BlackCat Ransomware Strikes Azure Cloud Storage with New Sphynx Variant
Indian Cyber Security Solutions (GreenFellow IT Security Solutions Pvt Ltd)
"Securing your world Digitally"
Introduction
In a concerning development, the notorious BlackCat (formerly known as ALPHV) ransomware gang has resurfaced with a fresh wave of attacks. This time, they have adopted a more sophisticated approach, utilizing stolen Microsoft accounts and a newly spotted Sphynx encryptor to encrypt their victims' Azure cloud storage. The following article delves into the details of this recent breach and the evolving tactics employed by the BlackCat ransomware gang.
The Sphynx Variant Emerges
Sophos X-Ops incident responders, while investigating a recent security breach, found that the attackers had used a new variant of the Sphynx ransomware. This variant comes with enhanced capabilities, including the ability to use custom credentials during the intrusion.
Infiltration and Tampering
The attackers gained access to a Sophos Central account using a stolen one-time password (OTP). Once inside, they disabled Tamper Protection and modified security policies, effectively circumventing the victim's defenses. Notably, they acquired the OTP from the victim's LastPass vault through the LastPass Chrome extension.
Subsequently, the attackers launched their ransomware campaign, encrypting not only the Sophos customer's systems but also their remote Azure cloud storage. All encrypted files were marked with the .zk09cvt extension. Astonishingly, the ransomware operators managed to encrypt a total of 39 Azure Storage accounts.
Azure Portal Compromise
To further their malicious agenda, the attackers infiltrated the victim's Azure portal using a stolen Azure key, which granted them access to the targeted storage accounts. The keys had been embedded in the ransomware binary in Base64-encoded form.
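The Base64-embedded storage keys described above are a detection opportunity. The following script, an added example that is not from this article or from Sophos, scans a file image for Base64 runs that decode to an Azure Storage connection string and reports them without echoing the key. The marker substrings are assumed from the documented connection-string format, the 32-character floor is an assumed triage threshold, and the sample binary is constructed.

```python
import base64
import re

# Substrings of a documented Azure Storage connection string (assumed markers,
# taken from the public connection-string format, not from the article).
MARKERS = (b"AccountKey=", b"AccountName=", b"core.windows.net")

# A run of Base64 alphabet long enough to hold a connection string fragment
# (the 32-character floor is an assumed triage threshold).
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{32,}={0,2}")

def decode_candidate(chunk: bytes):
    """Decode one Base64 run, repairing missing padding; None if it is not Base64."""
    core = chunk.rstrip(b"=")
    padded = core + b"=" * (-len(core) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None

def find_embedded_azure_strings(blob: bytes) -> list:
    """Return every Base64 run in blob whose decoded form carries an Azure marker."""
    hits = []
    for m in B64_RUN.finditer(blob):
        decoded = decode_candidate(m.group(0))
        if decoded is None:
            continue
        found = [k.decode() for k in MARKERS if k in decoded]
        if found:
            hits.append({"offset": m.start(), "markers": found, "decoded": decoded})
    return hits

def summarize(hit: dict) -> str:
    """One triage line per hit; the key value is never echoed, only its length."""
    name = re.search(rb"AccountName=([^;]+)", hit["decoded"])
    key = re.search(rb"AccountKey=([^;]+)", hit["decoded"])
    return (f"offset={hit['offset']} markers={','.join(hit['markers'])} "
            f"account={name.group(1).decode() if name else '?'} "
            f"key_len={len(key.group(1)) if key else 0}")

# Constructed sample: a fake connection string with an all-0x11 placeholder key,
# Base64-encoded and surrounded by filler bytes to mimic a string inside a binary.
FAKE_CONN = (b"DefaultEndpointsProtocol=https;AccountName=exampleacct;AccountKey="
             + base64.b64encode(b"\x11" * 64) + b";EndpointSuffix=core.windows.net")
SAMPLE_BINARY = b"\x00MZ\x90junk " + base64.b64encode(FAKE_CONN) + b"\x00\x00trailing data"

if __name__ == "__main__":
    for hit in find_embedded_azure_strings(SAMPLE_BINARY):
        print(summarize(hit))
```

Run it against a suspect binary by replacing SAMPLE_BINARY with the file's bytes; a hit is a strong signal that the sample carries cloud storage credentials that should be rotated immediately.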
Use of Remote Monitoring and Management (RMM) Tools
Throughout the intrusion, the attackers leveraged multiple Remote Monitoring and Management (RMM) tools, including AnyDesk, Splashtop, and Atera. These tools likely facilitated their access and control over the compromised systems.
Sphynx Variant Unveiled
Sophos initially detected the Sphynx variant in March 2023 during an investigation into a data breach that bore striking similarities to another attack detailed in an IBM X-Force report published in May. The ExMatter tool was used in both instances to exfiltrate stolen data.
Microsoft's Findings
In a separate development, Microsoft recently found that the new Sphynx encryptor bundles the Remcom hacking tool and the Impacket networking framework. These additions enable lateral movement across compromised networks, extending the ransomware's reach.
BlackCat's Dark History
The BlackCat (formerly DarkSide/BlackMatter) ransomware gang first gained global notoriety in November 2021 when they breached the Colonial Pipeline, prompting international law enforcement agencies to intensify their efforts against the group.
The gang rebranded as BlackMatter in July 2021 but faced a setback in November when authorities seized their servers, and security firm Emsisoft developed a decryption tool. Despite these setbacks, BlackCat remains a formidable and adaptable ransomware outfit, consistently targeting global enterprises.
Evolution of Tactics
The group has continuously adapted and refined its tactics. Last summer, they introduced a novel extortion approach, using a dedicated clear-web site to leak stolen data so that victims' customers and employees could check whether their data had been exposed. More recently, in July, BlackCat introduced a data leak API to streamline the dissemination of stolen data.
Recent Attack on MGM Resorts
In a recent development, one of the gang's affiliates, known as Scattered Spider, claimed responsibility for an attack on MGM Resorts. They encrypted over 100 ESXi hypervisors after the company took down its internal infrastructure and refused to negotiate a ransom payment.
FBI's Warning
Notably, in April, the FBI issued a warning, identifying the BlackCat gang as responsible for successful breaches of over 60 entities worldwide between November 2021 and March 2022.
In conclusion, the BlackCat ransomware gang, once known as DarkSide, remains a formidable and evolving threat to enterprises worldwide. Their recent use of the Sphynx variant, combined with advanced techniques and tools, underscores the urgent need for enhanced cybersecurity measures to protect against such insidious attacks.