
Unravelling AlphV (BlackCat) Ransomware - A Comprehensive Analysis

Published 5 April 2023

Introduction

In recent times, ransomware attacks have become one of the most significant threats to cybersecurity. As part of our continuous commitment to monitoring and mitigating these threats, the Bridewell CTI team closely follows the work of other security researchers in the industry. Recently, our team came across an insightful report published by Mandiant on the AlphV ransomware. Impressed by their findings, we decided to conduct a further analysis of the infrastructure behind the ransomware to provide our audience with a wider range of indicators.

Mandiant's AlphV Ransomware Report

Mandiant's report (which you can find here) dives into the details of the AlphV ransomware targeting old vulnerabilities for initial access. The report highlights the ransomware's tactics, techniques, and procedures (TTPs), as well as some of the unique features that set it apart from other ransomware strains.

Building on Mandiant's Findings

At Bridewell CTI, we were intrigued by Mandiant's research and felt there was more to uncover about the infrastructure behind the AlphV ransomware. Our team conducted an in-depth analysis, focusing on the domains utilised, the deployment of Meterpreter and Metasploit, and the command and control (C2) servers.

Key Findings

Domains Utilised

We identified a number of domains associated with the AlphV ransomware campaign. These domains are often used for hosting the malware payloads and facilitating communication between the infected systems and the attackers. By mapping these domains, we were able to provide valuable insight into the infrastructure supporting the ransomware.

Based on the additional analysis conducted by Bridewell, 29 new domains linked to AlphV have been identified. The group has taken additional Operational Security (OpSec) measures to hide the backend infrastructure linked to these domains. When analysing them, we can see that the DNS records point to Cloudflare:

Figure 1. VT result from C2 domain pointing to Cloudflare

However, pivoting from a server provided in the Mandiant report, we can identify the backend infrastructure, exclusively hosted on the UAB Cherry Servers ISP. Below is the matching domain with the backend server: 

Figure 2. Shodan result for C2 server

Bridewell has identified a number of these IPs as being associated with the IcedID malware, which is deployed by several Initial Access Brokers and by threat actors such as those deploying Emotet and using IcedID as a follow-on payload:

Figure 3. IP linked to IcedID

Interesting observations made by Bridewell

In September 2022, public reports by security researchers identified that the AlphV and Quantum ransomware groups were utilising Emotet infections to deploy their payloads.

Additionally, in November 2022, Proofpoint released a report highlighting that Emotet was pushing a new variant of IcedID, called IcedID Lite, which focuses solely on facilitating ransomware groups (the banking and host collection functionality has been removed).

Based on this reporting and information gathered during our research, it is assessed by Bridewell that the AlphV ransomware group are likely purchasing initial access gained by IcedID deployed via Emotet or Initial Access Brokers to initiate their intrusions.

Meterpreter and Metasploit Deployment

Our analysis revealed that the threat actors behind the AlphV ransomware leveraged the Meterpreter and Metasploit frameworks for compromising victim systems. These powerful tools provide the attackers with a wide range of capabilities, allowing them to efficiently maintain control over the infected machines and carry out their malicious activities.

Pivoting from the Mandiant report, Bridewell were able to identify additional infrastructure linked to AlphV. Taking the IP 45.61.138[.]109, Bridewell leveraged Shodan's historical records to identify a previously open port, 8080, which presented a fingerprint known to Bridewell to be associated with Meterpreter.

Figure 4. IOC from Mandiant Report with historical fingerprint for Meterpreter

Based on this fingerprint, Bridewell identified 99 Meterpreter C2 results in Shodan for currently active servers in the wild:

Figure 5. Global distribution of Metasploit C2 and hosting providers

Mitigating the AlphV Ransomware

Based on our research and Mandiant's findings, we recommend the following steps to help protect against the AlphV ransomware:

  1. Action the identified Indicators of Compromise (IoCs), such as malicious domains and IP addresses, to prevent communication with the attackers' infrastructure.
  2. Maintain regular backups of critical data and ensure that they are stored offline.
  3. Keep all software up-to-date and apply security patches promptly.
  4. Implement a robust incident response plan to minimise damage in case of a breach.
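Actioning the IoCs (step 1) means turning the defanged "[.]" values in Annex A back into a form that can be matched against DNS and proxy logs. The Python below is an added illustration, not code from the Bridewell post: it refangs a small constructed indicator list (the host quoted above plus two placeholder entries, not the annex values), splits it into exact IPs, CIDR ranges and domains, and checks constructed log lines against it; the function names `refang`, `load_iocs`, `match_line` and `scan` are assumptions of this example.

```python
import ipaddress
import re

# Defanged "[.]" indicators as in Annex A; constructed placeholders for the demo.
DEFANGED_IOCS = [
    "45.61.138[.]109",          # the Meterpreter host quoted in the report
    "5[.]199[.]0[.]0/16",       # constructed CIDR entry to show range matching
    "example-c2-domain[.]com",  # constructed domain placeholder
]
# Octet-validating IPv4 regex, so ip_address() below never sees "256.1.1.1".
IP_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b")

def refang(value):  # "[.]" -> ".", "hxxp" -> "http", normalise case
    return value.replace("[.]", ".").replace("hxxp", "http").strip().lower()

def load_iocs(defanged):
    """Split a mixed IoC list into exact IPs, CIDR networks and domains."""
    ips, nets, domains = set(), [], set()
    for raw in defanged:
        value = refang(raw)
        try:
            if "/" in value:
                nets.append(ipaddress.ip_network(value, strict=False))
            else:
                ips.add(str(ipaddress.ip_address(value)))
        except ValueError:
            domains.add(value)  # not an address, so treat it as a domain
    return ips, nets, domains

def match_line(line, ips, nets, domains):
    """Return the indicators one log line touches (empty list means clean)."""
    hits, text = [], line.lower()
    for ip in IP_RE.findall(text):
        if ip in ips:
            hits.append(ip)
        else:  # exact miss: check whether it falls inside a listed range
            addr = ipaddress.ip_address(ip)
            hits.extend(str(n) for n in nets if addr in n)
    for dom in DOMAIN_RE.findall(text):  # domains and their subdomains
        if dom in domains or any(dom.endswith("." + d) for d in domains):
            hits.append(dom)
    return hits

def scan(lines, defanged=DEFANGED_IOCS):
    ips, nets, domains = load_iocs(defanged)  # build the lookup sets once
    return [(l, h) for l in lines if (h := match_line(l, ips, nets, domains))]

# Constructed sample log lines: one DNS query and two proxy CONNECT events.
SAMPLE_LOGS = [
    "2023-04-05T10:00:01Z dns query host=ws12 qname=example-c2-domain.com",
    "2023-04-05T10:00:02Z proxy CONNECT dst=5.199.200.7:443 src=10.1.2.3",
    "2023-04-05T10:00:03Z proxy CONNECT dst=8.8.8.8:443 src=10.1.2.3",
]
```

Running `scan(SAMPLE_LOGS)` flags the first two lines (domain hit and CIDR hit) and leaves the third alone; swap `DEFANGED_IOCS` for the annex lists to use it for real.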

Conclusion

The AlphV ransomware is a sophisticated and potent threat that can have devastating consequences for its victims. By building on Mandiant's findings, Bridewell CTI's analysis provides a more comprehensive understanding of the infrastructure behind this malware. We hope that our research will help organisations take proactive measures to protect themselves from such threats and contribute to the broader cybersecurity community's efforts in combating ransomware.

Annex A

C2 Domains:


Cherry Server IPs:


Generic Meterpreter IPs:



Authors

Joshua Penny

Senior Threat Intelligence Analyst

Christopher Duggan

Head of Cyber Threat Intelligence Analyst