In late 2021, we observed a new ransomware operation named “ALPHV” (also known as BlackCat) emerge. The group operates as a ransomware-as-a-service (RaaS) program and, much like other ransomware groups active today, it practices the double-extortion method, threatening to publish victims’ data on its data-leak website in addition to encrypting their systems. What makes ALPHV unique is that the ransomware was written in the Rust programming language, making it the first ransomware group to successfully develop and use Rust-based ransomware. Since ALPHV was released, the group has posted close to 100 victims to its data-leak site, and it remains highly active at the time of writing.
Over the past month, Digital Shadows (now ReliaQuest) has been closely monitoring ALPHV, due to the uniqueness of the group and its recent burst in activity: it posted more than 30 organizations to its data-leak site over the past month. In this blog, we will cover the ALPHV affiliate program, explain how ALPHV operates, and recount the history of the group.
One of the first public appearances of ALPHV occurred on the RAMP cybercriminal forum on 09 Dec 2021, where a representative of the group promoted the ALPHV RaaS program and attempted to recruit affiliates. In this post, ALPHV operators advertised the new “ALPHV-ng (New Generation)” RaaS partner program, which they described as the next generation of ransomware. The ransomware had been written from scratch and had many features, including:
The representative also claimed that ALPHV had fixed gaps that other ransomware variants like “LockBit”, “REvil”, and “Conti” had not accounted for. They also alluded to their method for moving money with cryptocurrency, claiming that they have a “built-in mixer” that provides a break in tracking blockchain transactions.
The representative also stated that the group would not tolerate inactivity: any affiliates who did not perform any activity for two weeks would have their accounts frozen and subsequently deleted. In addition, targeting of countries in the Commonwealth of Independent States (CIS) region was strictly prohibited, and the prohibition also extended to China, Taiwan, Hong Kong, and Turkey.
The payout rate for affiliates was described to be “dynamic” and “depend on the amount of a single payment from each company”:
ALPHV has continued its recruiting efforts since then, posting in December 2021 in search of “experienced pentesters, of the level you haven’t seen before” and in March 2022 in search of initial access brokers (IABs). The group’s primary channel for communication and recruiting has remained the RAMP cybercriminal forum, a Russian-language forum focused on ransomware.
The affiliate program received positive feedback from users on RAMP. Digital Shadows (now ReliaQuest) observed many users on RAMP speaking highly about the professionalism of the group and effectiveness of its tools. For example, one user stated that ALPHV ransomware was a “very quality, comfortable, and quick software” and “the best” partner program they have ever worked with. However, other users were more skeptical and warned that ALPHV was not a partner program for beginners.
ALPHV’s ransomware is written in the Rust programming language, which is considered to be one of the more secure programming languages. Most ransomware groups use ransomware written in JavaScript or C++. ALPHV’s use of Rust-based ransomware is likely pragmatic—it enables ALPHV to increase its defense-evasion capabilities, avoid code similarities with other ransomware operations, and improve its performance.
ALPHV likely uses multiple techniques to gain initial access to its targets. As the RaaS program relies on affiliates to distribute its ransomware, these techniques are expected to differ from affiliate to affiliate. Common initial access vectors include the exploitation of common vulnerabilities and the use of compromised credentials. It is also likely that ALPHV affiliates use access to compromised networks provided by initial access brokers to gain a foothold in victims’ environments.
The FBI stated that ALPHV has been known to leverage compromised user credentials to gain initial access and, once it had established that access, to compromise Active Directory user and admin accounts. The malware then used Windows Task Scheduler to deploy the ALPHV ransomware via malicious Group Policy Objects (GPOs). ALPHV leveraged PowerShell scripts and Cobalt Strike in its initial deployment, and it also leveraged Windows admin tools and Sysinternals during compromise.
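As an added illustration, not taken from the original post or from any ReliaQuest tooling, the Python sketch below shows how a defender might correlate the two deployment steps just described: a Group Policy change followed shortly by scheduled-task creation that launches hidden or encoded PowerShell. The event IDs used (5136 for a modified directory object, 4698 for a created scheduled task) are real Windows Security event IDs; the record layout, field names and the log entries themselves are constructed assumptions.

```python
"""Correlate GPO modifications with suspicious scheduled-task creation.
Added example; the event records below are constructed, not real telemetry."""
import re
from datetime import datetime, timedelta

# Constructed, simplified Windows Security events (one dict per record).
# 5136 = directory service object modified (here a GPO), 4698 = task created.
EVENTS = [
    {"time": "2022-03-01T02:10:00", "id": 5136, "host": "DC01",
     "object": "CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=corp,DC=local"},
    {"time": "2022-03-01T02:14:30", "id": 4698, "host": "WS-042", "user": "CORP\\svc_admin",
     "task": "\\Microsoft\\Windows\\Update\\Sync",
     "command": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "args": "-nop -w hidden -enc SQBFAFgA..."},          # constructed payload stub
    {"time": "2022-03-01T09:00:00", "id": 4698, "host": "WS-007", "user": "CORP\\jdoe",
     "task": "\\Backup\\Nightly",
     "command": "C:\\Program Files\\Backup\\backup.exe", "args": "--full"},
]

# PowerShell flags commonly seen when a task is used purely as a launcher.
SUSPICIOUS_ARGS = re.compile(
    r"(?i)(-e(nc|ncodedcommand)?\b|-nop\b|-w(indowstyle)? hidden|downloadstring|iex\b)")
GPO_WINDOW = timedelta(hours=1)  # assumed correlation window after a GPO change

def _ts(e):
    return datetime.fromisoformat(e["time"])

def suspicious_task(e):
    """A 4698 record is suspicious when the task launches PowerShell with
    hidden/encoded flags or runs a binary straight out of SYSVOL/NETLOGON."""
    if e["id"] != 4698:
        return False
    cmd = e.get("command", "").lower()
    from_sysvol = "\\sysvol\\" in cmd or "\\netlogon\\" in cmd
    ps_abuse = cmd.endswith("powershell.exe") and bool(SUSPICIOUS_ARGS.search(e.get("args", "")))
    return from_sysvol or ps_abuse

def gpo_linked_tasks(events, window=GPO_WINDOW):
    """Return (host, task) pairs for suspicious task creations that follow a GPO
    modification within `window`, matching the GPO-driven deployment pattern."""
    gpo_times = [_ts(e) for e in events if e["id"] == 5136]
    hits = []
    for e in events:
        if suspicious_task(e):
            t = _ts(e)
            if any(0 <= (t - g).total_seconds() <= window.total_seconds() for g in gpo_times):
                hits.append((e["host"], e["task"]))
    return hits

if __name__ == "__main__":
    for host, task in gpo_linked_tasks(EVENTS):
        print(f"ALERT {host}: scheduled task {task} created shortly after a GPO change")
```

Only the encoded-PowerShell task on WS-042 is reported; the legitimate backup task on WS-007 falls outside both the argument pattern and the correlation window.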
ALPHV has also been observed using various additional evasion techniques to disable system defenses that may cause issues for the encryption process. To maintain persistent access in a victim’s environment, ALPHV carefully avoids shutting down critical processes and application folders.
ALPHV affiliates conducted reconnaissance within the compromised networks, identifying sensitive data for exfiltration and high-value systems to encrypt. The ransomware then attempted to exfiltrate the victim’s information, including data stored with cloud providers, prior to encrypting data.
Following successful exfiltration and encryption of files and data, ALPHV leaves a customized ransom note behind (see Figure 1). The note details the amount and type of stolen data, instructions to contact the ransomware group and recover the data, and a URL for its data-leak website, where stolen files will be released if ransom demands are not met.
ALPHV has been associated with two other ransomware groups: DarkSide and BlackMatter. Design overlaps between ALPHV and DarkSide have prompted rumors that ALPHV was a rebrand of DarkSide following the latter’s high-profile attack on the Colonial Pipeline. On underground cybercriminal forums, the representative of the “LockBit” ransomware also initiated threads to state that ALPHV was a rebrand of DarkSide and BlackMatter RaaS programs.
While ALPHV has denied being a rebrand of DarkSide or BlackMatter, developers and money launderers from ALPHV are linked to DarkSide/BlackMatter, according to the FBI. Therefore, while ALPHV may not be a rebrand, it is likely that the group recruited many members from these now-inactive ransomware gangs.
Links between ALPHV and other ransomware groups cannot be ascertained from the code itself. As ALPHV is written in Rust, it is unlikely to share code similarities with other ransomware families written in other programming languages.
ALPHV had a strong start to its operations. In Q1 2022, Digital Shadows (now ReliaQuest) observed 582 organizations falling victim to ransomware double-extortion attacks. ALPHV accounted for 10.6% of all incidents during the quarter, making it one of the top 5 most active gangs during the quarter. If ALPHV continues this level of activity, it is likely that the group will become a big name in the ransomware threat landscape, like Conti, LockBit, and REvil.
Digital Shadows (now ReliaQuest) monitors ransomware groups like ALPHV on a daily basis, providing indicators of compromise (IoCs), a daily feed of victims, techniques and associations with the group, and an intuitive breakdown of targeting by sectors and geographies. You can sign up for our SearchLight platform to stay up-to-date with ransomware threats like ALPHV. Digital Shadows (now ReliaQuest) monitors more than 30 active ransomware data-leak sites, and this number is expected to continue growing. Our previous blog article Tracking Ransomware Within SearchLight shows you how SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) tracks emerging variants, enables you to export and block associated malicious indicators in various formats, instantly analyze popular targets, and map to your security controls with ease.