators are a Russian-speaking group running a Ransomware-as-a-Service (RaaS) operation and are related to the BlackMatter and DarkSide groups. ALPHV advertises on dark web forums and private forums such as XSS. And for the engineers: ALPHV was an early malware adopter of Rust.

Context: The Ransomware Landscape

Ransomware gangs have had an exciting few years.

Conti was a notorious and prolific ransomware operator targeting banks, health services and more. During the 2022 Russian invasion of Ukraine, a split within their operation led to a leak of their own internal data, and the group disbanded soon after.

Ransomware has gained traction and proliferated, attacking more and more victims and targeting operations across critical infrastructure, from financial services to healthcare. Governments have been stepping up their response across public safety, preparation and disruption. Most recently, the LockBit takedown (Operation Cronos) was an incredibly coordinated effort by global law enforcement agencies to disrupt the group's servers and operations.

Notably, ransomware groups exist in a volatile ecosystem of code leaks, internal politics and scams; groups can disband and re-form as smaller, less centralized organizations. As global law enforcement agencies demonstrate both the desire and the ability to take down ransomware groups, current operators have an incentive to cash out or exit the ecosystem. However, historical activity suggests that new ransomware strains and group restructuring or re-forming are more likely than a full closure of operations.

What’s next?

We expect the ransomware saga to continue this year with more fireworks. Despite the constant activity, some of the prevention measures remain the same:

  1. Data backups and fine-grained access restrictions: can you mitigate the damage of a leak?
  2. Monitoring the latest tactics and trends, malware variants, targets, and domains.
  3. Red team exercises and tabletop exercises to test your response capabilities at different levels of your organization.

Sources:

  1. VX underground: https://twitter.com/vxunderground/status/1765018555739779527
  2. CISA: https://www.cisa.gov/news-events/alerts/2022/04/22/fbi-releases-iocs-associated-blackcatalphv-ransomware
  3. BlackCat Disruption https://www.wired.com/story/alphv-blackcat-ransomware-doj-takedown/
  4. BlackCat Disruption https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-22nd-2023-blackcat-hacked/
  5. https://krebsonsecurity.com/2024/03/blackcat-ransomware-group-implodes-after-apparent-22m-ransom-payment-by-change-healthcare/
  6. https://www.withsecure.com/en/expertise/blog-posts/2023-ransomware-rookies-are-a-remix-of-conti-and-other-classics
  7. https://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware/
  8. https://www.whitehouse.gov/briefing-room/statements-releases/2023/11/01/fact-sheet-biden-harris-administration-convenes-third-global-gathering-to-counter-ransomware/
  9. https://www.statnews.com/2023/11/17/hospital-ransomware-attack-patient-deaths-study/
  10. https://www.akamai.com/blog/security/learning-from-the-lockbit-takedown
  11. https://twitter.com/fwosar?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor
