Alphv (BlackCat) Ransomware: How to Prevent & Recover

Heloise Montini

Heloise Montini is a content writer whose background in journalism makes her an asset when researching and writing tech content. Her personal aspirations in creative writing and PC gaming also make her articles on data storage and data recovery accessible to a wide audience.

Laura Pompeu

With 10 years of experience in journalism, SEO & digital marketing, Laura Pompeu uses her skills and experience to manage (and sometimes write) content focused on technology and business strategies.

Bogdan Glushko

CEO at SalvageData Recovery, Bogdan Glushko has over 18 years of experience in high-security data recovery. Over the years, he's been able to help restore data after logical errors, physical failures, or even ransomware attacks, for individuals, businesses, and government agencies alike.


Alphv is ransomware written in the Rust programming language that encrypts the victim’s data. It is operated as Ransomware-as-a-Service (RaaS), which means that each cybercriminal group using it will apply different file extensions and rename encrypted data differently. The same goes for the ransom note, whose contents depend on the group behind the attack. The ransomware is distributed by the Russian ransomware gang BlackCat. As of March 2022, at least 60 organizations and businesses worldwide were infected by Alphv ransomware.

Prudential Insurance disclosed a February 2024 cyberattack compromising the data of 36,000 individuals, prompting an investigation into unauthorized network access. While the company engaged a cybersecurity firm and notified law enforcement, it has not confirmed if the incident involved ransomware. This breach is part of a series attributed to the AlphV ransomware gang, including a notable attack on Change Healthcare, where reports suggest a $22 million ransom payment.

Recently, the Alphv (BlackCat) ransomware gang has been embroiled in a significant exit scam. As reported by The Hacker News, after receiving the payment, ALPHV operators allegedly shut down their affiliates’ accounts. They fabricated a fake seizure notice on their leak site, marking a sophisticated attempt to deceive affiliates and authorities.

Despite claims of a law enforcement takedown, agencies like the U.S. Justice Department, Europol, and the U.K.’s National Crime Agency denied involvement. However, the US Justice Department offered 500 of the Alphv victims worldwide a free decryptor. The Department also offers a reward for any information on ALPHV BlackCat-linked cyber actors targeting U.S. critical infrastructure.

This elaborate scheme has drawn the attention of cybersecurity experts, who highlight the unprecedented use of a fake seizure notice in an exit scam. The incident underscores the evolving tactics employed by ransomware operators to evade detection and maximize illicit gains. Despite the scam’s success, experts anticipate the group’s eventual return under a new guise or brand after a temporary hiatus. As law enforcement agencies continue to investigate the incident, the case is a stark reminder of the persistent threat of ransomware and the ongoing efforts to combat cybercriminal activities in the digital landscape.

What kind of malware is Alphv?

Alphv, also known as BlackCat, is ransomware – a type of malware that encrypts and locks the victims’ files and then requests a ransom in exchange for the decryption key. It also exfiltrates victims’ data and threatens to leak it in a tactic known as double extortion.

Alphv ransomware is Ransomware-as-a-Service (RaaS) that has global affiliates. Besides the threats, the BlackCat ransomware can also lead to DDoS attacks, which will prevent users from accessing their servers by overloading them with multiple requests.

Alphv overview

You can recognize Alphv through a few symptoms and signs on your computer or network.

As soon as you realize you are a victim of a cyber attack, contact local authorities immediately.

Confirmed Name

  • ALPHV (BlackCat) virus

Threat Type

  • Ransomware
  • Crypto Virus
  • Files locker

Encrypted Files Extension

  • Depends on the variant

Ransom Demanding Message

  • GET IT BACK-[file_extension]-FILES.txt

Is There a Free Decryptor Available?

Windows Detection Names

  • Avast Win32:RansomX-gen [Ransom]
  • BitDefender Gen:Variant.Barys.331754
  • Emsisoft Gen:Variant.Barys.331754 (B)
  • Kaspersky Trojan-Ransom.Win32.BlackCat.bn
  • Microsoft Ransom:Win32/BlackCat.A
  • Sophos Mal/Blackcat-A

Linux Detection Names

  • Avast ELF:Filecoder-DP [Trj]
  • BitDefender Generic.Ransom.ESXiArgs.D.E70D3AE7
  • Sophos Linux/Ransm-U

Symptoms

  • Cannot open files stored on your computer
  • New file extensions
  • A ransom demand message on your desktop

Ransomware family, type & variant

  • ALPHV ransomware family
  • RaaS type
  • BlackCat ransomware, Alphv, AlphaVM, Noberus, Coreid, FIN7, Carbon Spider

Distribution methods

  • Infected email attachments (phishing emails)
  • Torrent websites (infected links or files)
  • Malicious ads (malvertising)

Consequences

  • Locked files
  • Stolen passwords
  • Data breach
  • DDoS

Prevention

  • Antivirus and anti-malware
  • Updated software
  • Updated operating system (OS)
  • Firewalls
  • Don’t open an email attachment from an unknown source
  • Do not download files from suspicious websites
  • Don’t click on ads unless you’re sure it’s safe
  • Only access websites from trustworthy sources

How did Alphv infect your computer

The main way BlackCat ransomware can infect your computer and network is via spam and phishing emails. Clicking on one link or downloading the malicious attachment will install the ransomware exploit kit on the machine.

Spam email campaigns are phishing email attacks where hackers use social engineering to deceive victims into clicking malicious links or attachments. After that, the exploit kit is downloaded into the machine and the threat actors can trigger ransomware at any moment. These emails can be targeted when hackers intend to access a specific business or can be non-targeted phishing when they send a mass malware spam campaign.

After that, Alphv will spread through the network servers using lateral movement. Measures such as educating employees on good practices to increase security awareness and implementing software to block malicious communications can therefore help prevent BlackCat attacks.

Alphv encryption and ransom note

The Alphv ransom note content will vary depending on the attacker group. Generally, it states that data has been stolen and encrypted, and warns that if victims do not pay the ransom, the attacker group will publish the data on the darknet (on a Tor website).

The text also instructs victims to contact the attackers using the provided websites and a personal ID.

After being hit by Alphv ransomware, you can see a letter as a text file on your desktop. This is an example of its content:

Example of BlackCat ransom note (source: Microsoft)

How does Alphv ransomware work

BlackCat ransomware is written in Rust and is very adaptable. Its operators target several industries, although their main victims are healthcare businesses, such as pharmaceutical enterprises.

They will enter your network via unpatched Exchange servers and compromised credentials. After that, the ransomware will follow 4 steps during the encryption and data leak:

  • Discovery
  • Lateral movement
  • Collection and exfiltration
  • Encryption and ransom

1. Discovery

Cyber attackers will explore the system’s vulnerabilities to gain access to the environment. Then, Alphv ransomware operators use discovery commands to learn about the organization they compromised.

You can prevent ransomware by eliminating your system’s vulnerabilities. To do so you can keep all software updated and create cybersecurity awareness by training your team on cyber threats.

2. Lateral movement

A few days after infecting the computer and network, Alphv starts stealing credentials using techniques that prevent detection by the antivirus software.

It moves through the network via remote desktop protocol (RDP). The attackers will explore the network for days, accessing each device connected to it, gathering information, and determining what devices they could access.
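One way to look for the RDP movement described above is to flag accounts that open remote desktop sessions on unusually many hosts in a short time. The following is an added example, not part of the original article: the CSV layout, host names, account names, threshold and time window are constructed assumptions, while event ID 4624 with logon type 10 is the standard Windows record for a successful RemoteInteractive (RDP) logon.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: successful logons (Windows Security event 4624) exported as CSV.
# Logon type 10 = RemoteInteractive (RDP), type 3 = network logon. All names are made up.
SAMPLE = """time,host,event_id,logon_type,account,source_ip
2024-03-04T01:02:00,FS01,4624,10,svc_backup,10.0.5.23
2024-03-04T01:40:00,DB02,4624,10,svc_backup,10.0.5.23
2024-03-04T02:15:00,HR03,4624,10,svc_backup,10.0.5.23
2024-03-04T03:05:00,DC01,4624,10,svc_backup,10.0.5.23
2024-03-04T09:00:00,JUMP01,4624,10,alice,10.0.7.11
2024-03-04T09:05:00,WS12,4624,10,alice,10.0.7.11
2024-03-04T10:00:00,FS01,4624,3,bob,10.0.7.40
2024-03-04T10:01:00,DB02,4624,3,bob,10.0.7.40
2024-03-04T10:02:00,HR03,4624,3,bob,10.0.7.40
2024-03-04T10:03:00,DC01,4624,3,bob,10.0.7.40
2024-03-01T08:00:00,WS01,4624,10,carol,10.0.7.12
2024-03-03T08:00:00,WS02,4624,10,carol,10.0.7.12
2024-03-05T08:00:00,WS03,4624,10,carol,10.0.7.12
2024-03-07T08:00:00,WS04,4624,10,carol,10.0.7.12
"""


def rdp_fanout(csv_text, max_hosts=3, window=timedelta(hours=24)):
    """Map account -> hosts for accounts with RDP logons on more than max_hosts hosts inside window."""
    per_account = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["event_id"] == "4624" and row["logon_type"] == "10":
            per_account[row["account"]].append((datetime.fromisoformat(row["time"]), row["host"]))
    flagged = {}
    for account, events in per_account.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            hosts = {host for _, host in events[start:end + 1]}
            if len(hosts) > max_hosts:
                flagged.setdefault(account, set()).update(hosts)
    return {account: sorted(hosts) for account, hosts in flagged.items()}


if __name__ == "__main__":
    for account, hosts in rdp_fanout(SAMPLE).items():
        print(f"{account}: RDP sessions on {len(hosts)} hosts -> {', '.join(hosts)}")
```

Tune `max_hosts` and `window` against normal administrator behaviour in your own environment before alerting on the result.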

3. Collection and exfiltration

At this point, attackers will extract data such as domain settings and information, and intellectual property.

These are used for extortion, as the group threatens to leak information on intellectual property. Since they gather data over several days from many devices and folders, they collect large amounts of data that they can use for double extortion.

4. Encryption and ransom

The final step is the encryption and the ransom note. Up to this point, Alphv works for days in silence on enterprise networks, mainly using vulnerabilities caused by compromised credentials. These are a result of the remote work model that started during the pandemic.

However, you can protect your system with cybersecurity services and tools, without having to bring employees back to the office.

Prevent Alphv ransomware attacks

By making sure your network is secured, you can avoid Alphv attacks. Since BlackCat is very aggressive, you can only avoid it by adopting cybersecurity solutions. However, these measures are not flawless and the attackers can still find their way into your business’s network. That’s why having updated backups is so important: this will ensure your data safety.

1. Use updated antivirus and anti-malware and firewall

By using updated security software you can guarantee that it has the necessary data to block new forms of attacks, such as Alphv variants.

Make sure to also have a firewall to block any unauthorized access. Add blockers to emails and to your network to prevent phishing and to make sure no information is transferred outside the network.

2. Apply multi-factor authentication

You can use two-factor authentication or biometric unlock to ensure that only authorized people have access to folders, devices, or accounts.

3. Use cybersecurity solutions

Cybersecurity solutions include security software, such as antiviruses, but also measures like training employees on the importance of following cybersecurity best practices.

Internal threats are as important to prevent as external threats. An employee does not always intend to damage the business; most of the time, an unwitting mistake can lead to a ransomware attack.

4. Schedule regular backups

Keep at least three copies of your data, having at least one stored offline and off-site. This can guarantee that, even if you’re hit by a disaster, whether natural or human-made (like ransomware), your data is always safe.

Regular backups can prevent downtimes and ensure you never lose any sensitive data.

5. Have a recovery plan in hand

Despite every preventive action you take to protect your business data, a disaster can still hit it.

Make sure you have a disaster recovery plan to keep business continuity and prevent downtime, even if an Alphv (BlackCat) ransomware attack happens.

See how to create a data recovery plan with our in-depth guide.

How to recover from the Alphv attack

The first step to recover from the Alphv attack is to isolate the infected computer by disconnecting it from the internet and removing any connected device. Then, you must contact local authorities. In the case of US residents and businesses, it is the local FBI field office and the Internet Crime Complaint Center (IC3).

To report a ransomware attack you must gather all the information you can about it, including:

  • Screenshots of the ransom note
  • Communications with Alphv actors (if you have them)
  • Sample of an encrypted file

You must not delete the ransomware, and you must keep all evidence of the attack. That’s important for digital forensics so experts can trace the attack back to the hacker group and identify them. Authorities use the data on your infected system to investigate the attack and find those responsible. A cyber attack investigation is no different from any other criminal investigation: it needs evidence to find the attackers.

After isolating the device and contacting authorities, you must follow the next steps to retrieve your data:

1. Contact your Incident Response Retainer

A Cyber Incident Response is the process of responding to and managing a cybersecurity incident. An Incident Response Retainer is a service agreement with a cybersecurity provider that allows organizations to get external help with cybersecurity incidents. It provides organizations with a structured form of expertise and support through a security partner, enabling them to respond quickly and effectively in the event of a cyber incident.

An incident response retainer offers peace of mind to organizations, offering expert support before and in the aftermath of a cybersecurity incident. The specific nature and structure of an incident response retainer will vary according to the provider and the organization’s requirements. A good incident response retainer should be robust but flexible, providing proven services to enhance an organization’s long-term security posture.

2. Identify the ransomware infection

You can check which ransomware infected your machine by the file extension (some ransomware uses its name as the file extension), or by the ransom note, which will name it. With this information, you can look for a public decryption key. However, Alphv doesn’t have one yet.
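The identification step above can be scripted as a read-only scan, which also leaves the evidence untouched. The following is an added example, not part of the original article: it matches the ransom note name from the overview (`GET IT BACK-[file_extension]-FILES.txt`), assumes the bracketed part is the extension appended to encrypted files, and counts such files per directory. The extension `abc1234` and the directory names are constructed sample values.

```python
import os
import re
import tempfile
from collections import Counter

# Ransom note name from the overview: GET IT BACK-[file_extension]-FILES.txt
NOTE_RE = re.compile(r"^GET IT BACK-(?P<ext>[A-Za-z0-9]+)-FILES\.txt$", re.IGNORECASE)


def triage(root):
    """Walk root without modifying it; return {ext: {"notes": [paths], "encrypted": Counter(dir -> count)}}."""
    names_by_dir = {}
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        names_by_dir[dirpath] = files
        for name in files:
            match = NOTE_RE.match(name)
            if match:
                ext = match.group("ext").lower()
                entry = findings.setdefault(ext, {"notes": [], "encrypted": Counter()})
                entry["notes"].append(os.path.join(dirpath, name))
    # Second pass: count files that carry an extension recovered from a note.
    for ext, entry in findings.items():
        suffix = "." + ext
        for dirpath, files in names_by_dir.items():
            count = sum(1 for f in files if f.lower().endswith(suffix))
            if count:
                entry["encrypted"][dirpath] = count
    return findings


def build_sample(root):
    """Create a constructed sample tree: one affected directory and one clean directory."""
    hit = os.path.join(root, "finance")
    clean = os.path.join(root, "public")
    os.makedirs(hit)
    os.makedirs(clean)
    for name in ("q1.xlsx.abc1234", "q2.xlsx.abc1234", "GET IT BACK-abc1234-FILES.txt"):
        open(os.path.join(hit, name), "w").close()
    open(os.path.join(clean, "readme.txt"), "w").close()
    return hit


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for ext, entry in triage(tmp).items():
            print(ext, len(entry["notes"]), "note(s)", dict(entry["encrypted"]))
```

Run it against a mounted copy or image of the affected volume where possible, and attach the output to the report for the authorities and your incident response provider.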

3. Remove the ransomware and eliminate exploit kits

Before recovering your data, you must guarantee that your device is ransomware-free and that the attackers can’t make a new attack through exploit kits or other vulnerabilities. A ransomware removal service can delete the ransomware, create a forensics document for investigation, eliminate vulnerabilities, and recover your data.

4. Use a backup to restore the data

Backups are the most efficient way to recover data. Make sure to keep daily or weekly backups, depending on your data usage.

5. Contact a ransomware recovery service

If you don’t have a backup or need help removing the ransomware and eliminating vulnerabilities, you should contact a data recovery service.

Do not pay the ransom. Paying the ransom has serious consequences such as sanctions, besides having the ethical issue of financing criminal activity. Contact responsible authorities (in the US it will be the FBI) and then work with a ransomware data recovery service.

SalvageData experts can safely restore your files and guarantee Alphv ransomware does not attack your network again. Contact our experts 24/7 for emergency recovery service or find a recovery center near you.
