Two hacker groups are back in the news, LockBit 3.0 Black and BlackCat/AlphV

Researchers from cybersecurity firm TG Soft are warning Italian entities and companies of LockBit 3.0 Black and BlackCat/AlphV attacks.

In the last few weeks, two cybercriminal groups that have also targeted Italian entities and businesses, are back in the news; they are LockBit 3.0 Black and BlackCat/AlphV, which had already been reported by the media in the first decade of last July.
Like all ransomware, this is a type of malware that, once introduced into an organization, encrypts the data and then requires the victim to pay a ransom in order to decrypt it.

TG Soft ‘s CRAM researchers had the chance to test their Heuristic Behavioral technologies to combat even the variants of this family type of Ransomware attacks. These technologies, made available since 2015, proved to be effective and efficient in blocking the cyber attack, started in any mode, automatically within 100 milliseconds {1 tenth of a second => a blink of an eye} from the start of the encryption process.

LockBit 3.0 Black

The LockBit 3.0 Black attack analyzed by TG Soft‘s CRAM researchers, showed that access by cyber criminals was via exposed RDP.
As already reported in the Ransomware attack information via RDP access violation, drafted in 2017 and re-proposed in 2019, WE STRONGLY ADVISE EVERYONE AGAINST making accesses available via RDP because it is, even today, a potential access gatway to PCs/Servers for ” bad actors.”

The analyzed attack spread the ransomware Lockbit 3.0 aka LockBit Black {28/10}, as highlighted in the side image and the {02/11} the Makop… both were blocked in the initial phase of the attack, by Vir.IT’s AntiRansomware eXplorer PRO system.
Contact with cyber criminals is made via chat from the URLs given in the ransomware instructions.
Attack result…

The tandem of ransomware used in this case – Lockbit + Makop – was effectively blocked in the initial phase of the attack by the Heuristic-Behavioral technologies built into TG Soft’s solution.

BlackCat / AlphV

Another threat around is the BlackCat/AlphV group.

Below is some payload info from TG Soft’s CRAM Analysts on BlackCat / ALPHV Ransomware.
Encrypted file structure ransomware  BlackCat / ALPHV:

[ORIGINAL_FILENAME].[ORIGINAL_extension].specific/different for each affected company

We highlight that this ransomware uses a different extension for each affected Company/Entity.

Ransom instructions are released within each folder where the ransomware has encrypted files. The ransomware file is released in text format with the structure:


From the attack we simulated in our real infrastructure with a sample retrieved from an actual attack, the heuristic-behavioral protection of Vir.IT eXplorer PRO AntiRansomware Protection CryptoMalware, intervened in the range of 100 milliseconds {1/10th of a second} from the start of the encryption process. The few files encrypted in the initial phase of the attack can be recovered/restored through the RECOVERY & RESTORE tools of Vir.IT eXplorer PRO: BackupOnTheFLY and/or Vir.IT Backup!

The computer where the malicious process was initiated, simulating a HumanOperatedRansomware Attack, was automatically isolated from the rest of the network so that the ransomware attack could not propagate to the entire infrastructure, thus ensuring BusinessContinuity.
Obviously, as with any other software, its effectiveness and efficiency is subject to the 4 rules of good use:

  1. Correctly INSTALLED on ALL PCs as well as on Server(s) even if they are not used for WEB browsing;
  2. Correctly CONFIGURED;
  3. Correctly UPDATED;
  4. and properly USED…

More info on TG Soft’s Heuristic Behavioral technologies take a look at:

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Lockbit)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Ivanti fixed two critical flaws in its Avalanche MDM

Ivanti addressed two critical vulnerabilities in its Avalanche mobile device management (MDM) solution, that can…

3 hours ago

Researchers released exploit code for actively exploited Palo Alto PAN-OS bug

Researchers released an exploit code for the actively exploited vulnerability CVE-2024-3400 in Palo Alto Networks'…

8 hours ago

Cisco warns of large-scale brute-force attacks against VPN and SSH services

Cisco Talos warns of large-scale brute-force attacks against a variety of targets, including VPN services,…

8 hours ago

PuTTY SSH Client flaw allows of private keys recovery

The PuTTY Secure Shell (SSH) and Telnet client are impacted by a critical vulnerability that could…

18 hours ago

A renewed espionage campaign targets South Asia with iOS spyware LightSpy

Researchers warn of a renewed cyber espionage campaign targeting users in South Asia with the…

24 hours ago

Misinformation and hacktivist campaigns targeting the Philippines skyrocket

Amidst rising tensions with China in the SCS, Resecurity observed a spike in malicious cyber…

1 day ago

This website uses cookies.