BlackCat Ransomware Hits Azure Storage with Sphynx Encryptor

Cyber Security Threat Summary:
The BlackCat (ALPHV) ransomware gang now uses stolen Microsoft accounts and the recently spotted Sphynx encryptor to encrypt targets' Azure cloud storage. While investigating a recent breach, Sophos X-Ops incident responders discovered that the attackers used a new Sphynx variant with added support for using custom credentials. After gaining access to the Sophos Central account using a stolen One-Time Password (OTP), they disabled Tamper Protection and modified the security policies. These actions were possible after stealing the OTP from the victim's LastPass vault using the LastPass Chrome extension” (Bleeping Computer, 2023).

The ransomware actors were able to encrypt the customer’s systems and remote Azure Cloud storage systems. The files were appended with an extension “.zk09cvt” and 39 Azure Storage accounts were successfully encrypted. The victim’s Azure portal was infiltrated using a stolen Azure key that provided them access to the targeted storage accounts. The keys were injected within the ransomware binary after being encoded in Base64. The attackers also used various Remote Monitoring and Management (RMM) tools including AnyDesk, Splashtop, and Atera.

Security Officer Comments:
The Sphynx variant was discovered back in March of 2023, during an investigation into a data breach. Microsoft also found a Sphynx variant embedded in the Remcom hacking tool, and the Impacket networking framework, which was used for lateral movement across compromised networks.

BlackCat/ALPHV emerged in November of 2021, and has been one of the more prominent ransomware groups. The group is suspected of being a rebrand of the DarkSide/BlackMatter group. DarkSide was the group behind the Colonial Pipeline breach, which drew immediate heat from international law enforcement agencies. Although the group rebranded as BlackMatter in July 2021, operations were abruptly halted in November when authorities seized their servers and security firm Emsisoft developed a decryption tool exploiting a vulnerability in the ransomware.

Based on our metrics, BlackCat is consistently in the top five ransomware groups in terms of victim volume. They are a sophisticated and high-profile group, that targets organizations globally. The groups constantly updates it’s tactics and techniques to adapt to changing security defenses. Most recently, the group began leveraging a dedicated clear web website to leak stolen data from victims. This clear web posting is intended to add additional pressure on victims to meet their ransom demands. In July of this year, the group also introduced a data leak API which helps to more quickly shame their victims.

“This week, one of the gang's affiliates gang (tracked as Scattered Spider) claimed the attack on MGM Resorts, saying they encrypted over 100 ESXi hypervisors after the company took down its internal infrastructure and refused to negotiate a ransom payment. Last April, the FBI issued a warning highlighting that the group was behind the successful breaches of more than 60 entities worldwide between November 2021 and March 2022” (Bleeping Computer, 2023).

Suggested Correction(s):
Backup your data, system images, and configurations, regularly test them, and keep the backups offline: Ensure that backups are regularly tested and that they are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current backups offline is critical because if your network data is encrypted with ransomware, your organization can restore systems.

Update and patch systems promptly: This includes maintaining the security of operating systems, applications, and firmware in a timely manner. Consider using a centralized patch management system; use a risk- based assessment strategy to drive your patch management program.

Test your incident response plan: There's nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?

Check Your Security Team's Work: Use a 3rd party pen tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.

Segment your networks: There's been a recent shift in ransomware attacks – from stealing data to disrupting operations. It's critically important that your corporate business functions and manufacturing/production operations are separated and that you carefully filter and limit internet access to operational networks, identify links between these networks and develop workarounds or manual controls to ensure ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety critical functions can be maintained during a cyber incident.

Train employees: Email remains the most vulnerable attack vector for organizations. Users should be trained how to avoid and spot phishing emails. Multi Factor authentication can help prevent malicious access to sensitive services.