Alert - ALPHV/BlackCat Ransomware Targeting of Canadian Industries

Number: AL23-010
Date: July 25, 2023

Audience

This Alert is intended for IT professionals and managers.

Purpose

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.

Details

The Communications Security Establishment (CSE) and its Canadian Centre for Cyber Security (Cyber Centre) are aware of incidents where victims were infected with ALPHV/BlackCat ransomware. As of July 24, 2023, incidents involving ALPHV/BlackCat have impacted multiple sectors within Canada and globally.

The Cyber Centre assesses that ALPHV/BlackCat are almost certainly financially motivated and have shown no pattern to victimization that suggests deliberate targeting. The Cyber Centre assesses that ALPHV/BlackCat and its affiliates very likely select their victims based on opportunity. ALPHV/BlackCat is responsible for a significant share of attributed Canadian ransomware incidents that the Cyber Centre is aware of between January 2022 and June 2023. ALPHV/BlackCat has presented a threat to Canadian organizations since at least January 2022 and will very likely continue to threaten Canadian and international organizations into the latter half of 2023.

In 2023, BlackBerry published an article which details the BlackCat malware Footnote 1. In the report they state “BlackCat has most often targeted companies in the financial, manufacturing, legal, and professional services industries — but BlackCat’s exploits span all industries.” With a campaign that “often employ a triple-extortion tactic: making individual ransom demands for the decryption of infected files; for not publishing stolen data; and for not launching denial of service (DoS) attacks."

The Cyber Centre continues to monitor activities impacting Canadian Ransomware victims and will provide further technical indicators along with advice and guidance as they are made available. The Cyber Centre is providing the following TTPs and attached IOCs related to activity recently reported to the Cyber Centre to provide network defenders techniques to better protect themselves. All government and non-government partners are also encouraged to use cyber security best practices to protect their environments.Footnote 2

Tactics, techniques, and procedures (TTP)

The following MITRE ATT&CK techniques leveraged by the actorsFootnote 3 were reported to the Cyber Centre or referenced through open-source. They are being provided to outline the reported activity. MITRE provides detection and mitigation strategies for system operators to better protect their network systems. These resources are available in the references section of this Alert.

Initial access

Threat actors have been reportedly using multiple forms of social engineering to gain access to user credentials. This has included phishing email and SMS messages with links to target-themed credential phishing, as well as phone calls to the users to harvest their credentials.Footnote 4

  • T1586 – Compromise Accounts
  • T1566 – Phishing

Threat actors have also been reportedly bypassing MFA by various means, including MFA fatigue and social engineering. Footnote 4

  • T1111 - Multi-Factor Authentication Interception

Privilege escalation

Threat actors have been reportedly leveraging compromised credentials to conduct additional credential theft to escalate privileges.Footnote 4 Threat actors have also been reportedly compromising privileged accounts as part of the initial access.

  • TA0004 – Privilege Escalation

Command and control (C2)

Following initial compromise, threat actors have also been reportedly using various remote monitoring and management tools to maintain persistence, many of which are commercial products to avoid detection.Footnote 4

  • T1219 – Remote Access Software

Scanning

Following initial compromise, threat actors have been reportedly leveraging various tools to scan for RDP and SMB enabled devices on the network.Footnote 5

  • T1135 – Network Share Discovery
  • T1046 – Network Service Discovery

Persistence

Threat actors have been reportedly adding their own MFA tokens to existing user accounts. This allows the threat actor to maintain persistence while avoiding detection.Footnote 4

  • T1098.005 - Account Manipulation: Device Registration

Threat actors have also been reportedly adding federated domains to Azure AD to maintain persistence.

  • T1484.002 – Domain Policy Modification: Domain Trust Modification

Threat actors have also been reportedly using scheduled tasks to maintain persistenceFootnote 5

  • T1053.005 – Scheduled Task/Job: Scheduled Task

Threat actors have also been reportedly using various remote monitoring and management tools to maintain persistence, many of which are commercial products to avoid detection.Footnote 4

  • T1219 – Remote Access Software

Threat actors have also been reportedly abusing continuous configuration management software such as Ansible to maintain persistence. These tools are abused to automatically re-infect new systems.

  • T1525 - Implant Internal Image

Movement within network

To move laterally within the network, threat actors have been reportedly leveraging management tools such as Microsoft InTune and WSUS to spread within the network.

