ALPHV Ransomware

ransomware

Over the years we have encountered many high-profile ransomware projects that rarely go after regular users. In most cases, these file-lockers aim to infect the networks of companies and enterprises that would be willing to pay hundreds of thousands of dollars to recover their data. This is the case with the ALPHV Ransomware, also known as BlackCat. First seen in November 2021, this malware quickly became one of the most prominent file-lockers of the year.

Under ALPHV Ransomware's Hood

For starters, the project is written in the Rust programming language, which is gaining popularity among malware developers. Rust compiles to fast native binaries, and because far fewer analysts and tools are accustomed to Rust's compiled output than to C or .NET, the resulting samples are harder to analyze and dissect.

The ALPHV Ransomware, or BlackCat Ransomware, appears to be the creation of Russian-speaking hackers who are already promoting it on Russian-language hacking forums. They appear to be running it as a ransomware-as-a-service operation: affiliates get to use the ransomware, and the developers keep a percentage of each ransom payment.

The ALPHV Ransomware does not run automatically like most payloads of this sort. Instead, it has to be launched and steered by a human operator with physical or remote access to the infected device. Its command-line interface lets the attacker choose between different encryption modes and trigger additional destructive tasks; one highlight is its ability to delete ESXi virtual machine snapshots and the virtual machines themselves. Every ALPHV payload is paired with a JSON configuration, which can be edited to change the attack's scope, the file types it targets, and the processes and services to terminate.

Even without a customized configuration, the ALPHV Ransomware terminates a wide range of applications and services that could keep files locked or otherwise prevent the payload from encrypting them. Once encryption is complete, victims are presented with a ransom note whose contents are set in the same JSON configuration. The note typically uses the name 'RECOVER-<FILE EXTENSION>-FILES.txt', where <FILE EXTENSION> is the extension appended to the encrypted files.
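The two paragraphs above describe a configuration-driven payload: a JSON document that fixes the appended extension, the kill lists and the ransom note, and a note name that encodes that extension. The following Python helper, added here as an example and not code from the ransomware or from any vendor tool, shows how a responder can turn an extracted configuration into an action list and then use the note-name pattern to scope which files on a share were encrypted. The configuration keys (extension, note_file_name, kill_services, kill_processes, exclude_file_extensions, enable_esxi_vm_kill, enable_esxi_vm_snapshot_kill), the ${EXTENSION} placeholder and the sample values are assumptions chosen to mirror what the article describes; a configuration pulled from a real sample may use different names, and the directory built by build_demo_tree() is constructed data.

```python
"""Triage helper for the JSON configuration paired with an ALPHV/BlackCat
payload and for the on-disk artifacts the article describes.

Added example, not the ransomware's code and not a vendor tool. The
configuration keys and the ${EXTENSION} placeholder used here are
assumptions chosen to mirror the article; a configuration extracted from
a real sample may use different names."""
import json
import re
import tempfile
from collections import Counter
from pathlib import Path

# Constructed sample configuration, not taken from a real sample.
SAMPLE_CONFIG = json.dumps({
    "extension": "abcd1",
    "note_file_name": "RECOVER-${EXTENSION}-FILES.txt",
    "note_full_text": ">> What happened? ... contact us at the address below.",
    "kill_services": ["veeam", "vss", "sql", "backup"],
    "kill_processes": ["sqlservr.exe", "outlook.exe", "excel.exe"],
    "exclude_file_extensions": ["exe", "dll", "sys", "msi"],
    "enable_esxi_vm_kill": True,
    "enable_esxi_vm_snapshot_kill": True,
})

# Naming pattern of the ransom note. The extension embedded in the file name
# is the one appended to encrypted files, which lets a responder pair each
# note with the files it belongs to.
NOTE_RE = re.compile(r"^RECOVER-([A-Za-z0-9]+)-FILES\.txt$")


def summarize_config(raw: str) -> dict:
    """Reduce an extracted config to the fields a responder acts on first:
    the appended extension, the resolved note name, the kill lists and the
    ESXi switches."""
    cfg = json.loads(raw)
    ext = cfg.get("extension", "")
    note = cfg.get("note_file_name", "RECOVER-${EXTENSION}-FILES.txt")
    return {
        "extension": ext,
        "note_file_name": note.replace("${EXTENSION}", ext),
        "kill_services": sorted(cfg.get("kill_services", [])),
        "kill_processes": sorted(p.lower() for p in cfg.get("kill_processes", [])),
        "skipped_extensions": sorted(cfg.get("exclude_file_extensions", [])),
        "esxi_vm_kill": bool(cfg.get("enable_esxi_vm_kill", False)),
        "esxi_snapshot_kill": bool(cfg.get("enable_esxi_vm_snapshot_kill", False)),
    }


def scan_tree(root) -> dict:
    """Walk a directory, collect ransom notes by name, and count the files
    carrying each extension that a note points at (the encrypted files)."""
    notes, note_exts, by_ext = [], set(), Counter()
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        match = NOTE_RE.match(path.name)
        if match:
            notes.append(str(path))
            note_exts.add(match.group(1))
        else:
            by_ext[path.suffix.lstrip(".")] += 1
    encrypted = {ext: by_ext[ext] for ext in sorted(note_exts) if by_ext[ext]}
    return {"notes": sorted(notes), "encrypted_by_ext": encrypted}


def build_demo_tree() -> str:
    """Create a throwaway directory that looks like a share after an ALPHV
    run (constructed data, not a real incident) and return its path."""
    root = Path(tempfile.mkdtemp(prefix="alphv-demo-"))
    share = root / "share"
    share.mkdir()
    for name in ("q1.docx.abcd1", "ledger.xlsx.abcd1",
                 "RECOVER-abcd1-FILES.txt", "setup.exe"):
        (share / name).touch()
    (root / "untouched.txt").touch()
    return str(root)


if __name__ == "__main__":
    print(json.dumps(summarize_config(SAMPLE_CONFIG), indent=2))
    print(json.dumps(scan_tree(build_demo_tree()), indent=2))
```

The kill lists are the part worth feeding straight into detection: a process that stops several backup and database services in quick succession, right before files gain a new extension, is the behaviour the configuration encodes, and it is visible in service-control and file-creation telemetry even when the payload itself evades static scanning.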

What do the Criminals Want?

The criminals may demand a varying ransom fee, but judging by the quality of the malware, it is unlikely that ALPHV Ransomware's operators are looking for small payments. They are more likely to demand millions of dollars via a cryptocurrency transfer.

The ALPHV Ransomware operators accept payments in Monero and Bitcoin. It also appears that victims who opt to pay in Bitcoin are charged 15% more than the original ransom amount; the reason for this surcharge is not stated. So far, researchers have identified victims of the ALPHV Ransomware in India, Australia, and the USA, which confirms the threat's global reach.

Last but not least, the attackers threaten to leak the victim's stolen files online if the ransom is not paid. They add a further extortion layer by threatening to DDoS the victim's network if the fee is not paid, an approach that was new for ransomware operations at the time.

December 10, 2021