Response to CISA Advisory (AA23-353A): #StopRansomware: ALPHV BlackCat

AttackIQ has released a new attack graph in response to the recently published CISA Advisory (AA23-353A) which disseminates Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs) associated with the ALPHV BlackCat Ransomware-as-a-Service (RaaS) identified through FBI investigations as recently as December 6, 2023. Read More

On December 19, 2023, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a join Cybersecurity Advisory (CSA) that disseminates Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs) associated with the ALPHV BlackCat Ransomware-as-a-Service (RaaS) identified through FBI investigations as recently as December 6, 2023.

This joint CSA is a continuation of CISA’s ongoing #StopRansomware effort to arm defenders with the intelligence they need to combat different ransomware variants and ransomware threat actors.

BlackCat, also known as ALPHV and AlphaVM, is a Rust-based ransomware family operated under the Ransomware-as-a-Service (RaaS) business model, first identified in November 2021. Since Rust is a cross-platform language, BlackCat customers can easily customize their payloads to target a wide range of enterprise environments.

According to a Federal Bureau of Investigation (FBI) advisory published on April 19, 2022, BlackCat operators have links to two defunct RaaS groups, DarkSide and BlackMatter.

Since its discovery, BlackCat ransomware has frequently made the headlines for its successive attacks on high-profile targets. According to the FBI, as of September 2023, Blackcat affiliates have compromised over 1000 entities, 75 percent of which are in the United States, and received nearly $300 million in ransom payments.

In February 2023, BlackCat administrators announced the Blackcat Ransomware 2.0 Sphynx update, which was rewritten to provide additional features to affiliates, such as better defense evasion and additional tooling. This update can encrypt both Windows and Linux devices and VMWare instances.

AttackIQ has released a new attack graph that emulates the behaviors exhibited by the BlackCat ransomware during its latest activities with the aim of helping customers validate their security controls and their ability to defend against this relentless threat.

Validating your security program performance against these behaviors is vital in reducing risk. By using this new assessment template in the AttackIQ Security Optimization Platform, security teams will be able to:

  • Evaluate security control performance against behaviors observed during multiple activities carried out by BlackCat operators.
  • Assess their security posture against an opportunistic adversary, which does not discriminate when it comes to selecting its targets.
  • Continuously validate detection and prevention pipelines against a playbook similar to those of many of the groups currently focused on ransomware activities.

[CISA AA23-353A] #StopRansomware: ALPHV BlackCat

Attack Graph: AA23-353A - FullClick for Larger

This attack graph emulates the different Tactics, Techniques, and Procedures (TTPs) observed in multiple activities associated with BlackCat Ransomware.

This emulation is based on the Cybersecurity Advisory (CSA) released by CISA and supported by a report published by Trend Micro on October 27, 2022, and updated on September 15, 2023.

Attack Graph: AA23-353A - Stage 1Click for Larger

This emulation begins immediately after the initial engagement, by executing the stage focused on the discovery of information related to the local environment and the network that the compromised system is part of.

During this stage, the adversary will seek to obtain information about available system accounts, permission groups, files and directories, active processes, network configuration, active connections, and remote systems.

Account Discovery (T1087): This scenario enumerates accounts available on the system through Windows Management Instrumentation (WMI).

Permission Groups Discovery: Local Groups (T1069.001): This scenario executes net localgroup and net group /domain to enumerate local system groups.

Native API (T1106): This scenario collects the User Security Identifier (SID) via the LookupAccountNameW Windows API call.

File and Directory Discovery (T1083): This scenario uses the native dir command to find files of interest and output to a temporary file.

Process Discovery (T1057): Running processes are listed through Windows Management Instrumentation (WMI).

System Network Configuration Discovery (T1016): Native Window’s commands like route, ipconfig, and net use are executed to collect details about the infected host and network shares.

System Network Connections Discovery (T1049): The native Windows command line tool netstat is used to collect active connections and any listening services running on the host.

Remote System Discovery (T1018): This scenario will leverage the Adfind utility to collect information related to the Active Directory.

Network Share Discovery (T1135): This scenario will discover network shares through the NetShareEnum API call.

Attack Graph: AA23-353A - Stage 2Click for Larger

This stage focuses on acquiring credentials to perform lateral movement to additional systems on the network. To do so, the adversary performs the dumping of the Local Security Authority Subsystem Service (LSASS) process and uses the Mimikatz tool to obtain additional credentials.

Subsequently, the adversary utilizes the BITSAdmin utility to download and transfer additional payloads to remote systems. Finally, it will use the Remote Desktop Protocol (RDP) to move laterally to these systems.

