ALPHV's ransomware makes it easy to search data from targets who do not pay

Search Close

Account Information

Reset password

An email has been sent to you with instructions on how to reset your password.

Back to TechRepublic

Welcome to TechRepublic!

By registering, you agree to the Terms of Use and acknowledge the data practices outlined in the Privacy Policy.

You will also receive a complimentary subscription to TechRepublic's News and Special Offers newsletter and the Top Story of the Day newsletter. You may unsubscribe from these newsletters at any time.

All fields are required. Username must be unique. Password must be a minimum of 6 characters and have any 3 of the 4 items: a number (0 through 9), a special character (such as !, $, #, %), an uppercase character (A through Z) or a lowercase (a through z) character (no spaces).

ALPHV, also known as BlackCat, is a ransomware developed in the Rust programming language, which makes it easier to compile and customize for various different operating systems, therefore widening the range of possible targets for the threat actor. Rust is also a more secure programming language, with improved performances and reliability. The use of Rust is still quite uncommon when it comes to malware development.

The group has targeted more than 60 organizations around the world, including those in the U.S., gaining traction since late 2021. It operates using a Ransomware-as-a-Service business model, which means the group provides malware code and infrastructure to affiliates who are then in charge of attacking targets. Many of the developers and money launderers for ALPHV are actually linked to Darkside and Blackmatter ransomware groups, according to the FBI.

Extortion technique update

The threat actor has been using multiple extortion techniques, one of them being to exfiltrate data from the target and spread that data on a leak site if the victim does not want to pay the ransom, which typically falls between $400K and $3M in cryptocurrencies such as Monero or Bitcoin.

The group has also decided to use a new method to put even more pressure on its targets: Provide a search engine for their victims’ data leaks, as revealed in a new publication from Cyble.

One recent victim of the ALPHV threat actor saw them create a specific domain using the victim’s name with a .xyz domain extension, which the attackers then used to allow searching for that victim’s social security number, date of birth and email address (Figure A).

Figure A

Image: Cyble. ALPHV provides links to a searchable database of a target’s private information.

So far, Cyble only came across one single victim on whom this technique has been used, and it seems the threat actor decided to rethink this strategy of creating multiple domain names for targets. Instead, they posted a message to their affiliates to indicate that they will use a single hosting resource (Figure B).

Figure B

Image: Cyble. ALPHV support tells its affiliates about the new “breech-surfing” resource.

As can be read, the ALPHV threat actor indicates that all future targets’ data will be indexed and searchable by wildcard, filename and content. This way, the data will be “more usable for the cybercriminal community” and “make companies reconsider their attitude towards leaks.”

SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)

According to a screen capture from Cyble, the searchable database created by ALPHV is already available and has been dubbed ALPHV Collections. (Figure C)

Figure C

Image: Cyble. ALPHV Collections is a searchable database that will contain all leaks from targets who do not pay the ransom.

The idea of a searchable database is well thought. It can be difficult or tedious to download full databases from ransomware leaks, so it will be much easier for the attacker’s to just query the database without having to download it all, increasing the scope of the attack.

ALPHV Collections’ risk to the supply chain

As mentioned by Cyble researchers, multiple incidents in the past showed threat actors leveraging leaked credentials to conduct supply chain attacks. The searchable database from ALPHV could allow other threat actors to conduct such attacks easily, with valid credentials contained in the database. Should passwords be stored in clear text, any attacker might just query the ALPHV Collections database and get fully functional credentials for different companies or services.

What can be done against this threat?

All operating systems, devices and software should always be kept up to date and patched. Sensitive data should be stored encrypted — especially credentials.

Multi-factor authentication should be enabled for all services facing the Internet. User privileges should be restricted to the sole content they need for their professional activity.

Security solutions and antivirus software, especially on endpoints, should be deployed, together with Intrusion Prevention Systems and Intrusion Detection Systems. Email protection and anti-phishing solutions should also be deployed.

A safe offline backup plan must be ready to restore any sensitive data loss.

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.

TechRepublic Premium editorial calendar: IT policies, checklists, toolkits, and research for download

TechRepublic Premium content helps you solve your toughest IT issues and jump-start your career or next project.

Innovation

Gartner identifies 25 emerging technologies in its 2022 hype cycle

The technologies could enable immersive experiences, accelerated AI automation and optimized technologist delivery in the next two to 10 years, according to the firm.

ERP analytics — Image: BillionPhotos.com/Adobe Stock

CXO

Top 10 ERP vendors 2022

Are you an IT manager or executive trying to make the case for a new ERP vendor? Compare the top ERP software solutions with our list today.

Image: Apple. At WWDC 2022, Apple announced the planned release of the next version of its Mac operating system, macOS Ventura, for the fall of 2022.

Software

macOS 13 Ventura cheat sheet: Complete guide for 2022

Learn about the new features available with macOS 13 and how to download and install the latest version of Apple’s flagship operating system.

shopping cart full of electronics and tech in front of a phone with the text Online Sale Limited Time Offer to the right — Image: elenabsl/Adobe Stock

Software

Top TechRepublic Academy training courses and software offerings of 2022

Get great deals on developer and Linux training courses, Microsoft Office licenses and more through these TechRepublic Academy offerings.

Cloud

Multicloud explained: A cheat sheet

This comprehensive guide covers the use of services from multiple cloud vendors, including the benefits businesses gain and the challenges IT teams face when using multicloud.

Recruiting a Scrum Master with the right combination of technical expertise and experience will require a comprehensive screening process. This hiring kit provides a customizable framework your business can use to find, recruit and ultimately hire the right person for the job. This hiring kit from TechRepublic Premium includes a job description, sample interview questions ...

Knowing the terminology associated with Web 3.0 is going to be vital to every IT administrator, developer, network engineer, manager and decision maker in business. This quick glossary will introduce and explain concepts and terms vital to understanding Web 3.0 and the technology that drives and supports it.

While the perfect color palette or the most sublime button shading or myriad of other design features play an important role in any product’s success, user interface design is not enough. Customer engagement and retention requires a strategic plan that attempts to measure, quantify and ultimately create a complete satisfying user experience on both an ...

ALPHV’s ransomware makes it easy to search data from targets who do not pay