BlackCat (aka ALPHV) Ransomware is Increasing Stakes up to $2,5M in Demands

BlackCat (aka ALPHV) Ransomware gang introduced an advanced search by stolen victim’s passwords, and confidential documents.

The notorious cybercriminal syndicate BlackCat competes with Conti and Lockbit 3.0. They introduced an advanced search by stolen victim’s passwords, and confidential documents leaked in the TOR network

Resecurity (USA), a Los Angeles-based cybersecurity company protecting Fortune 500 companies, has detected a significant increase in the value of ransom demand requests by the notorious Blackcat ransomware gang. According to experts, the notorious cybercriminal syndicate actively competes with Conti and the updated Lockbit 3.0, and recently introduced a search by stolen victim’s passwords, and confidential documents leaked in the TOR network.

Based on the observed recently compromised victims based in the Nordics region (which haven’t been disclosed by the group yet) the amount to be paid exceeds $2 million. One of the tactics used offers close to 50% discount to the victim in the case they are willing to pay – several ransom demands valued at $14 million were decreased to $7 million, but such amounts are still complicated for enterprises facing cybersecurity incidents. The most common ransom demand practiced by BlackCat jumped up to $2.5 million and it seems its trajectory will only grow.

The average ransomware payment climbed 82% since 2020 to a record high of $570,000 in the first half of 2021, and then by 2022 it almost doubled. The latest forecast is for global ransomware extortion activity to reach $265 billion by 2031, with total damages for businesses valued at $10,5 trillion globally. These metrics indicate ransomware to be the worlds largest “shadow economy”, generating expense damages more than natural disasters.

BlackCat has been operating since at least November 2021, and launched major attacks in January to disrupt OilTanking GmbH, a German fuel company, and in February 2022, the attack on an aviation company, Swissport. The group is targeting high-profile businesses in critical industries including energy, financial institutions, legal services, and technology.

Blackcat ransomware is one of the fastest-growing Ransomware-as-a-Service (RaaS) underground groups practicing so called “quadruple extortion” by pressing victims to pay – leveraging encryption, data theft, denial of service (DoS) and harassment.

The BlackCat is also known as “ALPHV”, or “AlphaVM” and “AphaV”, a ransomware family created in the Rust programming language. The group’s leader with identical alias in communications on Dark Web forums outlined Rust as one of the competitive advantages of their locker compared to Lockbit and Conti. Despite the fact Blackcat and Alpha have completely different URLs in TOR Network, the scripting scenarios used on their pages are identical, and likely developed by the same actors. Both projects are using an advanced set of JS-based obfuscation to protect the page from analysis managed by 3 scripts written in the same way. 

The group was the pioneer of search in the indexed stolen data – allowing customers and employees of the affected companies to check exposed data.

Such approach is used as one of the catalysts for further class-action lawsuits which could be filed by unhappy individuals who will see their data or communications affected due to lack of information security caused by data breaches. In a recent post from 10 Jul 2022, 15:35 pm in Dark Web, “ALPHV” introduced search not only by text signatures, but also supporting tags for search of passwords and compromised PII. It seems that some of the stolen files are still under indexing, but majority is already available for quick navigation. There were over 2,270 indexed documents identified containing access credentials and password information in plaintext, and over 100,000 documents containing confidential marking, including indexed e-mail communications and sensitive attachments.

ALPHV seems to be significantly competing with Lockbit 3.0 and Conti – another actively developing ransomware syndicates who called ALPHV “scammers”. Likely, the statement is related to some conflict and issues between affiliates and team members who could be associated with both projects at different stages. 

ALPHV has been associated with two other ransomware groups: DarkSide and BlackMatter. Design overlaps between ALPHV and DarkSide have prompted rumors that ALPHV was a rebrand of DarkSide. On underground cybercriminal forums, the representative of the “LockBit” ransomware also initiated threads stating that ALPHV was a rebrand of DarkSide and BlackMatter RaaS programs. While ALPHV denied being a rebrand of DarkSide or BlackMatter, developers and money launderers from ALPHV are linked to DarkSide/BlackMatter, according to the FBI. Therefore, while ALPHV may not be a rebrand, it is likely that the group recruited many members from these now inactive ransomware gangs.

Today the group published new victims – “COUNT+CARE” Gmbh (an information technology and services company from Germany), following Dusit D2 Kenz Hotel in Dubai, Sinclair Wilson (an accounting and wealth management services firm from Australia) and Adler Display out of Baltimore, Maryland.

Additional info is available in the post published by Resecurity on its blog:

https://resecurity.com/blog/article/blackcat-aka-alphv-ransomware-is-increasing-stakes-up-to-25m-in-demands

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, BlackCat)

[adrotate banner=”5″]

[adrotate banner=”13″]