#NSBCS.016 - BlackCat ALPHV Ransomware Gang Exit Scam
The BlackCat (ALPHV) Ransomware group, a major threat actor responsible for high-profile attacks and hefty ransom demands, has seemingly ceased operations. The announcement by ALPHV claims permanent closure, citing pressure from law enforcement agencies. On a hacker forum, the ransomware group insinuated that they decided to cease operations because of pressure from federal agencies, but refrained from providing additional information. This announcement raises questions considering the group's recent surge in activity, particularly within the healthcare sector in December 2023. Exit scams are not uncommon in the cybercrime world, where criminals fake their demise to evade further investigation and potentially return under a new alias later. Security experts remain cautious, believing that ALPHV’s disappearance could be a strategic move rather than a permanent one.
The potential consequences of this situation are multifaceted. While ALPHV's supposed shutdown may offer a temporary reprieve, the ransomware landscape is constantly evolving. Other ransomware groups are likely to capitalise on the void left by ALPHV's absence.
Organisations should remain vigilant and prioritise robust cybersecurity measures, including:
1. Multi-Layered Defence Strategy: Implement a defence-in-depth approach with multiple layers of security controls throughout the IT infrastructure.
2. Endpoint Detection and Response (EDR): Deploy EDR tools to continuously monitor and respond to threats. These tools can help trace and mitigate ransomware activities.
3. Network Segmentation and Access Controls: Divide the network into segments to contain and isolate a ransomware infection. Apply the principle of least privilege to limit access rights for users to the minimum necessary to perform their work.
4. Threat Intelligence Platforms: Utilise threat intelligence services to stay abreast of emerging ransomware campaigns and indicators of compromise (IOCs).
By implementing these practices, organisations can significantly bolster their defences against the ever-present threat of ransomware attacks, regardless of the specific group behind them. ALPHV’s situation serves as a reminder for organisations of all sizes to remain prepared amidst evolving cyber threats, and to ensure their company takes #NoStepsBackward!
What we read this week
Hackers impersonate U.S. government agencies in BEC attacks - Hackers tracked as TA4903 are increasingly targeting businesses and individuals with Business Email Compromise (BEC), impersonating legitimate United States (U.S.) government agencies. These scams involve sending emails that appear to be from real organisations like the U.S. Department of Transportation and Department of Agriculture. The threat actors are utilising social engineering to create a sense of urgency or authority, pressuring victims into giving away sensitive information or making fraudulent payments.
Law firm reports data breach affecting more than 325,000 people - U.S. law firm Houser LLP, known for serving high-profile financial institutions, recently disclosed a data breach affecting more than 325,000 individuals. The breach itself was discovered in May 2023, and Houser LLP acknowledges that certain personal information was compromised during a system breach where files were encrypted and stolen from their network. A third-party investigation concluded in January 2024, prompting Houser LLP to notify its clients and offer to mail letters to potentially affected individuals on their clients' behalf.
$100 million a day? Cash flow disruptions roil healthcare industry after cyberattack - The recent cyberattack on Change Healthcare, a major healthcare IT provider, continues to have significant financial repercussions for hospitals and other healthcare organisations across the U.S. The attack targeted Change Healthcare's software used for processing insurance claims, leading to significant disruptions in the ability of healthcare organisations to submit claims and receive reimbursements. While Change Healthcare has rolled out a temporary funding assistance program and a new electronic prescription service, the full scope of the attack and its long-term consequences remain under investigation. Experts estimate that the cyberattack has caused daily cash flow disruptions exceeding $100 million for large healthcare players.
VMware Patches Critical ESXi Sandbox Escape Flaws - VMware recently addressed critical security vulnerabilities tracked as CVE-2024-22252 and CVE-2024-22253, impacting its enterprise virtualisation products, including ESXi, Workstation, and Fusion. The vulnerabilities reside in the Universal Serial Bus (USB) controllers used by these VMware products. Malicious actors with local administrative privileges on a virtual machine could potentially exploit these flaws to execute code as the VM's VMX process running on the host system. This effectively grants attackers elevated privileges within the host environment, potentially compromising other virtual machines and sensitive data stored on the system.
ScreenConnect flaws exploited to drop new ToddlerShark malware - North Korean state-sponsored hacking group Kimsuky is exploiting vulnerabilities in ScreenConnect remote access software to deploy a new malware variant known as ‘ToddlerShark’. The attackers are leveraging two critical vulnerabilities in ScreenConnect, CVE-2024-1708 (path traversal) and CVE-2024-1709 (authentication bypass), to target unpatched ScreenConnect servers and gain unauthorised access to victim networks. The newly deployed malware, ToddlerShark, utilises legitimate Microsoft binaries to minimise detection, modifies system registries to weaken security defences, and establishes persistent access through scheduled tasks, allowing Kimsuky to potentially steal sensitive data over an extended period.
References
https://www.bleepingcomputer.com/news/security/hackers-impersonate-us-government-agencies-in-bec-attacks
https://therecord.media/houser-law-firm-reports-data-breach
https://therecord.media/cash-flow-disruptions-hospitals-change-healthcare
https://www.securityweek.com/vmware-patches-critical-esxi-sandbox-escape-flaws
https://www.bleepingcomputer.com/news/security/screenconnect-flaws-exploited-to-drop-new-toddlershark-malware