  • T1072 - Software Deployment Tools

Threat actors have also been reportedly using RDP connections to perform further credential theft via LSASS dumping.Footnote 6

  • T1021.001 - Remote Services: Remote Desktop Protocol

Recovery prevention and obstruction

To prevent and obstruct recovery efforts, threat actors have been reportedly deleting virtual machine backups and snapshots. Threat actors have also been reportedly deleting Windows shadow copy backups during the encryption process.Footnote 1

  • T1490 – Inhibit System Recovery

Suggested actions

The Cyber Centre recommends organizations:

  • Review the attached indicators of compromise and above TTPs to determine if related activity has occurred. If activity has been detected and a compromise has occurred:
    • Reimage compromised systems.
    • Reset all potentially compromised credentials.
  • Review the MITRE ATT&CK techniques and mitigationsFootnote 3 to assist in reducing potential threat surfaces.

In addition, the Cyber Centre strongly recommends that organizations review and implement the Cyber Centre’s Top 10 IT Security ActionsFootnote 2 with an emphasis on the following topics.

  • Phishing Awareness. This includes both identification of phishing but also procedures on what to do if a phishing email is received.
  • Phishing Technical Controls.
  • Multi-factor Authentication.
    • Favouring hard tokens for sensitive or critical systems or accounts.
  • Enforcing the Management of Administrative Privileges.
    • Minimize number of administrators and privileged roles.
    • Conduct administrative activities on managed, hardened, and dedicated devices with restricted access to email, web browsing and outside connectivity.
    • Enable two-person integrity when resetting administrative accounts to minimize successful social engineering activities.
  • Remote Access Management and Controls.
  • Network segmentation and demilitarized zones (DMZs).
    • Configure firewalls to selectively control and monitor traffic passed between zones.
  • Software Management and Deployment Controls.
  • Business continuity planning, which is tested and validated.
  • Review the Cyber Centres Playbook on Ransomware (ITSM.00.099) and apply recommended security controls.Footnote 10

If activity matching the content of this alert is discovered, recipients are encouraged to report via the My Cyber Portal, or email contact@cyber.gc.ca.

Indicators of compromise

The Cyber Centre is releasing the following indicators of compromise (IoCs) associated with ALPHV/BlackCat activity. The Cyber Centre wishes to highlight that some of the provided network indicators may be used for legitimate purposes. The presence of connections to these network indicators does not necessarily imply that a system has been compromised, but it does merit further investigation to verify the systems integrity.

Additionally, as these indicators may contain legitimate infrastructure or software, it is important to verify business services and network environments before implementing any blocks based on these indicators.

