As law enforcement agencies intensify their pursuit of the notorious 'ALPHV/BlackCat' ransomware collective, the group has launched a formidable attack against VF Corporation, a leading name in the American apparel industry. Details of the breach were revealed in recent regulatory disclosures by VF Corporation, which confirmed the compromise of personal information pertaining to tens of millions of individuals.
Behind the Headlines
VF Corporation (VF), the manufacturer of popular brands such as The North Face, Vans and Timberland, recently confirmed a breach that occurred in December 2023. VF's filing with the Securities and Exchange Commission (SEC) regarding the data breach stated that the incident had a material impact on the company's business operations. It said the hackers disrupted VF's operations by encrypting some of its IT systems, implying a ransomware attack. However, the filing did not explicitly confirm that it was a ransomware attack or name the ransomware gang involved.
The ALPHV ransomware gang, a Russia-linked group known for its ransomware-as-a-service (RaaS) model, has since claimed responsibility, posting about it on their dark web blog. The gang typically employs a double extortion tactic where sensitive data is stolen before encryption, with threats to release the data unless a ransom is paid.
The breach forced VF to shut down parts of its IT infrastructure, causing delays to inventory replenishment, shipments and order fulfillment. The company's e-commerce sites were also affected, leading to a slowdown in demand and some customers canceling orders. The attack resulted in the exposure of personal information belonging to approximately 35.5 million individual consumers.
VF responded to the breach by taking immediate action to mitigate the impact and restore its IT systems, and it turned to the FBI for support. While there were minor residual impacts from the cyber incident, VF indicated that it was actively working to address these issues. It also acknowledged the operational disruptions and delays in fulfilling orders caused by the breach. However, the company stated that it had caught up on fulfilling the delayed orders, indicating its commitment to minimizing the impact on its customers and business operations.
ALPHV criticized VF for involving law enforcement, particularly the FBI, mentioning in a post that VF tried to obtain a decryptor from law enforcement to combat ALPHV's malware. The release of a decryptor for ALPHV's ransomware nullified some of the efforts to extort victims and demonstrated that the gang is not invincible. However, it is unclear if VF was able to benefit from the decryptor or if their files remain encrypted.
The net closes in on ALPHV
The U.S. Department of Justice (DOJ), in collaboration with the FBI, Europol, and other international partners from Denmark, Germany, the UK, the Netherlands, Australia, Spain, and Austria, recently launched a successful and significant operation against the ALPHV ransomware group. ALPHV's operations were infiltrated through a confidential human source who became an affiliate of the ransomware operation. This inside access allowed the FBI to seize control of the operation's websites and associated URLs, significantly disrupting its activities.
During their investigation, the FBI obtained 946 private and public key pairs associated with ALPHV's Tor negotiation sites, data leak sites and management panel. These keys were saved to a USB flash drive and stored in Florida. The DOJ estimated that ALPHV had extorted around $300 million from approximately 1,000 victims.
The FBI created a decryption tool that was distributed to over 500 victims across the globe, enabling them to recover their data without paying the ransom. This effort saved victims approximately $68 million in total ransom demands. The operation has been a significant blow to ALPHV, disrupting its ability to conduct attacks and undermining its credibility among affiliates; however, the group has since regained control of its operations.
LockBit attempts to capitalize on the disruption
In response to the operational security failures of ALPHV, LockBit saw an opportunity to expand its own operations. LockBit has attempted to recruit affiliates from ALPHV, offering the use of its data leak site and negotiation panel to continue their extortion efforts. This move indicates a strategic approach to seize any advantage arising from the vulnerabilities or failures of rival groups within the ransomware ecosystem. At least one victim previously listed on the ALPHV site has now been listed on the LockBit site.
This situation highlights the competitive and opportunistic nature of ransomware groups, which not only target victims for financial gain but also compete with each other for affiliates and technological infrastructure. It also illustrates a broader challenge within the cybersecurity landscape: the disruption of one ransomware group can lead to the strengthening of another. Furthermore, LockBit's approach of running efficient operations and maintaining a stringent vetting process for its affiliates underscores the organized and business-like structure of these cybercriminal operations.
As ransomware groups adapt and evolve their tactics, the cybersecurity community must remain vigilant and proactive in developing and implementing strategies to protect against these threats.
The complete tables of IOCs detected for the ALPHV malware can be found at the following link: