ALPHV Ransomware

ALPHV Ransomware Overview

ALPHV ransomware (also known as BlackCat) is run as a ransomware-as-a-service operation by a financially motivated group, first observed in late 2021, with affiliates carrying out the intrusions. The operation employs the double-extortion technique: data is stolen before it is encrypted, and the threat of leaking that data is used to persuade victims to pay. Victims have spanned manufacturing, finance, healthcare, law and media. The group has extracted large ransom payments, with a reported average of US$1.7 million. ALPHV is therefore currently one of the leading ransomware operations, and it is highly likely that its activity will continue.

FIN8, one of the actors that has deployed ALPHV, has been observed using different versions of the Sardonic backdoor to stage the ransomware. Sardonic is a capable backdoor that can collect and exfiltrate system information, execute commands, and load and execute additional payloads. FIN8 has previously been associated with other ransomware families, including Ragnar Locker and White Rabbit. Separately, ALPHV has been distributed through malvertising campaigns that lure users into downloading rogue installers of legitimate applications, such as WinSCP.
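The rogue-installer lure above works because a user downloads a file from a malvertising redirect and runs it without checking where it came from. The following PowerShell function is an added example (it is not part of the original report and not an ALPHV or FIN8 artefact) of the provenance check a Windows administrator can apply to a downloaded installer before allowing it to run: the Authenticode signature must be valid, the signer must match the publisher you expect, and the file hash may be compared against one copied from the vendor's own download page. The expected publisher string and hash are placeholders you supply from a known-good copy.

```powershell
# Added example: verify the provenance of a downloaded installer before running it.
# Cmdlets used (Get-AuthenticodeSignature, Get-FileHash) ship with Windows PowerShell 5.1 and PowerShell 7.
function Test-InstallerProvenance {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Substring of the signer certificate Subject you expect, taken from a known-good
        # copy of the installer (assumption: you have recorded it beforehand).
        [Parameter(Mandatory)] [string] $ExpectedPublisher,
        # Optional SHA-256 published by the vendor; compared when supplied.
        [string] $ExpectedSha256
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        Path           = $Path
        SignatureState = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer         = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Sha256         = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        Trusted        = $false
        Reasons        = @()
    }

    if ($sig.Status -ne 'Valid') {
        $result.Reasons += "signature status is $($sig.Status)"
    }
    # A valid signature from the wrong publisher is exactly what a trojanised installer can look
    # like: certificates can be bought or stolen, so the signer identity matters, not just validity.
    if ($result.Signer -notlike "*$ExpectedPublisher*") {
        $result.Reasons += "signer '$($result.Signer)' does not match expected publisher '$ExpectedPublisher'"
    }
    if ($ExpectedSha256 -and $result.Sha256 -ne $ExpectedSha256.ToUpperInvariant()) {
        $result.Reasons += "SHA-256 does not match the vendor-published hash"
    }

    $result.Trusted = ($result.Reasons.Count -eq 0)
    [pscustomobject]$result
}

# Usage (placeholder publisher; replace with the value recorded from a known-good installer):
# Test-InstallerProvenance -Path "$env:USERPROFILE\Downloads\WinSCP-Setup.exe" `
#     -ExpectedPublisher '<vendor name from a known-good copy>'
# Quarantine and report any file that comes back with Trusted = False.
```

The check deliberately treats "signed but by someone else" as a failure rather than a warning, since that is the case a plain signature-validity check would wave through. It does not replace controlling where installers are downloaded from (allow-listed vendor domains, a software catalogue) but gives a quick triage step when a user has already fetched a file from a search-engine advert.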

In July 2023 it was reported that FIN8, a financially motivated group active since at least 2016, had deployed ALPHV ransomware in an attack campaign via an updated version of the Sardonic backdoor.

Impact

A successful ALPHV intrusion will almost certainly result in the exfiltration of significant quantities of data from the compromised environment, followed by its encryption and a ransom demand. The amount demanded will almost certainly depend on the estimated value of the compromised organisation. Beyond operational disruption, the exposure of stolen data will also cause the organisation reputational damage. Exfiltrated data may include personal customer data, corporate financial records and system credentials which, if leaked or sold, can assist threat actors in future attacks.