ALPHV/BlackCat has no intention of losing ground and keeps improving its malicious tooling.
The group behind the BlackCat ransomware recently unveiled an improved variant of its malware that prioritizes speed and stealth in order to bypass defenses and reach its objectives.
The new version, called Sphynx, was announced in February 2023 and contains "a number of updated features that help avoid detection," according to a new analysis by IBM Security X-Force.
The update was first noted by VX-Underground in April 2023, and last month Trend Micro detailed a Linux version of Sphynx that "focuses primarily on the encryption process."
The ALPHV/BlackCat group, also known as Noberus, developed the first ransomware based on the Rust language. Active since November 2021, it has grown into a significant threat, with over 350 targets affected as of May 2023.
The group is also known for a double extortion scheme: it deploys dedicated data-theft tools such as ExMatter to exfiltrate sensitive data before encryption.
ALPHV/BlackCat affiliates obtain initial access to targeted networks, usually through third parties known as Initial Access Brokers (IABs), who use their own malware to steal legitimate credentials.
The latest Sphynx build from ALPHV/BlackCat adds junk code and encrypted strings and reworks the command-line arguments passed to the binary, all in the service of evading detection.
Sphynx also ships a separate loader that decrypts the ransomware payload; once running, the payload looks for additional networks to compromise. Otherwise the malware follows the usual pattern: it deletes backup copies of data on target devices, encrypts files, and leaves a ransom note.
Despite law enforcement campaigns aimed directly at ALPHV/BlackCat activity, the constant shift in tactics shows that the group remains an active threat to organizations and has no intention of ceasing its malicious activity.
Just today we wrote about recent findings from WithSecure, which observed a kind of division of labor between hacker groups that lets more destructive attacks be carried out far faster and more efficiently than if one group handled the entire attack chain.
As this case shows, even such a large and well-known extortion group is willing to share its profits with other attackers, routinely relying on the services of initial access brokers.