The developer or developers behind the ransomware-as-a-service (RaaS) operation known as ALPHV, BlackCat and Noberus have worked hard to refine their tactics, techniques and procedures (TTPs), and the operation is today probably more dangerous than ever, according to intelligence from Symantec.
The ALPHV/BlackCat/Noberus operation – tracked by Symantec as Coreid (also known as FIN7 and Carbon Spider) – is a long-established and major player in the broader family of Russian-linked or Russian-based ransomware crews and affiliates, many of which are linked through a murky and often difficult-to-decipher web of alliances and interconnections.
The group is known to date back at least a decade, to when it established the use of a malware called Carbanak, but these days it is better known for its ransomware operation, with alleged ties to the BlackMatter group, which itself was inspired by the DarkSide operation that hit Colonial Pipeline and, through them, possibly REvil.
ALPHV/BlackCat/Noberus ransomware gained notoriety in early 2022 with a series of audacious attacks targeting fuel logistics and transportation service operators in Europe and educational institutions in the US.
The malware itself is written in Rust, one of a group of cross-platform languages that RaaS operators increasingly value for their flexibility and their ability to quickly and easily target both Windows and Linux environments.
Now, Symantec says it has observed a series of major updates to the ransomware and to Coreid's general modus operandi.
“Continuous updating and refinement of Noberus operations shows that Coreid is constantly adapting its ransomware operation to ensure it remains as effective as possible,” the Symantec team wrote.
“The FBI issued a warning in April 2022 saying that between November 2021 and March 2022, at least 60 organizations worldwide had been compromised with Noberus ransomware; the number of victims is now likely to be many multiples of that.”
A new update, released in June 2022, included an ARM build for encrypting non-standard architectures and introduced a feature that adds new encryption functionality to its Windows build by rebooting into safe mode and safe mode with networking.
It also updated the locker itself, adding new restart logic and simplifying the Linux encryption process. A further update in July added indexing of stolen data, making the group's data leak websites searchable by parameters including keywords and file types.
But the group did not stop there. In August, Symantec says it observed an updated version of the Exmatter data exfiltration tool being used in conjunction with ALPHV/BlackCat/Noberus in attacks. Exmatter, which has previously been seen used alongside BlackMatter ransomware, is designed to steal specific file types from selected directories and upload them to the attacker's server before the ransomware is deployed.
As of this summer, Exmatter includes improvements to the types of files it steals, the addition of File Transfer Protocol (FTP) capability alongside SFTP and WebDAV, the ability to create reports listing the files processed, the ability to corrupt processed files and a self-destruct option, among other things. It has also been extensively rewritten, possibly in an attempt to evade detection.
An ALPHV/BlackCat/Noberus affiliate has also been observed using the Eamfo information stealer to target credentials stored by Veeam backup software; it does this by connecting to the Veeam SQL database and running a specific query. Eamfo may also have been used by LockBit and Yanluowang.
Targeting Veeam for credential theft is an established technique that is useful from an attacker's standpoint because it enables privilege escalation and lateral movement, and so provides further access to data to steal and encrypt.
“There is no question that Coreid is one of the most dangerous and active ransomware developers operating right now,” the Symantec team wrote.
“The group has been around since 2012 and became known for using its Carbanak malware to steal money from organizations around the world, with the banking, hospitality and retail sectors among its preferred targets. Three members of the group were arrested in 2018, and in 2020 the group changed its tactics and launched its ransomware-as-a-service operation.
“The continued development of its ransomware and affiliate programs indicates that this sophisticated and well-resourced attacker has little intention of going anywhere anytime soon,” they said.