
ALPHV Ransomware

The ALPHV Ransomware appears to be among the most sophisticated threats of its type, and so is the threatening operation responsible for releasing it. This particular ransomware threat was discovered by infosec researchers, who also track it under the BlackCat name. The threat is highly customizable, allowing even cybercriminals who are not particularly tech-savvy to adjust its features and launch attacks against a large set of platforms.

ALPHV’s Operation

The ALPHV Ransomware is being promoted by its creators on Russian-speaking hacker forums. The threat appears to be offered under a RaaS (Ransomware-as-a-Service) scheme, with the operators of the malware looking to recruit willing affiliates who will perform the actual attacks and network breaches. Afterward, the ransom payments received from the victims are split between the involved parties.

The percentage taken by the ALPHV creators depends on the size of the ransom. For ransom payments of up to $1.5 million, they keep 20% of the funds, while for payments between $1.5 and $3 million they take a 15% cut. If the affiliates manage to receive a ransom of more than $3 million, they are allowed to keep 90% of the money.

The attack campaign is believed to have been active since at least November 2021. So far, victims of the ALPHV Ransomware have been identified in the USA, Australia and India.

Technical Details

The ALPHV Ransomware is written in the Rust programming language. Rust is not a common choice among malware developers but is gaining traction due to its characteristics. The threat features a robust set of intrusive functionalities. It is capable of performing 4 different encryption routines, chosen according to the preferences of the attackers, and it uses 2 different cryptographic algorithms, ChaCha20 and AES. The ransomware scans for virtual environments and attempts to kill them. It also automatically wipes any ESXi snapshots to prevent recovery.

To inflict as much damage as possible, ALPHV can kill the processes of running applications that could interfere with its encryption, for example by keeping a targeted file open. The threat can terminate the processes of Veeam, backup software products, Microsoft Exchange, MS Office, mail clients, the popular video game store Steam, database servers, etc. Furthermore, the ALPHV Ransomware deletes the Shadow Volume Copies of the victim's files, empties the Recycle Bin, scans for other network devices, and attempts to connect to a Microsoft cluster.

If configured with the appropriate domain credentials, ALPHV can even spread itself to other devices connected to the breached network. The threat extracts PSExec to the %Temp% folder and then copies the payload to the other devices. All the while, the attackers can monitor the progress of the infection via a console-based user interface.

The Ransom Note and Demands

Affiliates can modify the threat according to their preferences. They can customize the file extension used, the ransom note, the way the victim's data is encrypted, which folders or file extensions are excluded, and more. The ransom note itself is delivered as a text file whose name follows the pattern 'RECOVER-[extension]-FILES.txt'. The ransom notes are tailored to each victim. So far, victims have been instructed that they can pay the hackers using either the Bitcoin or Monero cryptocurrencies. However, for Bitcoin payments, the hackers add a 15% tax.

Some ransom notes also include links to a dedicated TOR leak site and another for contact with the attackers. Indeed, ALPHV uses multiple extortion tactics to get its victims to pay, with the cybercriminals collecting important files from the infected devices before encrypting the data stored there. If their demands are not met, the hackers threaten to publish the information. Victims are also warned that they will be subjected to DDoS attacks if they refuse to pay.

To keep the negotiations with the victims private and prevent cybersecurity experts from snooping around, the ALPHV operators have implemented a --access-token=[access_token] command-line argument. The token is used in the creation of an access key necessary to enter the negotiation chat function on the hackers' TOR website.
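Three of the behaviours described above (PSExec dropped into %Temp% before lateral spread, the 'RECOVER-[extension]-FILES.txt' note name, and the --access-token command-line argument) translate directly into triage checks a responder can run over process telemetry and a directory listing. The following Python is an added example, not code from the original write-up or from the malware itself; the record layout (host, image path, command line), the hostnames, the file names and the two %Temp% path forms are constructed assumptions.

```python
import re

# Note-name pattern from the write-up: RECOVER-[extension]-FILES.txt
RANSOM_NOTE_RE = re.compile(r"^RECOVER-(?P<ext>[A-Za-z0-9]+)-FILES\.txt$", re.IGNORECASE)
# Affiliate-specific switch described in the write-up; only its presence matters here
ACCESS_TOKEN_RE = re.compile(r"--access-token=\S+")
# PSExec written under %Temp% before lateral spread; both path forms are assumptions
TEMP_PSEXEC_RE = re.compile(
    r"\\(?:Temp|AppData\\Local\\Temp)\\[^\\]*psexec[^\\]*\.exe$", re.IGNORECASE)


def ransom_note_extension(filename):
    """Return the victim-specific extension encoded in a note name, else None."""
    m = RANSOM_NOTE_RE.match(filename)
    return m.group("ext") if m else None


def encrypted_file_candidates(filenames):
    """Use any ransom note present to find files carrying the same extension."""
    exts = {e.lower() for e in map(ransom_note_extension, filenames) if e}
    return sorted(f for f in filenames
                  if any(f.lower().endswith("." + e) for e in exts))


def triage_process_events(events):
    """Tag (host, image_path, command_line) records with matching indicators."""
    findings = []
    for host, image, cmdline in events:
        tags = []
        if ACCESS_TOKEN_RE.search(cmdline):
            tags.append("alphv-access-token-arg")
        if TEMP_PSEXEC_RE.search(image):
            tags.append("psexec-in-temp")
        if tags:
            findings.append((host, tags))
    return findings


# Constructed sample telemetry and directory listing (not real victim data)
SAMPLE_EVENTS = [
    ("ws01", r"C:\Users\alice\Downloads\update.exe",
     "update.exe --access-token=EXAMPLE_TOKEN"),
    ("ws01", r"C:\Windows\Temp\psexec.exe", "psexec.exe"),
    ("ws02", r"C:\Windows\System32\notepad.exe", "notepad.exe readme.txt"),
]
SAMPLE_FILES = ["RECOVER-abcd1-FILES.txt", "report.docx.abcd1", "RECOVER-FILES.txt"]

if __name__ == "__main__":
    print(triage_process_events(SAMPLE_EVENTS))
    print(encrypted_file_candidates(SAMPLE_FILES))
```

The extension recovered from the note name is what lets a responder count affected files without opening any of them.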

The ALPHV Ransomware is an extremely harmful threat with highly sophisticated features and the ability to infect multiple operating systems. It can be executed on Windows 7 and higher, ESXi, Debian, Ubuntu, ReadyNAS and Synology.