OS Credential Dumping: LSASS Memory (T1003.001): LSASS memory is dumped to disk by creating a minidump of the lsass process. This process is used for enforcing security policy on the system and contains many privileged tokens and accounts that are targeted by threat actors.

OS Credential Dumping (T1003): This scenario uses an obfuscated version of Mimikatz to dump credentials on Windows hosts.

BITS Jobs (T1197): Background Intelligent Transfer Service (BITS) is a native mechanism used by legitimate applications to use a system’s idle bandwidth to retrieve files without disrupting other applications. Commands are executed using bitsadmin to create a BITS job and configure it to download a remote payload.

Remote System Discovery (T1018): Nmap is used to scan the local network searching for any remotely accessible systems.

Remote Services: Remote Desktop Protocol (T1021.001): Remote Desktop is the built-in remote access utility used by Windows. This scenario attempts to remotely connect to another accessible asset with stolen credentials.

Attack Graph: AA23-353A - Stage 3Click for Larger

During this stage, the adversary will seek to establish communications between the compromised system and its infrastructure. To do so, it will deploy a Cobalt Strike Beacon which, in case of failure, will be replaced by SystemBC, also known as Coroxy.

Finally, the BlackCat ransomware will be deployed and executed by injecting code into a running process.

Ingress Tool Transfer (T1105): This scenario downloads to memory and saves to disk in independent scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.

Process Injection (T1055): This scenario injects a DLL file into another running process and validates if a canary file can be created.

Attack Graph: AA23-353A - Stage 4Click for Larger

In the last stage, BlackCat will seek to obtain the Windows Universally Unique Identifier (UUID) through Windows Management Instrumentation (WMI), enable remote Symlinks, delete Volume Shadow Copies (VSC), clear the Windows Event Log, and perform file collection and encryption.

Windows Management Instrumentation (WMI) (T1047): WMI is a native Windows administration feature that provides a method for accessing Windows system components. This scenario will collect the Windows Universally Unique Identifier (UUID) by executing the csproduct get UUID command.

Modify Registry (T1112): The HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\ MaxMpxCt registry value is modified to change the number of network requests that the Server Service can perform.

Inhibit System Recovery (T1490): This scenario uses vssadmin.exe and WMI Objects to delete a recent Volume Shadow Copy created by the emulation.

Indicator Removal: Clear Windows Event Logs (T1070.001): The scenario will use the wevtutil.exe binary to clear event logs from the system.

Data Encrypted for Impact (T1486): This scenario performs the file encryption routines used by common ransomware families. Files matching an extension list are identified and encrypted in place using the same encryption algorithms observed in BlackCat ransomware.

Detection and Mitigation Opportunities

Given the number of different techniques being utilized by this threat, it can be difficult to know which to prioritize for prevention and detection opportunities. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.

1. Review CISA’s Patching and Detection Recommendations:

CISA has provided a significant number of recommendations for the best ways to defend yourself from these and similar attacks. AttackIQ strongly recommends reviewing the detection and mitigation recommendations to adapt them to your environment first to determine if you have any existing impact before reviewing the assessment results.

2. Process Injection (T1055):

Malware will commonly inject malicious code into legitimate running processes to attempt to blend in with legitimate applications to remain hidden and appear normal to the compromised system.

2a. Detection

Searching for common processes that are performing uncommon actions can help identify when a process has been compromised.

2b. Mitigation

MITRE ATT&CK recommends the following mitigation recommendations:

3. Inhibit System Recovery (T1490):

Adversaries often delete Volume Shadow Copies to prevent the possibility of restoring files back to their original state. This is a common technique used by ransomware as it prevents the recovery of files once the ransomware encryption routine successfully completes execution.

3a. Detection

Detecting deletion of Volume Shadow Copies is usually the first step that occurs and can be detected by looking at the command line activity

Process Name == (cmd.exe OR powershell.exe)
Command Line CONTAINS (“vssadmin” AND “Delete Shadows”)

3b. Mitigation

MITRE ATT&CK has the following mitigation recommendations for Inhibit System Recovery

Wrap-up

In summary, this attack graph will evaluate security and incident response processes and support the improvement of your security control posture against the recent activities carried out by BlackCat ransomware operators. With data generated from continuous testing and use of this assessment template, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a known and dangerous threat.

AttackIQ stands at the ready to help security teams implement this assessment template and other aspects of the AttackIQ Security Optimization Platform, including through our fully managed service, AttackIQ Ready!, and our co-managed security service, AttackIQ Enterprise.