FBI FLASH – BlackCat/ALPHV Ransomware Indicators of Compromise

The FBI has published a TLP:WHITE FLASH providing indicators of compromise associated with BlackCat/ALPHV ransomware. The Flash notes that BlackCat/ALPHV threat actors operate as a ransomware as a service (RaaS) organization and since March 2022 have compromised at least 60 entities worldwide. The group is reportedly the first successful ransomware entity to employ the RUST programing language, which is considered to be more secure.

According to the FBI, “BlackCat/ALPHV ransomware leverages previously compromised user credentials to gain initial access to the victim system. Once the malware establishes access, it compromises Active Directory user and administrator accounts. The malware uses Windows Task Scheduler to configure malicious Group Policy Objects (GPOs) to deploy ransomware.” The FLASH includes further technical details regarding this activity and lists recommended mitigations. It also encourages partners to report suspicious or criminal activity to their local FBI field office or the FBI’s 24/7 CyberWatch (CyWatch) at (855)292-3937 or Cy*****@*bi.gov.

Access the FLASH Below.