ALPHV recently claimed responsibility for a cybersecurity incident targeting Canada's Trans-Northern Pipelines.
What is ALPHV?
ALPHV recently claimed responsibility for a cybersecurity incident targeting Canada's Trans-Northern Pipelines. Various industry news sources, including The Register, recently reported on this activity.
ALPHV/BlackCat ransomware as a service (RaaS), thought to be the first ransomware family written in Rust, was first observed in late 2021. It includes a highly customizable feature set allowing for attacks on a wide range of targets. The malware has evolved over time. Being RaaS, ALPHV is used by various threat actors to compromise both targets of opportunity and specific entities.
The threat actors behind ALPHV are a financially motivated threat actor group known for ransomware operations. Industry researchers have speculated the group’s members are likely based in the UK or Europe. The group is known for multiple ransomware variants with similar codes, including ALPHV, BlackCat, Sphynx, and Noberus.
ALPHV is known to target multiple verticals, including construction, engineering, retail, transportation, commercial services, insurance, machinery, professional services, telecommunications, auto components, healthcare, pharmaceuticals, gambling, and critical infrastructure.
ALPHV is proficient in social engineering tactics and human-operated ransomware attacks. The group has been effective in marketing to its affiliates, and affiliates receive a generous share of ransom payments.
Threat actors behind ALPHV are known to use double and triple extortion tactics, charging a ransom to decrypt files and threatening to disclose files or engage in DDoS attacks if the ransom is not paid. They are also known to be ruthless in their pursuit of ransom payments. In November 2023, the group compromised the software company MeridianLink and followed up on the attack by filing a U.S. Securities and Exchange Commission complaint against the victim for not complying with the SEC’s four-day cyberattack disclosure rule.
The Trans-Northern Pipelines Incident
Trans-Northern Pipelines is an oil and gas (ONG) entity that operates a large expanse of pipelines in Ontario and Quebec, as well as Alberta. The pipelines transport refined petroleum products, including gasoline, diesel fuel, aviation fuel, and heating fuel. Trans-Northern Pipelines confirmed they experienced a cybersecurity incident in November 2023. ALPHV threat actors reportedly stole around 190 GB of data and threatened to leak the data if Trans-Northern Pipelines did not pay the ransom. As of writing, some of the files have already been leaked.
The attack on Trans-Northern Pipelines has been compared to the 2021 ransomware attack on US based Colonial Pipeline. The Colonial Pipeline attack resulted in the pipeline being temporarily shut off, which resulted in fuel shortages on the US East Coast. DarkSide ransomware group was responsible for the Colonial Pipeline attack. It is interesting to note that ALPHV is linked to BlackMatter, which industry researchers previously assessed to be the rebrand of DarkSide. While ALPHV, sometimes referred to as BlackCat, is not a rebrand of BlackMatter, the groups are thought to be closely linked and may have common affiliates.
ALPHV has targeted multiple critical infrastructure entities in recent months. They claimed responsibility for a cyber incident affecting Lower Valley Energy, a US-based utility cooperative, in December 2023. ALPHV claimed responsibility for an attack on SerCide, a Spanish electricity provider, which also occurred in late 2023. ALPHV also recently ransomed Rush Energy Services, a Canadian company that specializes in crude oil custom treating and water management facilities.
Implications
Cyber threats pose a significant risk to the energy vertical, which encompasses various sectors such as oil and gas, electricity, renewable energy, utilities, and related critical infrastructure entities. In 2023, industry researchers reported on the rise of ransomware attacks targeting energy sector entities, including those in the nuclear and oil & gas subsectors.
Ransomware attacks on critical infrastructure entities are particularly dangerous, as they can potentially sabotage operations by locking down critical systems. These attacks can disrupt the functioning of energy grids, leading to power outages, service disruptions, and even physical damage.
Another threat ransomware poses to the energy sector is the theft of sensitive data and intellectual property. Energy companies often possess valuable information related to exploration, production, and distribution of resources. Cybercriminals may target these organizations to gain access to proprietary data, including geological surveys, engineering designs, and trade secrets. A threat actor selling or leaking this information can have far-reaching consequences, compromising a company's competitive edge, disrupting operations, and resulting in financial losses.
PolySwarm Tracks ALPHV Activity
PolySwarm is actively tracking ALPHV ransomware. PolySwarm first noted ALPHV activity in our 2021 Year in Review report. We predicted ALPHV (BlackCat) ransomware would become more prevalent due to its sophistication.
ALPHV was included in our 2023 Malware to Watch, predicting that the group would continue to expand its operations in 2023 due to its versatility and profitable affiliate model. This prediction proved fruitful.
ALPHV was featured in our 2023 Recap - Malware Hall of Fame due to its growing popularity and tendency to be used to compromise high-value targets, including MGM Grand, in 2023.
We again named ALPHV as a force to be reckoned with in our 2023 Recap - Cyber Threats to the Energy Vertical, due to the group’s attacks on multiple energy vertical entities, including Mammoth Energy, Creos Luxembourg, and Encino Energy in 2023.
In PolySwarm's 2024 Malware to Watch, we noted that while law enforcement apparently seized ALPHV’s darknet site in December 2023, the group reportedly unseized it shortly thereafter. At that time, ALPHV removed all rules from its affiliate program, no longer forbidding affiliates to target critical infrastructure entities. Based on those developments, our analysts predicted an increase in the number of critical infrastructure entities targeted by ALPHV ransomware.
ALPHV IOCs
A selection of our most recent ALPHV samples are provided below.
c1ff927c596b4f8993bd90c3797b2356a14d29b187e7259f8483af57cfce1087
91eb89d81458ff2d14ddb0e1d3fb103f19be85b19d5af2546bcad6f192aca2c4
00360830bf5886288f23784b8df82804bf6f22258e410740db481df8a7701525
4caa8a01959797e5dd057fa0eaaf5984c0620a2f20c1e746a8da8b6f58edbb7b
7889264c917d5f8fa62284bc8ce79978e78ff309fea883f68a690b9ef20381ff
a7244ee40e46f6edce8e5e498ebcdfa1895dcdc0b118e185295fe6cfecdc0f32
cce520d3cea0a07cf5530cc8ed4002e6305e1df67810637f6b5bf56cbc392beb
4055913adfd41d436b35e7a74ef8852c53ce76f41bbb9a7fe372f07b6fac9421
ef5afb6044a1a89a43981de072b831640d8fb1b78f5807dee0b6f408f5e8e189
c359417d82a31d61a035db05ca945f493151ec5762616d2c819df081f774f405
bf48cc4243a7df38b2adc44b4d461b30f44d73b055cc13bf7623cae68defc531
78482a39564bd5503cd1d32cf8976fdd4fe2b9feba112e283af2e31ed5f21b87
6df64a0a921bd65006968d7eb146f7ceb60ffc1345575d39edec0eded41eb4fe
f09d27156cd59bb0d24f28dfa008b7b9f60b0578a8d5cc7807bb021b29735dda
a5f7c01ccfc69d1c4e1c14a5e8219cdcc020d08b1eccb340061e3dccf3a40bfe
You can use the following CLI command to search for all ALPHV samples in our portal:
$ polyswarm link list -f ALPHV
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.