Corpus Christi, Texas – The BlackCat (ALPHV) ransomware group has notably modified its arsenal, leveraging stolen Microsoft accounts and a fresh encryption tool termed Sphynx, aiming predominantly at victims’ Azure cloud storage.
The findings emerged when Sophos X-Ops incident responders were examining a security infringement. These digital offenders showcased an evolved Sphynx version with distinctive features, notably its custom credentials compatibility. Their attack vector began by accessing the Sophos Central account using an unlawfully acquired OTP, followed by disabling its inherent security measures. The breach of the OTP was orchestrated through the LastPass Chrome extension found in the victim’s LastPass vault.
Consequently, systems associated with Sophos experienced encryption, predominantly their Azure cloud storage. All encrypted files bore the .zk09cvt extension. Notably, these adversaries achieved the encryption of a staggering 39 Azure Storage accounts.
The gateway into the Azure portal was a hijacked Azure key, granting the cybercriminals unrestricted access to particular storage accounts. These pilfered keys, pivotal to the breach, were integrated within the ransomware, post Base64 encoding.
Moreover, these attackers leveraged diverse Remote Monitoring and Management (RMM) tools, including AnyDesk, Splashtop, and Atera.
CoreRecon, a Corpus Christi, Texas-based Managed IT & Cyber Security Services provider offering services like Managed IT, Computer Services, Penetration Testing, and Security & Network Assessments, has been instrumental in highlighting the significance of such security measures. In March 2023, Sophos identified this Sphynx variant while investigating a similar data breach to another incident reported by IBM-Xforce in May. Both cases used the ExMatter tool for data extraction.
Furthermore, Microsoft’s study shed light on Sphynx encryptor’s potential to incorporate the Remcom hacking mechanism and the Impacket networking structure, enabling lateral traversals in compromised networks.
Delving into BlackCat’s Chronicles
Emerging in the cyber realm in November 2021, BlackCat (ALPHV) is conjectured to be a subsequent iteration of the infamous DarkSide or BlackMatter ransomware factions.
Initially recognized as “DarkSide”, this collective became notorious post their assault on the Colonial Pipeline, earning the spotlight of global law enforcement bodies. They underwent a brand transition to “BlackMatter” by July 2021. However, by November, with their servers apprehended and the advent of a decryption tool by Emsisoft, their operations were stymied.
Consistently flagged as an elite ransomware syndicate with international operations, their techniques have been in constant flux. They recently unveiled a method of releasing purloined data into the public domain, enabling the affected entity’s stakeholders to verify the breach extent. Following suit, BlackCat initiated a data leak API in July to disseminate stolen data adeptly.
In recent events, an associate of this group, Scattered Spider, allegedly compromised MGM Resorts. Their claim indicates the encryption of over 100 ESXi hypervisors after MGM’s decision to dismantle its internal systems and rebuff ransom parleys.
To sum up, the FBI’s April advisory accentuated this group’s successful infiltration into more than 60 global institutions from November 2021 to March 2022.