Indicator Type Notes
fleetdeck_agent_svc.exe filename FLEETDECK
njmatio0.fdx.cmd filename TA Scripts (njmatio0)
privacy.sexy filename TA Scripts (Disable MDE)
run-{B9184FF9-B695-4605-B649-BF3A488E9BF5}-v3854.exe filename ALPHV
run-{B9184FF9-B695-4605-B649-BF3A488E9BF5}-v3857.exe filename ALPHV
[REDACTED]_non_employee_pcs__onprem__azure__aws__mk2_locker_windows32 (1).zip filename ALPHV
[REDACTED]_non_employee_pcs__onprem__azure__aws__mk2_locker_windows32(1).zip filename ALPHV
[REDACTED]_non_employee_pcs__onprem__azure__aws__mk2_locker_windows32.zip filename ALPHV
WhenTheyCry0.ps1 filename TA Scripts (WhenTheyCry0.ps1)
Win - [REDACTED] - Dynamically Set Time Zone filename Malicious Intune Scripts
Win10 - CloudPC - Teams WebRTC Plugin filename Malicious Intune Scripts
Win - [REDACTED] - Zscaler Remediation v4 filename Malicious Intune Scripts
Win10 - WKSConfig - Add [REDACTED]Admin10 filename Malicious Intune Scripts
WindowsDefenderATPOffboardingScript_valid_until_2023-07-23.cmd filename TA Scripts (Disable MDE)
WindowsDefenderATPOffboardingScript_valid_until_2023-07-24.cmd filename TA Scripts (Disable MDE)
C:\ATP.cmd filepath TA Scripts (Disable MDE)
C:\forti.exe filepath FLEETDECK
C:\fortis.exe filepath ALPHV
C:\fortiss.bat filepath TA Scripts (Disable MDE)
C:\Program Files (x86)\FleetDeck Agent\fleetdeck_agent_svc.exe filepath FLEETDECK
C:\Users\Arssvc\downloads\24hours.exe filepath TA Executables (24hours.exe) | TA created user ARSSCV
C:\Users\[REDACTED]\AppData\Local\VirtualStore\Program Files (x86)\FleetDeck Agent\credentials.json filepath FLEETDECK
C:\Users\[REDACTED]\AppData\Local\VirtualStore\Program Files (x86)\FleetDeck Agent\deployment.json filepath FLEETDECK
C:\Users\[REDACTED]\AppData\Local\VirtualStore\Program Files (x86)\FleetDeck Agent\latest.json filepath FLEETDECK
C:\Users\[REDACTED]\AppData\Local\VirtualStore\Program Files (x86)\FleetDeck Agent\z7RvqxPCGUS2jCWMFVomadRMQD6C.txt filepath FLEETDECK
C:\Users\[REDACTED]\Downloads\FFjEqOaD6jGqN9upnK00kAbxWNH2FFXYuW.exe filepath ALPHV
C:\Windows\System32\Tasks\privacy.sexy filepath TA Scripts (Disable MDE)
C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows\1.1.15\Downloads\script0.ps1 filepath [nil]
C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows\1.1.15\Downloads\ygkmZF5i4UtMWqDE6V3J.txt filepath [nil]
C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows\1.1.15\JN3x4VqhB81TOXBUl0JRfERIWjoCs.txt filepath [nil]
C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows\1.1.15\bin\g2dF1nbbDK3vpS9A4AxMNvIzQeqZx.txt filepath [nil]
C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows\1.1.15\RuntimeSettings\sCgJDQc9XLmMC0TYUnemYl.txt filepath [nil]
C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows\1.1.15\Downloads\UyRsql4uhjaYT5Lm2wM.txt filepath [nil]
C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows\1.1.15\Status\3XjHpEDkYDxh7GzUuVhwN7k6xCjKCU.txt filepath [nil]
C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows\1.1.15\Status\aatftpKN1N46jZeJTPV.txt filepath [nil]
2uee6idu7qoaqdata000.blob.core.windows[.]net FQDN TA Scripts (Disable MDE)
fleetdeck[.]io FQDN FLEETDECK
gofile[.]io FQDN TA Infrastructure
level[.]io FQDN LEVEL.IO
pinyin-[REDACTED].s3.us-west-2.amazonaws[.]com FQDN TA Infrastructure
privacy[.]sexy FQDN TA Scripts (Disable MDE)
storjshare[.]io FQDN TA Infrastructure
[REDACTED]-sso[.]com FQDN TA Infrastructure
temp[.]sh FQDN TA Infrastructure
162.33.179[.]114 IPv4 UPDATE.EXE
193.149.187[.]213 IPv4 TA Infrastructure
4.157.42[.]62 IPv4 TA Infrastructure
