alphv

T1078Valid Accounts

In some attacks, threat actors utilized ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).

T1133External Remote Services

As an initial attack vector, insecure RDP and VPNs were exploited.

T1190Exploit Public-Facing Application

BlackCat affiliates may purchase access to victims' network infrastructure on underground forums.

T1053Scheduled Task/Job

When deploying ransomware on the victim's network infrastructure, BlackCat affiliates may leverage group policies, resulting in the creation of a scheduled task (on each host) initiating the ransomware.

T1059.001Command and Scripting Interpreter: PowerShell

To disrupt IIS, delete volume shadow copies, disable recovery, clear Windows event logs, etc., BlackCat ransomware utilizes command shell to execute appropriate commands.

T1059.003Command and Scripting Interpreter: Windows Command Shell

LockBit affiliates use batch scripts to execute malicious commands.

T1072Windows Management Instrumentation

Adversaries may use wmic to gather information and execute various commands, including deleting volume shadow copies. They may also use Impacket's wmiexec module to execute commands and move laterally across the network.

T1106Native API

BlackCat uses native API.

T1569.002System Services: Service Execution

BlackCat Ransomware for Windows can self-propagate on the local network using legitimate PsExec utility (contained within its body), which creates a temporary system service.

T1078Valid Accounts

Legitimate accounts obtained by adversaries may be used to ensure persistence in the compromised infrastructure.

T1547Server Software Component

Successful exploitation of ProxyShell vulnerabilities allowed adversaries to place a web shell on a vulnerable Microsoft Exchange server.

T1078Valid Accounts

To escalate privileges, BlackCat may use stolen legitimate accounts specified in configuration data.

T1134.002Access Token Manipulation: Create Process with Token

To escalate privileges, BlackCat ransomware may initiate its process using stolen authentication data and the CreateProcessWithLogonW function.

T1548.002Abuse Elevation Control Mechanism: Bypass User Account Control

To bypass UAC, BlackCat ransomware may elevate privileges using the ICMLuaUtil COM interface, as well as utilize the Masquerade PEB method.

T1027Obfuscated Files or Information

BlackCat ransomware uses obfuscation.

T1036Masquerading

Adversaries use a renamed SoftPerfect Network Scanner executable to svchost.exe.

T1070.001Indicator Removal: Clear Windows Event Logs

Using wevtutil, BlackCat can clear all Windows event logs on a compromised host.

T1112Modify Registry

To propagate, BlackCat uses PsExec to modify the MaxMpxCt system registry parameter to increase the number of failed network requests for each client.

T1140Deobfuscate/Decode Files or Information

BlackCat decrypts configuration data, as well as decrypts and unpacks legitimate PsExec utility and an additional BAT file contained within the ransomware body.

T1497Virtualization/Sandbox Evasion

For anti-analysis (including in a sandbox), ALPHV MORPH checks the access token value of the command line parameter. Its value must contain the correct first 16 characters used to decrypt BlackCat's configuration data.

T1562.001Impair Defenses: Disable or Modify Tools

To avoid detection, adversaries terminate processes and services related to security software and antivirus.

T1003.001OS Credential Dumping: LSASS Memory

Adversaries may dump the LSASS process to obtain authentication data using legitimate tools (procdump, comsvcs.dll).

T1552Unsecured Credentials

Adversaries may use NirSoft utilities to obtain authentication data from registry and file.

T1555Credentials from Password Stores

Adversaries may use NirSoft utilities to extract authentication data from web browsers and other storage spaces.

T1020Automated Exfiltration

After access is obtained, files from target hosts are automatically uploaded to the legitimate cloud storage service MEGA using the Rclone utility.

T1030Data Transfer Size Limits

To avoid exceeding data size limits and triggering security controls, stolen data may be sent in fixed-size blocks.

T1041Exfiltration Over C2 Channel

When using Cobalt Strike, attackers can send collected information through the Cobalt Strike server communication channels.

T1048.002Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

Attackers may use the ExMatter exfiltration tool, which sends stolen data to specified SFTP and WebDav resources in the ExMatter configuration.

T1567.002Exfiltration Over Web Service: Exfiltration to Cloud Storage

Attackers use the Rclone sync utility to upload stolen data to the legitimate cloud storage service MEGA.

T1485Data Destruction

If credentials to access a victim's chat leak, BlackCat affiliates can delete encryption keys, rendering file decryption impossible.

T1486Data Encrypted for Impact

BlackCat encrypts the content of files on the local system as well as on available network resources.

T1489Service Stop

BlackCat stops security, backup, database, email, and other specified services in the configuration.

T1490Inhibit System Recovery

BlackCat deletes Windows volume shadow copies using vssadmin and wmic, disables recovery in the Windows boot menu using bccedit, and empties the Recycle Bin. BlackCat can stop backup services and destroy virtual machine snapshots.

T1498Network Denial of Service

If the victim refuses to pay the ransom, BlackCat may conduct DDoS attacks against the victim's infrastructure.