Alphv is ransomware written in the Rust programming language that encrypts the victim's data. It is offered as Ransomware-as-a-Service (RaaS), which means that each affiliate group uses its own file extension and renames encrypted files differently. The same goes for the ransom note, whose contents depend on the affiliate that carried out the attack.
The ransomware is distributed by the Russian ransomware gang BlackCat. As of March 2022, at least 60 organizations and businesses worldwide had been infected by Alphv ransomware.
What kind of malware is Alphv?
Alphv, also known as BlackCat, is ransomware: a type of malware that encrypts and locks the victim's files and then demands a ransom in exchange for the decryption key. It also exfiltrates the victim's data and threatens to leak it, a tactic known as double extortion.
Alphv ransomware is Ransomware-as-a-Service (RaaS) with affiliates worldwide. Besides the leak threat, a BlackCat attack can also involve DDoS, which overloads the victim's servers with requests so that legitimate users cannot reach them.
You can recognize Alphv by a few symptoms and signs on your computer or network.
As soon as you realize you are a victim of a cyber attack, contact local authorities immediately.
- ALPHV (BlackCat) virus
- Crypto Virus
- Files locker
Encrypted Files Extension
- Depends on the variant
Ransom Demanding Message
- GET IT BACK-[file_extension]-FILES.txt
Is There a Free Decryptor Available?
- No, there's no public decryption key for Alphv
Windows Detection Names
- Avast: Win32:RansomX-gen [Ransom]
- BitDefender: Gen:Variant.Barys.331754
- Emsisoft: Gen:Variant.Barys.331754 (B)
- Kaspersky: Trojan-Ransom.Win32.BlackCat.bn
- Microsoft: Ransom:Win32/BlackCat.A
- Sophos: Mal/Blackcat-A
Linux Detection Names
- Avast: ELF:Filecoder-DP [Trj]
- BitDefender: Generic.Ransom.ESXiArgs.D.E70D3AE7
- Sophos: Linux/Ransm-U
Symptoms
- Cannot open files stored on your computer
- New file extensions
- A ransom demand message on your desktop
Ransomware family, type & variant
- ALPHV ransomware family
- RaaS type
- BlackCat ransomware, Alphv, AlphaVM, Noberus, Coreid, FIN7, Carbon Spider
Distribution methods
- Infected email attachments (phishing emails)
- Torrent websites (infected links or files)
- Malicious ads (malvertising)
Damage
- Locked files
- Stolen passwords
- Data breach
Prevention
- Antivirus and anti-malware
- Updated software
- Updated operating system (OS)
- Don't open an email attachment from an unknown source
- Do not download files from suspicious websites
- Don't click on ads unless you're sure they are safe
- Only access websites from trustworthy sources
How did Alphv infect your computer
The main way BlackCat ransomware gets into your computer and network is via spam and phishing emails. Clicking on a single link or downloading the malicious attachment installs the ransomware exploit kit on the machine.
Spam email campaigns are phishing attacks in which hackers use social engineering to deceive victims into clicking malicious links or opening attachments. Once the exploit kit has been downloaded onto the machine, the threat actors can trigger the ransomware at any moment. These emails can be targeted, when hackers want access to a specific business, or non-targeted, when they send a mass malware spam campaign.
From there, Alphv spreads across the network's servers through lateral movement. Cybersecurity tools and practices, such as training employees to raise security awareness and deploying software that blocks malicious communications, can therefore help prevent BlackCat attacks.
Alphv encryption and ransom note
The content of the Alphv ransom note varies with the attacker group. Generally, it states that the data has been both stolen and encrypted, and warns that if the victim does not pay the ransom, the group will publish the data on the darknet (on a Tor website).
The text also instructs the victim to contact the attackers through the listed websites using a personal ID.
After being hit by Alphv ransomware, you will find the note as a text file on your desktop. This is an example of its content:
How does Alphv ransomware work
BlackCat ransomware is written in Rust and is very adaptable. Its operators target several industries, although their main victims are healthcare businesses, such as pharmaceutical companies.
They enter a network through unpatched Exchange servers and compromised credentials. The attack then follows four steps, from access through encryption and data leak:
- Initial access
- Lateral movement
- Collection and exfiltration
- Encryption and ransom
1. Initial access
Attackers exploit the system's vulnerabilities to gain access to the environment. Then, Alphv ransomware operators run discovery commands to learn about the organization they have compromised.
You can prevent ransomware by eliminating your system’s vulnerabilities. To do so you can keep all software updated and create cybersecurity awareness by training your team on cyber threats.
2. Lateral movement
A few days after infecting the computer and network, Alphv starts stealing credentials, using techniques that evade detection by antivirus software.
It moves through the network via Remote Desktop Protocol (RDP). The attackers explore the network for days, accessing each device connected to it, gathering information, and determining which devices they can reach.
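As an added illustration (not part of the original article), the following Python snippet shows the kind of check a defender can run over Windows logon events to spot the RDP fan-out pattern described above: one account reaching many hosts over RDP within a short window. Windows records a successful logon as Security event 4624, and logon type 10 (RemoteInteractive) is the RDP case; the event records, account names, host names and thresholds below are all constructed assumptions.

```python
# Added example (not from the original article): flag accounts whose RDP
# (event 4624, LogonType 10) logons reach many distinct hosts within a time
# window, the lateral-movement fan-out the article describes for Alphv.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, target host, account, logon type).
SAMPLE_EVENTS = [
    ("2024-01-10T01:02:00", "FS01", "CORP\\svc_backup", 10),
    ("2024-01-10T01:15:00", "FS02", "CORP\\svc_backup", 10),
    ("2024-01-10T01:40:00", "DC01", "CORP\\svc_backup", 10),
    ("2024-01-10T02:05:00", "HR-PC7", "CORP\\svc_backup", 10),
    ("2024-01-10T09:00:00", "FS01", "CORP\\alice", 10),
    ("2024-01-10T09:30:00", "FS01", "CORP\\alice", 3),   # network logon, not RDP
    ("2024-01-11T09:00:00", "FS02", "CORP\\alice", 10),  # next day: outside window
]

def rdp_fanout(events, max_hosts=3, window=timedelta(hours=6)):
    """Return {account: sorted hosts} for every account whose RDP logons reach
    more than max_hosts distinct hosts inside any window of length `window`.
    Thresholds are assumptions; tune them to the environment's normal admin use."""
    per_account = defaultdict(list)
    for ts, host, account, logon_type in events:
        if logon_type == 10:  # keep only RemoteInteractive (RDP) logons
            per_account[account].append((datetime.fromisoformat(ts), host))
    flagged = {}
    for account, logons in per_account.items():
        logons.sort()  # chronological, so each start only needs to look forward
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) > max_hosts:
                flagged[account] = sorted(hosts)
                break
    return flagged

if __name__ == "__main__":
    for account, hosts in rdp_fanout(SAMPLE_EVENTS).items():
        print(f"RDP fan-out by {account}: {', '.join(hosts)}")
```

A single service account touching four hosts over RDP inside an hour is the kind of signal worth an immediate look during the days-long exploration phase; the same logic applies unchanged to real 4624 exports once they are parsed into the same tuple shape.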
3. Collection and exfiltration
At this point, attackers extract data such as domain settings and information, and intellectual property.
This data is used for extortion, as the group threatens to leak the intellectual property. Because they gather data over several days from many devices and folders, they collect large amounts of data they can use for double extortion.
4. Encryption and ransom
The final step is the encryption and the ransom note. Alphv thus works silently inside enterprise networks for days, relying mainly on weaknesses created by compromised credentials. These are a consequence of the remote work model that started during the pandemic.
However, you can protect your system without sending employees back to the office by using cybersecurity services and tools.
Prevent Alphv ransomware attacks
By making sure your network is secured, you can avoid Alphv attacks. Since BlackCat is very aggressive, only proper cybersecurity measures can keep it out. However, these measures are not flawless, and the attackers may still find their way into your business's network. That is why keeping up-to-date backups is so important: it ensures your data stays safe.
1. Use updated antivirus, anti-malware and firewall
By keeping your security software updated, you ensure it has the signatures and data needed to block new forms of attack, such as Alphv variants.
Also make sure you have a firewall to block unauthorized access. Add filters to your email and your network to stop phishing and to control what information is transferred outside the network.
2. Apply multi-factor authentication
You can use two-factor authentication or biometric unlock to ensure that only authorized people have access to folders, devices, or accounts.
3. Use cybersecurity solutions
Cybersecurity solutions include security software, such as antivirus, but also measures like training employees on the importance of following cybersecurity best practices.
Internal threats are as important to prevent as external ones, and an employee rarely intends to damage the business. Most of the time an unaware mistake is what leads to a ransomware attack.
4. Schedule regular backups
Keep at least three copies of your data, with at least one stored offline and off-site. This ensures that, even if you are hit by a disaster, whether natural or human-made (like ransomware), your data is always safe.
Regular backups can prevent downtime and ensure you never lose sensitive data.
5. Have a recovery plan in hand
Despite every preventive action you take to protect your business data, a disaster can still hit it.
Make sure you have a disaster recovery plan to keep business continuity and prevent downtime, even if an Alphv (BlackCat) ransomware attack happens.
See how to create a data recovery plan with our in-depth guide.
How to recover from the Alphv attack
The first step to recover from an Alphv attack is to isolate the infected computer by disconnecting it from the internet and removing any connected devices. Then you must contact local authorities. For US residents and businesses, that means the local FBI field office and the Internet Crime Complaint Center (IC3).
To report a ransomware attack, gather all the information you can about it, including:
- Screenshots of the ransom note
- Communications with Alphv actors (if you have them)
- Sample of an encrypted file
You must not delete the ransomware, and you must keep all evidence of the attack. This is important for digital forensics, so that experts can trace the attack back to the hacker group and identify them. Authorities use the data on your infected system to investigate the attack and find those responsible. A cyber attack investigation is no different from any other criminal investigation: it needs evidence to find the attackers.
After isolating the device and contacting the authorities, follow these steps to retrieve your data:
1. Contact your Incident Response Retainer
A Cyber Incident Response is the process of responding to and managing a cybersecurity incident. An Incident Response Retainer is a service agreement with a cybersecurity provider that allows organizations to get external help with cybersecurity incidents. It provides organizations with a structured form of expertise and support through a security partner, enabling them to respond quickly and effectively in the event of a cyber incident.
An incident response retainer offers peace of mind to organizations, offering expert support before and in the aftermath of a cybersecurity incident. The specific nature and structure of an incident response retainer will vary according to the provider and the organization’s requirements. A good incident response retainer should be robust but flexible, providing proven services to enhance an organization’s long-term security posture.
2. Identify the ransomware infection
You can check which ransomware infected your machine by the file extension (some ransomware families use the extension as their name) or from the ransom note. With this information, you can look for a public decryption key. However, there is no public decryptor for Alphv yet.
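The identification step above can be partly automated. The Python script below is an added example (not from the original article or from SalvageData): it walks a copy of an affected file tree, finds ransom notes matching the page's GET IT BACK-[file_extension]-FILES.txt pattern, reads the affiliate's extension out of the note's name, and counts files carrying that extension, which tells you how widespread the encryption is and which extension to search decryptor databases for. The sample tree, the extension "sykffle" and the alphanumeric-extension assumption are all constructed for the demo.

```python
# Added example (not from the original article): read-only triage of a file
# tree for Alphv-style ransom notes. It never modifies or deletes anything,
# so the evidence the article says to preserve stays intact.
import os
import re
import tempfile

# Assumption: affiliate extensions are alphanumeric, as in the page's pattern.
NOTE_PATTERN = re.compile(r"^GET IT BACK-(?P<ext>[A-Za-z0-9]+)-FILES\.txt$")

def triage_tree(root):
    """Return {extension: {"notes": n, "encrypted_files": m, "dirs": [...]}}
    for every extension named by an Alphv-style ransom note under root."""
    found = {}
    for dirpath, _, filenames in os.walk(root):  # pass 1: locate notes
        for name in filenames:
            m = NOTE_PATTERN.match(name)
            if m:
                entry = found.setdefault(
                    m.group("ext"), {"notes": 0, "encrypted_files": 0, "dirs": []})
                entry["notes"] += 1
                entry["dirs"].append(os.path.relpath(dirpath, root))
    for dirpath, _, filenames in os.walk(root):  # pass 2: count encrypted files
        for name in filenames:
            suffix = name.rsplit(".", 1)[-1] if "." in name else ""
            if suffix in found and not NOTE_PATTERN.match(name):
                found[suffix]["encrypted_files"] += 1
    return found

def build_sample_tree():
    """Constructed sample: a temp dir mimicking a hit share (extension 'sykffle')."""
    root = tempfile.mkdtemp(prefix="alphv_demo_")
    for sub in ("finance", "finance/2023", "hr"):
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        with open(os.path.join(root, sub, "GET IT BACK-sykffle-FILES.txt"), "w") as f:
            f.write("constructed ransom note placeholder\n")
    for rel in ("finance/budget.xlsx.sykffle", "finance/2023/q1.docx.sykffle",
                "hr/payroll.csv.sykffle", "hr/readme.txt"):  # readme.txt untouched
        with open(os.path.join(root, rel), "w") as f:
            f.write("x")
    return root

if __name__ == "__main__":
    for ext, info in triage_tree(build_sample_tree()).items():
        print(f".{ext}: {info['notes']} notes, {info['encrypted_files']} encrypted files")
```

Point `triage_tree` at a mounted read-only image of the affected volume rather than the live machine, and record the result alongside the screenshots and sample files listed above.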
3. Remove the ransomware and eliminate exploit kits
Before recovering your data, you must guarantee that your device is ransomware-free and that the attackers can’t make a new attack through exploit kits or other vulnerabilities. A ransomware removal service can delete the ransomware, create a forensics document for investigation, eliminate vulnerabilities, and recover your data.
4. Use a backup to restore the data
Backups are the most efficient way to recover data. Make sure to keep daily or weekly backups, depending on your data usage.
5. Contact a ransomware recovery service
If you don’t have a backup or need help removing the ransomware and eliminating vulnerabilities, you should contact a data recovery service.
Do not pay the ransom. Paying the ransom has serious consequences such as sanctions, besides having the ethical issue of financing criminal activity. Contact responsible authorities (in the US it will be the FBI) and then work with a ransomware data recovery service.
SalvageData experts can safely restore your files and guarantee Alphv ransomware does not attack your network again. Contact our experts 24/7 for emergency recovery service or find a recovery center near you.