40.88.54[.]192 IPv4 TA Infrastructure
52.188.53[.]135 IPv4 TA Infrastructure
206.188.196[.]78 IPv4 TA Infrastructure
193.149.187[.]213 IPv4 TA Infrastructure
45.154.138[.]39 IPv4 TA Infrastructure
47.154.86[.]24 IPv4 TA Infrastructure
67.216.143[.]42 IPv4 TA Infrastructure
29efd64dd3c7fe1e2b022b7ad73a1ba5 MD5 MIMIKATZ
3c5a420aed54867a0fd0d373637595d2 MD5 FLEETDECK
44eee3d7f6d60f3390c68ad3f1cb1b77 MD5 ALPHV
4b940893856bbde6c7c587d7e10ec4d1 MD5 TA Scripts (Disable MDE)
4bfe8fafe03fe781f75c375bdade54f7 MD5 FLEETDECK
60cf9dfc495e4bd99e31b2b6079f654e MD5 Malicious Intune Scripts
61b13d54c8dda98b7aa13e75abfdbd12 MD5 UPDATE.EXE
7f4c0d171e104eea3c48e03ade1ec68a MD5 Malicious Intune Scripts
825e125eb34abb8197178ed10d5452d5 MD5 ALPHV
adc52a4c68173dce2733dbfe45c5ebe9 MD5 Malicious Intune Scripts
bbeb9589a0f406d0d4921df68641ccf1 MD5 Malicious Intune Scripts
cc51281a38bdc87a7ad0e4b612181ced MD5 ALPHV
d2848456bc6fc3bdccf6998befeced4b MD5 TA Scripts (Disable MDE)
1c939f39a93aa425f857f76a8072ef0e43153ed0 SHA1 ALPHV
48579f02785e022db5d31c229be8b9a098134d95 SHA1 Malicious Intune Scripts
6f464abe5f9591b3786f21ef911fc6cd1f717131 SHA1 TA Scripts (Disable MDE)
9d966e90c1c6bc7100e9b089fe6c8ce52a6b379c SHA1 TA Scripts (Disable MDE)
a9ed0ca8e08cf1e7569fcda769351850c748d681 SHA1 ALPHV
b2cfe7344875528ce6bf64719c7eadadffb3e567 SHA1 FLEETDECK
b6da15fb313b3c7d66923f6144bac69aa19e74d1 SHA1 Malicious Intune Scripts
bd53bd285071966d8799e5d9ceaa84a0b058a4fb SHA1 Malicious Intune Scripts
c219e7bee1cb92e2026a81ac333cd6f439a077b2 SHA1 FLEETDECK
d278d06db4e1b8a6379308a797c0304676a30e10 SHA1 UPDATE.EXE
d34043b44a7405e1359ef5f4dbebd09f324d9645 SHA1 ALPHV
e3b6ea8c46fa831cec6f235a5cf48b38a4ae8d69 SHA1 MIMIKATZ
eb410e312adadda3a3d13c608b8bb5ef7ecb812c SHA1 Malicious Intune Scripts
140bcad5397858a7fa35a79dba4cd83decd4ae2927a22983218b3a0efebd8b9e SHA256 TA Scripts (njmatio0)
1c2fbab9c849db1e8d8f26d217a7434aad3cab45b6f3c6c2de81b548220779fd SHA256 Malicious Intune Scripts
20529bcdc538cc28303300bab95b9daeb07264cf7ccdef837f87e26ea2a4f23f SHA256 TA Scripts (Disable MDE)
234f8d70d92dde7d8f5edee2d3b3152214ef0b86c8e7c30274371fa9880243e6 SHA256 ALPHV
243e1d202848ae99d8ee7a13f08316a8f0d37db93379df2fcbae7ff82754d89e SHA256 ALPHV
25e6fef0dce4e0f6260442b164ce7305561223429771b96f7448db8f337955cb SHA256 ALPHV
61c0810a23580cf492a6ba4f7654566108331e7a4134c968c2d6a05261b2d8a1 SHA256 MIMIKATZ
84d33d77ea225839f0f2e473e20108e77f8a3e2a125eac844dc85116ef9792f5 SHA256 FLEETDECK
85ba48604d680d2786f485d70a6892dcf059c646e28b0a9befe530f9e3e459a5 SHA256 Malicious Intune Scripts
b6bb576e3dd58f09218cf455d94e4db253af5f244f70f88abd78af0dc29c1246 SHA256 Malicious Intune Scripts
bfa3cf521eefaaecc5d54028b3c12ea571033d4fe98e94d0031912b55071357b SHA256 ALPHV
c97641412ba384933dae4d4de377bc57bd0c9cd6d17b52a9a38c7c9a6eadd64c SHA256 TA Scripts (Disable MDE)
da8c1976b9756cfb9afdcb4eaca193f411f96cee65835a87b3efb3423b33810b SHA256 TA Scripts (WhenTheyCry0.ps1)
df1f54952d918b1ddabf543ac50c2dafbca7aad2e5681824c0d1a44416da9c1d SHA256 Malicious Intune Scripts
e616846973de11765207dddbdf7712a74b2d804a08b65badb47f9ef09a640d4f SHA256 FLEETDECK
e7e8a15588225ae93f2ebc91769352de0d48bfdcfcb93718e66119eb23dee976 SHA256 UPDATE.EXE
f51166cf076d96c47b5c2ba22e65903b21e4d6735e585e1c51f796108a0a54f9 SHA256 ALPHV

MITRE ATT&CK techniques

Report a problem on this page

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Please select all that apply:

Thank you for your help!

You will not receive a reply. For enquiries, please contact us.

Date modified: