"BlackCat" Ransomware Targets Azure Storage with Sphynx Cipher

The BlackCat (ALPHV) ransomware group has taken their malicious operations to the Azure cloud storage realm, employing stolen Microsoft accounts and the recently discovered Sphynx encryptor.

[FREE E-BOOK] The Definite Blueprint for Cybersecurity in Manufacturing

During an investigation into a recent breach, Sophos X-Ops incident handlers uncovered that the attackers utilized an updated version of Sphynx, enabling them to employ custom credentials in their encryption efforts.

After gaining unauthorized access to the Sophos Central account through the use of a stolen One-Time Password (OTP), the attackers proceeded to deactivate Tamper Protection and modify security settings. This was made possible by extracting the OTP from the victim’s LastPass password using the LastPass Chrome extension.

Subsequently, they initiated the encryption process on the Sophos customer’s systems and remote Azure cloud storage, appending the “.zk09cvt” extension to all encrypted files. In total, the individuals responsible for the ransomware managed to compromise and lock 39 Azure Storage accounts.

To infiltrate the victim’s Azure site, the attackers leveraged a pilfered Azure key, granting them entry to the specified storage accounts. These ill-gotten keys were encoded in Base64 format before being incorporated into the ransomware binary.

In the course of the attack, the perpetrators also utilized various Remote Monitoring and Management (RMM) tools, including AnyDesk, Splashtop, and Atera.

Sophos uncovered this Sphynx variant in March 2023 during an investigation into a data breach reminiscent of a previous attack detailed in an IBM-Xforce report from May. In both instances, the ExMatter tool was employed to exfiltrate stolen data.

Microsoft recently identified that the updated Sphynx encryptor employs the Remcom hacking tool and the Impacket networking framework to laterally traverse networks that have already been compromised.

The BlackCat/ALPHV ransomware operation emerged in November 2021 and is believed to be a rebranding of the DarkSide/BlackMatter group.
Initially, this group operated under the name DarkSide. However, their notoriety skyrocketed on a global scale after the high-profile breach of the Colonial Pipeline, resulting in heightened scrutiny from law enforcement agencies worldwide.

Even after changing its name to BlackMatter in July 2021, the group faced an abrupt halt to their operations in November, as government intervention led to the seizure of their servers. A security company named Emsisoft capitalized on a vulnerability within the ransomware, creating a decryption tool.

This gang has long maintained a reputation as one of the most intricate and high-profile ransomware groups. Their targets span global businesses, and they continually evolve and refine their techniques.

As an example of their adaptability, last summer, they introduced a novel extortion method by leaking the stolen data of specific victims through a clear web website. This allowed the victim’s customers and employees to determine whether their data had been compromised, adding a new dimension to their extortion tactics.

In a more recent development in July, BlackCat introduced a data leak API, simplifying the process of exfiltrating stolen data.

This week, one of the gang’s affiliates, Scattered Spider, claimed responsibility for an attack on MGM Resorts. They reported encrypting over 100 ESXi hypervisors after the company decided to shut down its internal systems and declined to pay a ransom.

Back in April, the FBI issued a warning regarding a group that had successfully breached over 60 organizations worldwide between November 2021 and March 2022. These incidents highlight the persistent and evolving threat posed by ransomware groups like BlackCat and its affiliates.