Response to the Revised CISA Advisory (AA23-353A): #StopRansomware: ALPHV BlackCat – Source: securityboulevard.com

On February 27, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) notified the revision of the Cybersecurity Advisory (AA23-353A) which detailed additional Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs) identified through FBI investigations as recently as February 2024.

This CSA is part of CISA’s ongoing #StopRansomware effort to arm defenders with the intelligence they need to combat different ransomware variants and ransomware threat actors.

AttackIQ has previously responded to this alert in December 2023 with a full-scale Attack Graph that emulates the several Tactics, Techniques, and Procedures (TTPs) associated with an intrusion chain that culminated with the deployment of Blackcat ransomware.

AttackIQ has released an update to the BlackCat ransomware emulation released in May 2022, with the aim of helping customers validate their security controls and their ability to defend against this relentless threat.

Validating your security program performance against these behaviors is vital in reducing risk. By using this new assessment template in the AttackIQ Security Optimization Platform, security teams will be able to:

• Evaluate security control performance against baseline behaviors observed associated to the BlackCat ransomware.
• Assess their security posture against an opportunistic adversary, which does not discriminate when it comes to selecting its targets.
• Continuously validate detection and prevention pipelines against a playbook similar to those of many of the groups currently focused on ransomware activities.

[Malware Emulation] ALPHV/BlackCat Ransomware

This Attack Graph seeks to emulate the sequence of behavior associated with the deployment of BlackCat on a compromised system, intending to provide customers with opportunities to prevent and/or detect a compromise in progress.

Ingress Tool Transfer (T1105): This scenario downloads to memory and saves to disk in independent scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.

Process Injection (T1055): This scenario injects a DLL file into another running process and validates if a canary file can be created.

Windows Management Instrumentation (WMI) (T1047): WMI is a native Windows administration feature that provides a method for accessing Windows system components. This scenario will collect the Windows Universally Unique Identifier (UUID) by executing the csproduct get UUID command.

Modify Registry (T1112): The HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesLanmanServerParameters MaxMpxCt registry value is modified to change the number of network requests that the Server Service can perform.

Inhibit System Recovery (T1490): This scenario uses vssadmin.exe and WMI Objects to delete a recent Volume Shadow Copy created by the emulation.

Indicator Removal: Clear Windows Event Logs (T1070.001): The scenario will use the wevtutil.exe binary to clear event logs from the system.

Data Encrypted for Impact (T1486): This scenario performs the file encryption routines used by common ransomware families. Files matching an extension list are identified and encrypted in place using the same encryption algorithms observed in BlackCat ransomware.

Detection and Mitigation Opportunities

Given the number of different techniques being utilized by this threat, it can be difficult to know which to prioritize for prevention and detection opportunities. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.

1. Review CISA’s Patching and Detection Recommendations:

CISA has provided a significant number of recommendations for the best ways to defend yourself from these and similar attacks. AttackIQ strongly recommends reviewing the detection and mitigation recommendations to adapt them to your environment first to determine if you have any existing impact before reviewing the assessment results.

2. Process Injection (T1055):

Malware will commonly inject malicious code into legitimate running processes to attempt to blend in with legitimate applications to remain hidden and appear normal to the compromised system.

2a. Detection

Searching for common processes that are performing uncommon actions can help identify when a process has been compromised.

2b. Mitigation

MITRE ATT&CK recommends the following mitigation recommendations:

3. Inhibit System Recovery (T1490):

Adversaries often delete Volume Shadow Copies to prevent the possibility of restoring files back to their original state. This is a common technique used by ransomware as it prevents the recovery of files once the ransomware encryption routine successfully completes execution.

3a. Detection

Detecting deletion of Volume Shadow Copies is usually the first step that occurs and can be detected by looking at the command line activity

Process Name == (cmd.exe OR powershell.exe)


Command Line CONTAINS (“vssadmin” AND “Delete Shadows”)

3b. Mitigation

MITRE ATT&CK has the following mitigation recommendations for Inhibit System Recovery

Wrap-up

In summary, this updated attack graph will evaluate security and incident response processes and support the improvement of your security control posture against the recent activities carried out by BlackCat ransomware operators. With data generated from continuous testing and use of this assessment template, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a known and dangerous threat.

AttackIQ stands at the ready to help security teams implement this assessment template and other aspects of the AttackIQ Security Optimization Platform, including through our fully managed service, AttackIQ Ready!, and our co-managed security service, AttackIQ Enterprise.