It has been two months since the FBI and international law enforcement agencies disrupted some of the operations of the BlackCat ransomware group, but elements of the group have continued their intrusions and are mainly targeting health care organizations.
In a new advisory on the group’s activities, the FBI, the Department of Health and Human Services, and the Cybersecurity and Infrastructure Security Agency warned that BlackCat, also known as ALPHV, is still operating despite the law enforcement disruption and the release of a decryption tool to help victims recover their data. That disruption involved the use of a confidential informant inside the BlackCat operation and allowed law enforcement to gain access to the control panel used by the group’s affiliates and gather nearly 1,000 public/private Tor key pairs that BlackCat affiliates used for leak sites, victim sites, and other sites.
But the disruption didn’t completely stop BlackCat’s operations. Shortly after the law enforcement action, the administrator of the BlackCat ransomware asked affiliates to specifically go after health care organizations.
“Since mid-December 2023, of the nearly 70 leaked victims, the healthcare sector has been the most commonly victimized. This is likely in response to the ALPHV Blackcat administrator’s post encouraging its affiliates to target hospitals after operational action against the group and its infrastructure in early December 2023,” the advisory says.
About a year ago, BlackCat released a new version of the ransomware called Sphynx, which included some new defense-evasion features and the ability to encrypt Windows, Linux, and VMware instances. The group has hit more than 1,000 victims in total, and many of them have been hospitals or other health care organizations. Most recently, BlackCat has claimed responsibility for the intrusion at Change Healthcare this week. That incident is affecting not just Change Healthcare, but also pharmacies that rely on the company’s IT systems to process prescriptions.
BlackCat affiliates use a range of social engineering tactics to gain access to target networks, often posing as IT or help desk staff in order to establish trust with individual victims. The affiliates then typically install a legitimate remote access tool such as AnyDesk on the victim's machine and later use that access for data exfiltration.
“ALPHV Blackcat affiliates claim to use Brute Ratel C4 and Cobalt Strike as beacons to command and control servers. ALPHV Blackcat affiliates use the open source adversary-in-the-middle attack framework Evilginx2, which allows them to obtain multifactor authentication (MFA) credentials, login credentials, and session cookies. The actors also obtain passwords from the domain controller, local network, and deleted backup servers to move laterally throughout the network,” the advisory says.
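The intrusion chain above (a help desk pretext, then a legitimate remote access tool such as AnyDesk) is one that endpoint process-creation telemetry can surface. The following hunt is an added example written for this page, not code from the advisory or from the BlackCat research it summarizes. The events, host names, allowlist and parent-process list are all constructed, and the `--install` flag check assumes the tool's command-line install syntax; adjust both to your own telemetry.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Remote-access tools to hunt for. The advisory names AnyDesk; any other
# entries would be site-specific additions.
REMOTE_ACCESS_TOOLS = {"anydesk.exe"}

# Hypothetical allowlist of hosts where IT staff are permitted to run the tool.
APPROVED_HOSTS = {"it-jump01"}

# Hypothetical set of parents that mean "a user launched this after a
# download or a phone call", as opposed to a software-deployment agent.
USER_DRIVEN_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "outlook.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    image: str          # full path of the created process
    parent_image: str   # full path of the parent process
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name regardless of Windows or POSIX separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def classify(event: ProcessEvent) -> Optional[str]:
    """Return a finding label for a suspicious event, or None if benign."""
    if basename(event.image) not in REMOTE_ACCESS_TOOLS:
        return None
    if event.host.lower() in APPROVED_HOSTS:
        return None
    # Assumed install syntax: a persistent install is worse than a one-off run.
    if "--install" in event.command_line.lower():
        return "rat-persistent-install"
    if basename(event.parent_image) in USER_DRIVEN_PARENTS:
        return "rat-user-launched"
    return "rat-unapproved-host"


def hunt(events: List[ProcessEvent]) -> List[Tuple[str, str, str]]:
    """Return (host, user, label) for every event that classify() flags."""
    return [(e.host, e.user, label) for e in events if (label := classify(e))]


# Constructed sample telemetry; none of these are real hosts or users.
SAMPLE_EVENTS = [
    ProcessEvent("IT-JUMP01", "CORP\\helpdesk1",
                 r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
                 r"C:\Windows\explorer.exe", "AnyDesk.exe"),
    ProcessEvent("WS-NURSE07", "CORP\\jsmith",
                 r"C:\Users\jsmith\Downloads\AnyDesk.exe",
                 r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 "AnyDesk.exe"),
    ProcessEvent("WS-NURSE07", "CORP\\jsmith",
                 r"C:\Users\jsmith\Downloads\AnyDesk.exe",
                 r"C:\Users\jsmith\Downloads\AnyDesk.exe",
                 r'AnyDesk.exe --install "C:\Program Files (x86)\AnyDesk" --start-with-win --silent'),
    ProcessEvent("WS-BILLING02", "CORP\\svc-deploy",
                 r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
                 r"C:\Windows\System32\services.exe", "AnyDesk.exe --service"),
    ProcessEvent("WS-BILLING02", "CORP\\mlee",
                 r"C:\Windows\System32\notepad.exe",
                 r"C:\Windows\explorer.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(*finding)
```

The three findings the sample produces are the ones worth a call to the user: a browser-launched copy from a Downloads folder, a persistent install on the same workstation a few minutes later, and a service-context run on a host that was never approved for the tool. The allowlist is what keeps this from paging on every legitimate IT session, so it has to be maintained alongside the help desk's own inventory of approved tools.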
The continued operation of some BlackCat affiliates after the law enforcement action highlights the difficulty of completely taking a ransomware-as-a-service operation off the board. There have been many actions by law enforcement against ransomware groups over the years, including Hive, RagnarLocker, and most recently, LockBit. A coalition of international law enforcement agencies targeted the LockBit operation last week, taking down the group's infrastructure, indicting two alleged LockBit operators, and freezing hundreds of cryptocurrency wallets. But within days, some LockBit affiliates were boasting of new intrusions, although some of those claimed victims may have been compromised before the disruption and only leaked publicly afterward.