ACSC warns of Rust-powered ransomware surge


The Australian Cyber Security Centre (ACSC) has observed an increase in BlackCat/ALPHV ransomware attacks globally this year, warning that Australian organisations, including government and critical infrastructure operators as well as energy, finance and construction businesses, have already been attacked and remain in the group's crosshairs.

As of March 2022, BlackCat/ALPHV Ransomware-as-a-Service (RaaS) had compromised at least 60 entities worldwide, according to the Federal Bureau of Investigation (FBI), which issued a similar alert for US-based organisations.

The success of the ALPHV ransomware appears to be due to its use of the Rust programming language, which the FBI describes as “considered to be a more secure… and offer improved performance and reliable concurrent processing”.

BlackCat is reportedly the first ransomware group to successfully breach organisations using malware written in Rust.

Like similar ransomware campaigns, once a system is infected, the ALPHV program restricts access to enterprise files and systems by encrypting them in a locked and unusable format, the ACSC said. RaaS affiliates can then execute multiple extortion techniques, forcing organisations to pay up before releasing their data.

ALPHV was first detected in late 2021 as a RaaS affiliate program associated with Russian-speaking cybercrime actors.

The operators of ALPHV reportedly sought to recruit former members of the BlackMatter, DarkSide and REvil groups, and some similarities have been identified between the tactics, techniques and procedures (TTPs) of both ALPHV and BlackMatter ransomware actors, according to the ACSC.

ALPHV had successfully deployed ransomware to target networks worldwide, including in Australia, where the ACSC said it was aware of multiple Australian victims.

ALPHV ransomware used a range of initial access vectors to gain access to target networks, including:

  • Exploiting known vulnerabilities or common security misconfigurations.
  • Using legitimate credentials purchased, brute-forced or gained in phishing attacks, including credentials for Remote Desktop Protocol (RDP) connections and commercial Virtual Private Network (VPN) products.

The ACSC advised against paying any ransoms and, instead, encouraged targeted organisations to report cybercrime and cyber security incidents.

According to the FBI, BlackCat-affiliated threat actors typically request ransom payments of several million dollars in Bitcoin and Monero. However, they have also accepted ransom payments below the initial ransom demand amount.

Ransomware-as-a-Service or RaaS – which operates in a similar fashion to a legitimate Software-as-a-Service offering – enables criminals, known as ransomware ‘affiliates’, to pay ransomware operators and developers to launch ransomware attacks on chosen targets.