A report from cybersecurity researchers at Sophos claims the attackers are using a new variant of a known ransomware strain in their attacks.
The report was based on an analysis of a victim that was also a Sophos client. When the company investigated the breach, it discovered that the attackers had gained access to the victim's Sophos Central account using a stolen One-Time Password (OTP). The OTP was taken from the victim's LastPass vault via the Chrome extension, the report added. The attackers then used that access to disable Tamper Protection and modify various security policies.
After that, the group encrypted the victim's systems and moved on to the victim's remote Azure cloud storage. Encrypted files were given the .zk09cvt extension; in total, 39 Azure Storage accounts were affected.
ALPHV gained access to the victim's Azure portal via a stolen key, the report says. The key had been Base64-encoded and embedded in the ransomware binary, BleepingComputer explained.
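The attack chain above turns on a storage account key being used to rewrite blobs with the .zk09cvt extension. The following is an added example, not code from the Sophos report, showing how a defender could hunt for that pattern in exported Azure Storage blob logs; the field names (OperationName, AuthenticationType, Uri, AccountName, CallerIpAddress) are modelled on Azure StorageBlobLogs, and the log lines, account names and IP addresses are constructed.

```python
import json
from collections import defaultdict

# Extension reported for the encrypted files.
RANSOM_EXT = ".zk09cvt"
# Blob operations that create or overwrite blob content.
WRITE_OPS = {"PutBlob", "PutBlockList", "CopyBlob"}

# Constructed JSON-lines records (assumption: shaped like StorageBlobLogs exports).
SAMPLE_LOGS = """\
{"AccountName":"corpdata01","OperationName":"PutBlob","AuthenticationType":"AccountKey","CallerIpAddress":"203.0.113.7","Uri":"https://corpdata01.blob.core.windows.net/hr/payroll.xlsx.zk09cvt"}
{"AccountName":"corpdata01","OperationName":"GetBlob","AuthenticationType":"OAuth","CallerIpAddress":"198.51.100.20","Uri":"https://corpdata01.blob.core.windows.net/hr/handbook.pdf"}
{"AccountName":"corpdata01","OperationName":"PutBlob","AuthenticationType":"AccountKey","CallerIpAddress":"203.0.113.7","Uri":"https://corpdata01.blob.core.windows.net/finance/q3.xlsx.zk09cvt?timeout=30"}
{"AccountName":"corpdata01","OperationName":"PutBlockList","AuthenticationType":"AccountKey","CallerIpAddress":"203.0.113.7","Uri":"https://corpdata01.blob.core.windows.net/finance/ledger.db.zk09cvt"}
{"AccountName":"corpdata01","OperationName":"PutBlob","AuthenticationType":"OAuth","CallerIpAddress":"198.51.100.20","Uri":"https://corpdata01.blob.core.windows.net/shared/notes.docx"}
{"AccountName":"backupstore02","OperationName":"PutBlob","AuthenticationType":"AccountKey","CallerIpAddress":"203.0.113.7","Uri":"https://backupstore02.blob.core.windows.net/vm/disk1.vhd.zk09cvt"}
"""


def parse_logs(text):
    """Parse JSON-lines log text into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def suspicious_writes(records, ext=RANSOM_EXT, threshold=3):
    """Return, per storage account, write operations whose target blob name
    ends in the ransom extension, once the count reaches `threshold`.
    Each hit records the authentication types and caller IPs involved so an
    analyst can see whether a shared account key (rather than OAuth) was used."""
    hits = defaultdict(lambda: {"count": 0, "auth": set(), "ips": set()})
    for r in records:
        if r.get("OperationName") not in WRITE_OPS:
            continue
        # Drop the query string before checking the blob name suffix.
        path = r.get("Uri", "").split("?", 1)[0]
        if not path.lower().endswith(ext):
            continue
        h = hits[r.get("AccountName", "unknown")]
        h["count"] += 1
        h["auth"].add(r.get("AuthenticationType", "unknown"))
        h["ips"].add(r.get("CallerIpAddress", "unknown"))
    return {acct: h for acct, h in hits.items() if h["count"] >= threshold}


if __name__ == "__main__":
    for acct, h in suspicious_writes(parse_logs(SAMPLE_LOGS)).items():
        print(f"{acct}: {h['count']} ransom-extension writes, auth={sorted(h['auth'])}, ips={sorted(h['ips'])}")
```

With the constructed data only corpdata01 crosses the threshold, and every flagged write was authenticated with an account key from a single address, which is the combination worth pivoting on (key rotation, then IP and portal sign-in review).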
BlackCat, or ALPHV, is a ransomware-as-a-service provider, a group that rents its encryptor and the surrounding infrastructure to whichever cybercrime group can afford it. Recently, a group known as Scattered Spider was observed using this encryptor against at least one target – a Las Vegas casino.
Through the years, ransomware attacks have evolved. They started with simple file encryption; once organizations set up backups, crooks began stealing data as well and threatening to release it unless the payment was made. These days, some groups decide not to deploy an encryptor in the first place, claiming the entire process is too expensive and cumbersome, especially when it comes to maintaining and deploying the encryptor. Instead, they simply steal important information and threaten to release it.