The world of ransomware is constantly in flux as cybercriminals adapt their techniques to overcome defenses and achieve maximum impact. The notorious ransomware collective ALPHV/BlackCat, formerly recognized as NOBERUS, has recently introduced an upgraded version of their Ransomware as a Service (RaaS), "Sphynx".
On February 21st, 2023, vx-underground reported a significant development: the ALPHV ransomware group had rolled out an update for their affiliates, unveiling a new ransomware variant named Sphynx. This new variant brings advancements in encryption speed and stealth, as highlighted in an April post on Twitter by user X.
On February 21st, 2023, the ALPHV ransomware group informed their affiliates of a new 'product' update.
Their new ransomware variant is named Sphynx. pic.twitter.com/zIIpEvTwfP
— vx-underground (@vxunderground) April 20, 2023
Notably, Microsoft Threat Intelligence has identified the deployment of an upgraded variant of the BlackCat ransomware in ongoing operations. This new version integrates Impacket, an open-source collection of Python classes for working with network protocols (SMB, WMI, Kerberos and others) that malicious actors use to facilitate lateral movement within targeted environments.
The operators of BlackCat conveyed their satisfaction with the progress, stating, "We are pleased to inform you that testing of basic features ALPHV/BlackCat 2.0: Sphynx is completed," in a message addressed to their affiliates.
ALPHV/BlackCat, a key player within the ransomware sphere, has undergone a significant metamorphosis. The group has completely overhauled its RaaS offering in response to the evolving cybersecurity landscape. This strategic adaptation aims to counter sophisticated defenses and rival threat actors. The Sphynx ransomware was discovered by researchers at vx-underground, who came across a communication from BlackCat to its affiliates announcing this noteworthy product update.
The Sphynx ransomware boasts enhanced features designed to heighten its efficacy while evading detection. Among these enhancements is the integration of open-source tools such as Impacket and RemCom. These tools are pivotal in executing remote operations and lateral movement within the victim's infrastructure. The enhancements serve two purposes: first, prolonging the time during which the ransomware remains hidden from antimalware and endpoint detection and response (EDR) systems, and second, optimizing the encryption process for swift and efficient data lockdown.
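Because the Impacket and RemCom components generate host-level artefacts that EDR and SIEM rules can key on, the following is an added Python example (not code from the article or from any vendor) that scans a few constructed Windows event records for default behaviours of Impacket's wmiexec and smbexec and of the RemCom service; the patterns are assumptions drawn from public knowledge of those tools' defaults, not facts stated on this page.

```python
import json
import re

# Constructed sample events (not from the page). Fields mimic Windows Security /
# Sysmon logging: 4688 = process creation, 7045 = new service installed.
SAMPLE_EVENTS = [
    json.dumps({"EventID": 4688, "Host": "fs01",
                "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1690000000.12 2>&1"}),
    json.dumps({"EventID": 7045, "Host": "fs01", "ServiceName": "RemComSvc",
                "ImagePath": r"C:\Windows\RemComSvc.exe"}),
    json.dumps({"EventID": 7045, "Host": "dc01", "ServiceName": "BTOBTO",
                "ImagePath": r"%COMSPEC% /Q /c echo dir ^> \\127.0.0.1\C$\__output 2^>&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat"}),
    json.dumps({"EventID": 4688, "Host": "ws07",
                "CommandLine": r"C:\Windows\System32\notepad.exe C:\Users\a\notes.txt"}),
]

# Heuristics: (rule name, event field, compiled regex). Assumed defaults:
# wmiexec redirects command output to \\127.0.0.1\ADMIN$\__<timestamp>,
# smbexec installs a service whose ImagePath writes %TEMP%\execute.bat,
# RemCom installs a service literally named RemComSvc.
RULES = [
    ("impacket_wmiexec_output_redirect", "CommandLine",
     re.compile(r"1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+", re.I)),
    ("impacket_smbexec_service_batch", "ImagePath",
     re.compile(r"%COMSPEC%.*\\\\127\.0\.0\.1\\C\$\\__output.*execute\.bat", re.I)),
    ("remcom_service_install", "ServiceName",
     re.compile(r"^RemComSvc$", re.I)),
]


def scan_events(lines):
    """Return a list of (host, rule_name) hits for JSON-encoded event lines."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        for name, field, rx in RULES:
            value = ev.get(field, "")
            if value and rx.search(value):
                hits.append((ev.get("Host", "?"), name))
    return hits


if __name__ == "__main__":
    for host, rule in scan_events(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

Any single hit on a file server or domain controller is worth triage; a wmiexec hit followed by a RemCom service install on the same host within minutes is the lateral-movement sequence the article describes.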
Initially limited to established affiliates, the Sphynx ransomware was gradually made available to newer participants. Microsoft's Security Intelligence team observed the deployment of this new version during a campaign in July 2023 involving an affiliate identified as "storm-0875." This observation underscores the growing influence and increasing prevalence of this ransomware variant within the threat landscape.
ALPHV/BlackCat affiliates have demonstrated adaptability by adopting innovative infection strategies to propagate ransomware. Employing malvertising as a vector, they promote tampered versions of commonly used IT tools, enticing unsuspecting victims and perpetuating the infection cycle. This tactic underscores the group's sophistication and emphasizes the necessity for heightened caution when interacting with seemingly legitimate software.
Given ALPHV/BlackCat's history as a formidable player in the ransomware arena, the emergence of the Sphynx ransomware version amplifies the risk for organizations. To mitigate these threats effectively, the following measures are recommended:
The emergence of the Sphynx ransomware by ALPHV/BlackCat underscores the dynamic and evolving landscape of ransomware threats. With its advanced features, innovative infection strategies, and increasing affiliate engagement, this new iteration poses a significant risk to organizations worldwide.
To ensure robust defense against ransomware attacks and safeguard critical data and operational continuity, businesses must implement recommended security measures.