)
One week after the FBI announced it had seized the leak site of ‘ALPHV/BlackCat’, the ransomware group announced an attack on U.S. defense contractor Ultra Intelligence & Communication. In the same time frame, Cybersixgill observed discussions about ALPHV forming a cartel with ransomware powerhouse ‘LockBit.’
THE HEADLINE
On December 27, 2023, the ALPHV/BlackCat ransomware gang announced a major attack on Ultra Intelligence & Communications (Ultra), a U.S. Department of Defense (DOD) contractor involved in projects related to the digital battlespace. While Ultra did not immediately publicly respond to the attack, ALPHV provided on its dedicated leak site (DLS) a lengthy description of the data it allegedly stole, including sample documents.
Ultra was one of 15 victims added to ALPHV’s DLS following a major announcement from the U.S. Department of Justice (DOJ) on December 19, 2023. According to the DOJ, the FBI successfully disrupted the operations of ALPHV, which has attacked over 1,000 victims. In addition to developing a decryption tool that allowed 500 ALPHV victims to restore encrypted systems, the FBI also accessed ALPHV's backend panel via an informant and took control of the domains for ALPHV’s DLS, adding a seizure banner announcing the operation.
ALPHV "unseized" the leak site just hours later, however, since both the gang and the FBI now possess the leak site's private keys for the gang’s DLS, negotiation sites, and panel. Subsequently, ALPHV announced that it moved its servers and leak site, which appears to be currently fully operational.
In light of the FBI’s announcement, ALPHV’s future remains uncertain. While the RaaS gang appears to be posting victims without interruption, the new DLS could be a honeypot designed to perform surveillance on visitors in order to catch additional threat actors or collect intelligence.
DIVING DEEPER
With regard to the attack itself, ALPHV claimed it breached Ultra’s network and stole about 30G of data, alluding to persistence prior to detection. This claim is designed to cast aspersions on Ultra’s security practices and imply that the defense contractor failed to detect the presence of intruders on its system for a significant period of time. Such claims could be detrimental for a defense contractor who provides security and intelligence services to entities such as the DOD. Predictably, ALPHV shamed Ultra for these purported shortcomings, a common tactic for the RaaS operation.
ALPHV also made wide-ranging claims with regard to the number of organizations affected by the leak. Among the data that ALPHV allegedly stole was information related to Ultra’s revenues and gross margins, cashflow, bank statements, financial data, credit card statements, accounts payable/receivable statements, project data, and engineering data.
Cybersixgill also observed chatter on the underground related to the formation of a ransomware cartel. The idea was floated by both ALPHV and RaaS powerhouse LockBit on a popular forum. The idea was initially proposed by LockBit spokesperson LockBitSupp, who claimed a cartel was necessary to counteract alliances formed by law enforcement agencies from across the world. According to LockBitSupp, groups like ALPHV and LockBitSupp “must stick together so that [they] are not extinguished one by one.”
TAKEAWAYS
While ALPHV has continued to evolve as an innovative ransomware operation for several years, its fate remains uncertain in light of recent law enforcement operations targeting the group. Whether or not a LockBit alliance can assist ALPHV in remaining one step ahead of the authorities remains to be seen. If past attempts at such cartels are any indication, long lasting alliances among threat actors remain an elusive goal for cybercriminals.
With the threat posed by ransomware gangs, all organizations should implement robust security standards on their corporate environments to safeguard against attacks. This includes multi-factor authentication (MFA) processes to add another layer of security, making it more difficult for cybercriminals to access corporate devices and accounts.
Organizations should also instruct employees not to click suspicious links or attachments and implement regular security training to raise employees’ awareness so that social engineering attacks can be thwarted. Finally, organizations should evaluate risks of all third-party vendors, contractors and partners that manage data by monitoring their assets on the Cybersixgill Investigative Portal for a more proactive detection approach.
)
)
)
)