The Federal Bureau of Investigation (FBI) is asking for information to support its investigation into ransomware as a service (RaaS) criminal group known as BlackCat/ALPHV.
In a FLASH alert issued Tuesday, the FBI said it “is seeking any information that can be shared, to include IP logs showing callbacks from foreign IP addresses, Bitcoin or Monero addresses and transaction IDs, communications with the threat actors, the decryptor file, and/or a benign sample of an encrypted file.”
According to a February report by AT&T Alien Labs, BlackCat/ALPHV was used in a January 2022 campaign against two international oil companies headquartered in Germany, Oiltanking and Mabanaft. The FBI warned that as of March 2022, the BlackCat/ALPHV group had compromised at least 60 entities worldwide.
The ransomware gains access to the victim’s system by putting previously compromised user credentials to work. The malware then compromises Active Directory user and administrator accounts, leveraging Windows administrative tools and Microsoft Sysinternals tools.
According to the FBI’s investigation, BlackCat/ALPHV is the first ransomware group to successfully use the programming language RUST to commission its attacks. RUST is considered a more secure programming language that offers improved performance and reliable concurrent processing.
The cyber-criminal group steals data from the victim before the deployment of the ransomware, including company or client data stored by cloud providers on the victim’s behalf.
While BlackCat/ALPHV-affiliated threat actors typically request ransom payments of several million dollars in Bitcoin and Monero, the group has been observed accepting ransom payments of a lower value than the amount initially demanded.
The group is believed to have links with other RaaS groups that have ceased operating.
“Many of the developers and money launderers for BlackCat/ALPHV are linked to Darkside/Blackmatter, indicating they have extensive networks and experience with ransomware operations,” stated the FBI.
In the FLASH alert, the FBI listed recommended mitigations, including using multi-factor authentication and installing updates/patch operating systems, software and firmware as soon as they are released.