TTPs for Alphv
Initial Access (TA0001)
  Valid Accounts (T1078): In some attacks, threat actors utilized ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).
  External Remote Services (T1133): As an initial attack vector, insecure RDP and VPNs were exploited.
  Exploit Public-Facing Application (T1190): BlackCat affiliates may purchase access to victims' network infrastructure on underground forums.

Execution (TA0002)
  Native API (T1106): BlackCat uses native API.
  Scheduled Task/Job (T1053): When deploying ransomware on the victim's network infrastructure, BlackCat affiliates may leverage group policies, resulting in the creation of a scheduled task (on each host) that initiates the ransomware.
  Command and Scripting Interpreter: Windows Command Shell (T1059.003): LockBit affiliates use batch scripts to execute malicious commands.
  Command and Scripting Interpreter: PowerShell (T1059.001): To disrupt IIS, delete volume shadow copies, disable recovery, clear Windows event logs, etc., BlackCat ransomware uses the command shell to execute the appropriate commands.
  System Services: Service Execution (T1569.002): BlackCat ransomware for Windows can self-propagate on the local network using the legitimate PsExec utility (contained within its body), which creates a temporary system service.
  Windows Management Instrumentation (T1072): Adversaries may use wmic to gather information and execute various commands, including deleting volume shadow copies. They may also use Impacket's wmiexec module to execute commands and move laterally across the network.

Persistence (TA0003)
  Valid Accounts (T1078): Legitimate accounts obtained by adversaries may be used to ensure persistence in the compromised infrastructure.
  Server Software Component (T1547): Successful exploitation of ProxyShell vulnerabilities allowed adversaries to place a web shell on a vulnerable Microsoft Exchange server.

Privilege Escalation (TA0004)
  Access Token Manipulation: Create Process with Token (T1134.002): To escalate privileges, BlackCat ransomware may initiate its process using stolen authentication data and the CreateProcessWithLogonW function.
  Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002): To bypass UAC, BlackCat ransomware may elevate privileges using the ICMLuaUtil COM interface, as well as utilize the Masquerade PEB method.
  Valid Accounts (T1078): To escalate privileges, BlackCat may use stolen legitimate accounts specified in its configuration data.

Defense Evasion (TA0005)
  Obfuscated Files or Information (T1027): BlackCat ransomware uses obfuscation.
  Impair Defenses: Disable or Modify Tools (T1562.001): To avoid detection, adversaries terminate processes and services related to security software and antivirus.
  Indicator Removal: Clear Windows Event Logs (T1070.001): Using wevtutil, BlackCat can clear all Windows event logs on a compromised host.
  Deobfuscate/Decode Files or Information (T1140): BlackCat decrypts its configuration data, and also decrypts and unpacks the legitimate PsExec utility and an additional BAT file contained within the ransomware body.
  Virtualization/Sandbox Evasion (T1497): For anti-analysis (including in a sandbox), ALPHV MORPH checks the value of the access-token command-line parameter. Its value must contain the correct first 16 characters used to decrypt BlackCat's configuration data.
  Masquerading (T1036): Adversaries rename the SoftPerfect Network Scanner executable to svchost.exe.
  Modify Registry (T1112): To propagate, BlackCat uses PsExec to modify the MaxMpxCt system registry parameter to increase the number of failed network requests for each client.

Credential Access (TA0006)
  Credentials from Password Stores (T1555): Adversaries may use NirSoft utilities to extract authentication data from web browsers and other storage locations.
  Unsecured Credentials (T1552): Adversaries may use NirSoft utilities to obtain authentication data from the registry and files.
  OS Credential Dumping: LSASS Memory (T1003.001): Adversaries may dump the LSASS process to obtain authentication data using legitimate tools (procdump, comsvcs.dll).

Exfiltration (TA0010)
  Exfiltration Over C2 Channel (T1041): When using Cobalt Strike, attackers can send collected information through the Cobalt Strike server communication channels.
  Automated Exfiltration (T1020): After access is obtained, files from target hosts are automatically uploaded to the legitimate cloud storage service MEGA using the Rclone utility.
  Data Transfer Size Limits (T1030): To avoid exceeding data size limits and triggering security controls, stolen data may be sent in fixed-size blocks.
  Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol (T1048.002): Attackers may use the ExMatter exfiltration tool, which sends stolen data to the SFTP and WebDAV resources specified in the ExMatter configuration.
  Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002): Attackers use the Rclone sync utility to upload stolen data to the legitimate cloud storage service MEGA.

Impact (TA0040)
  Data Destruction (T1485): If credentials to access a victim's chat leak, BlackCat affiliates can delete encryption keys, rendering file decryption impossible.
  Data Encrypted for Impact (T1486): BlackCat encrypts the content of files on the local system as well as on available network resources.
  Service Stop (T1489): BlackCat stops security, backup, database, email, and other services specified in its configuration.
  Inhibit System Recovery (T1490): BlackCat deletes Windows volume shadow copies using vssadmin and wmic, disables recovery in the Windows boot menu using bcdedit, and empties the Recycle Bin. BlackCat can stop backup services and destroy virtual machine snapshots.
  Network Denial of Service (T1498): If the victim refuses to pay the ransom, BlackCat may conduct DDoS attacks against the victim's infrastructure.
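Several of the techniques above (shadow-copy deletion and recovery disabling via vssadmin, wmic and bcdedit; event-log clearing with wevtutil; a renamed scanner running as svchost.exe; Rclone uploads to MEGA; the MaxMpxCt registry change) leave host telemetry that a defender can match on. The following is an added example, not code from Ransomware.live or Crocodyli: a small rule set run over constructed, Sysmon-like process-creation and registry-set records. The event dict layout (`type`, `image`, `cmd`, `parent`, `target`) is an assumption standing in for whatever EDR or Sysmon schema is in use, and the sample events are constructed for the demonstration. The full registry path for MaxMpxCt (under LanmanServer\Parameters) is supplied here from general Windows knowledge; the page names only the value.

```python
"""Rule-based matching for BlackCat/ALPHV host artefacts listed on this page.

Added example (not from the page or the projects it cites). Event schema and
sample records below are constructed assumptions resembling Sysmon event 1
(process create) and event 13 (registry value set).
"""
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample telemetry (assumption: simplified Sysmon-like dicts).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin.exe delete shadows /all /quiet",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"type": "process", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmd": "wmic shadowcopy delete",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"type": "process", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmd": "bcdedit /set {default} recoveryenabled No",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"type": "process", "image": r"C:\Windows\System32\wevtutil.exe",
     "cmd": "wevtutil.exe cl System",
     "parent": r"C:\Windows\System32\cmd.exe"},
    # svchost.exe launched from a user-writable path by cmd.exe: the renamed
    # network scanner pattern described under Masquerading (T1036).
    {"type": "process", "image": r"C:\Users\Public\svchost.exe",
     "cmd": "svchost.exe",
     "parent": r"C:\Windows\System32\cmd.exe"},
    # Benign control: the real svchost.exe started by services.exe.
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe",
     "cmd": "svchost.exe -k netsvcs",
     "parent": r"C:\Windows\System32\services.exe"},
    {"type": "process", "image": r"C:\Temp\rclone.exe",
     "cmd": "rclone.exe copy D:\\Shares mega:staging --transfers 16",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"type": "registry",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\MaxMpxCt",
     "details": "DWORD (0x0000ffff)"},
]

# Directories from which the genuine svchost.exe is expected to run.
_SVCHOST_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def _cmd(event: Dict[str, str], pattern: str) -> bool:
    """Case-insensitive regex search over a process event's command line."""
    return event.get("type") == "process" and re.search(
        pattern, event.get("cmd", ""), re.IGNORECASE) is not None


def _suspicious_svchost(event: Dict[str, str]) -> bool:
    """svchost.exe outside its system directories or not parented by services.exe."""
    if event.get("type") != "process":
        return False
    image = event.get("image", "").lower()
    if not image.endswith("\\svchost.exe"):
        return False
    in_expected_dir = image.startswith(_SVCHOST_DIRS)
    parent_ok = event.get("parent", "").lower().endswith("\\services.exe")
    return not (in_expected_dir and parent_ok)


# (technique ID from the page, rule title, predicate)
RULES: List[Tuple[str, str, Callable[[Dict[str, str]], bool]]] = [
    ("T1490", "Shadow copies deleted via vssadmin or wmic",
     lambda e: _cmd(e, r"\bvssadmin(\.exe)?\s+delete\s+shadows")
     or _cmd(e, r"\bwmic(\.exe)?\s+shadowcopy\s+delete")),
    ("T1490", "Boot-menu recovery disabled via bcdedit",
     lambda e: _cmd(e, r"\bbcdedit(\.exe)?\b.*recoveryenabled\s+no\b")),
    ("T1070.001", "Windows event log cleared via wevtutil",
     lambda e: _cmd(e, r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b")),
    ("T1036", "svchost.exe masquerade (wrong path or parent)", _suspicious_svchost),
    ("T1567.002", "Rclone transfer to a MEGA remote",
     lambda e: _cmd(e, r"\brclone(\.exe)?\b.*\bmega\w*:")),
    ("T1112", "MaxMpxCt set under LanmanServer\\Parameters",
     lambda e: e.get("type") == "registry" and e.get("target", "").lower()
     .endswith("\\lanmanserver\\parameters\\maxmpxct")),
]


def classify_event(event: Dict[str, str]) -> List[str]:
    """Return the technique IDs whose rule matches this single event."""
    return [tid for tid, _, pred in RULES if pred(event)]


def detect(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run every rule over every event; one finding per (event, matching rule)."""
    findings: List[Dict[str, object]] = []
    for idx, event in enumerate(events):
        for tid, title, pred in RULES:
            if pred(event):
                findings.append({"index": idx, "technique": tid, "rule": title})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"event {f['index']}: {f['technique']} - {f['rule']}")
```

The benign control event (the real svchost.exe under System32 started by services.exe) produces no finding, which is the property worth testing in the masquerade rule: the page's indicator is the file name, so the rule has to key on path and parent rather than on the name alone.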

This information is provided by Crocodyli or Ransomware.live