In recent weeks, there has been a surge in cyberattacks attributed to the ALPHV ransomware group. Some of the group’s latest hits include attacks against Tipalti, MGM Resorts, Caesars Entertainment, Clorox, McClaren Health Care, Fidelity National Financial, Five Guys, Estée Lauder, and NCR. This Cybersecurity Threat Advisory shares how robust cybersecurity hygiene can protect against ransomware attacks.
What is the threat?
The ALPHV ransomware group first appeared on the ransomware scene in November 2021. According to the FBI, the ALPHV/BlackCat gang compromised 60 businesses and other public entities between November 2021 and March 2022. They are linked to several of the highest-profile attacks of late.
Why is it noteworthy?
The ALPHV/BlackCat group’s ability to compromise systems within highly regulated industries raises concerns about the potential for severe financial and reputational damage. Unlike many other ransomware threats, ALPHV was developed in Rust, a programming language known for its fast performance and cross-platform capabilities. As a result, both Linux and Windows variants were observed throughout December 2021 and January 2022.
What is the exposure or risk?
The group uses tried-and-tested techniques to penetrate a victim’s network, such as exploiting common vulnerabilities in network infrastructure devices like VPN gateways and misusing credentials via exposed remote desktop protocol (RDP) hosts. Subsequently, the group has been observed using PowerShell to modify Windows Defender security settings throughout the victim’s network and launching the ransomware binary on multiple hosts using PsExec.
What are the recommendations?
Barracuda MSP recommends the following security measures:
- Provide security awareness training that includes browser-based attacks, such as fake advertising. These attacks are leading to ransomware intrusions and info stealers that may enable ransomware intrusions later.
- Implement attack surface reduction rules around script files such as .js and .vbs. Note: when attacks arrive inside .ISO files, the “Mark of the Web” is lost, so Attack Surface Reduction rules cannot identify those files as having come from the Internet.
- Employ comprehensive 24×7 endpoint detection and response to protect against malicious attacks. Ransomware attacks tend to progress further down the kill chain when they begin on endpoints that are out of scope for endpoint protection.
- Employ logging to ensure you are capturing telemetry – especially for devices and services that don’t support an endpoint agent, including VPN, device enrollment, and server software for applications that don’t generate endpoint telemetry, like Citrix, IIS, and cloud services.
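As an added example that is not part of this advisory or of any Barracuda tooling, the Python below shows how the two behaviours described above (PowerShell tampering with Windows Defender settings and PsExec launching a binary on multiple hosts) can be surfaced from the telemetry the logging recommendation asks you to collect. The log lines and their pipe-delimited "host|event_id|message" layout are constructed for illustration; the event IDs (4104 PowerShell script block, 7045 service install), the Set-MpPreference/Add-MpPreference cmdlets and the PSEXESVC service name are the real Windows artifacts.

```python
import re
from dataclasses import dataclass

# Constructed sample telemetry (not real logs), flattened to
# "host|event_id|message". 4104 = PowerShell script block logging,
# 7045 = a new service was installed (System log).
SAMPLE_LOGS = [
    "WS01|4104|Set-MpPreference -DisableRealtimeMonitoring $true",
    "WS01|4104|Add-MpPreference -ExclusionPath C:\\Windows\\Temp",
    "SRV02|7045|Service Name: PSEXESVC  Service File Name: %SystemRoot%\\PSEXESVC.exe",
    "SRV03|7045|Service Name: PSEXESVC  Service File Name: %SystemRoot%\\PSEXESVC.exe",
    "WS04|4104|Get-MpPreference",
    "SRV05|7045|Service Name: Spooler  Service File Name: C:\\Windows\\System32\\spoolsv.exe",
]

# Defender tampering: Set-/Add-MpPreference with a -Disable* switch or an exclusion.
DEFENDER_TAMPER = re.compile(
    r"(Set|Add)-MpPreference\s+.*?-(Disable\w+|Exclusion(Path|Process|Extension))",
    re.IGNORECASE,
)
# PsExec installs a transient service named PSEXESVC on each target host.
PSEXEC_SERVICE = re.compile(r"Service Name:\s*PSEXESVC", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    host: str
    event_id: int
    rule: str


def scan(lines):
    """Return one Finding per log line that matches a detection rule."""
    findings = []
    for line in lines:
        host, event_id, message = line.split("|", 2)
        event_id = int(event_id)
        if event_id == 4104 and DEFENDER_TAMPER.search(message):
            findings.append(Finding(host, event_id, "defender_tamper"))
        elif event_id == 7045 and PSEXEC_SERVICE.search(message):
            findings.append(Finding(host, event_id, "psexec_service_install"))
    return findings


def lateral_psexec_hosts(findings, threshold=2):
    """Hosts with a PSEXESVC install; non-empty only when fan-out reaches the threshold."""
    hosts = {f.host for f in findings if f.rule == "psexec_service_install"}
    return sorted(hosts) if len(hosts) >= threshold else []


if __name__ == "__main__":
    found = scan(SAMPLE_LOGS)
    for f in found:
        print(f"{f.host}: event {f.event_id} -> {f.rule}")
    print("PsExec fan-out across:", lateral_psexec_hosts(found))
```

The single-host PSEXESVC threshold is deliberately low for the sample; in production, tune it to how often your administrators legitimately use PsExec and pair it with the Defender-tamper rule for higher-confidence alerts.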
References
For more in-depth information about the recommendations, please visit the following links:
- https://www.bleepingcomputer.com/news/security/tipalti-investigates-claims-of-data-stolen-in-ransomware-attack
- https://www.cybersecuritydive.com/news/tipalti-investigates-ransomware-supply-chain-attack/701516/
If you have any questions about this Cybersecurity Threat Advisory, please contact our Security Operations Center.