Ransomware Profile: ALPHV

ALPHV is a ransomware variant that encrypts data on infected systems and threatens to leak stolen data if the ransom payment is not made. It is highly customizable, which enables threat actors to easily tailor an attack to the target environment. ALPHV was first observed in November 2021 and is believed to be the first active ransomware coded in the Rust programming language.

What is ALPHV? 

ALPHV is a strain of ransomware that encrypts files using AES encryption (although the process can be overridden to use ChaCha20) and demands a large ransom for their decryption. It is the only active ransomware developed using Rust, a programming language renowned for its performance and safety. ALPHV has used Rust’s cross-platform capabilities to develop both Linux and Windows variants of the ransomware.  

ALPHV is categorized as ransomware-as-a-service (RaaS), a business model whereby the developers of the ransomware lease it to affiliates, who earn a portion of ransom payments in exchange for executing a successful attack. ALPHV offers affiliates a larger revenue share than many other RaaS operations, with affiliates earning 80% of payments up to $1.5 million, 85% of payments up to $3 million and 90% of payments over $3 million. The developers of ALPHV typically recruit affiliates on Russian-speaking hacking forums.  

To amplify the impact of an attack, ALPHV uses data exfiltration to put further pressure on victims and increase their chances of a payout. During an attack, threat actors extract large amounts of data from the compromised system and threaten to publish it on the ALPHV leak site unless the victim pays the ransom.  

ALPHV is one of a handful of ransomware groups that also threatens to DDoS victims that fail to pay the ransom. ALPHV allegedly uses its own botnet to manually perform the DDoS attacks. The group frames DDoS as an exclusive feature of sorts, available only to affiliates who have generated more than $1.5 million in ransom payments. 

The history of ALPHV 

ALPHV was first detected in November 2021 and quickly claimed dozens of victims in the first few months of operation.  

It is likely that ALPHV is a rebrand of a ransomware group known as BlackMatter, which was itself a rebrand of a group known as DarkSide. It’s believed that these rebranding efforts may be an attempt by threat actors to distance themselves from a costly development blunder that allowed Emsisoft to create a free BlackMatter decryption tool.

Cybersecurity researchers originally named the ransomware ‘BlackCat’ after the image of an inky feline that was depicted on every victim’s Tor payment site. However, in February 2021, a representative of the group confirmed that its only official name is ALPHV. 

Since ALPHV was first discovered, there have been 194 submissions to ID Ransomware, an online tool that helps the victims of ransomware identify which ransomware has encrypted their files. We estimate that only 25 percent of victims make a submission to ID Ransomware, which means there may have been a total of 776 ALPHV incidents since the ransomware’s inception. During this time, the group also published on its leak site the stolen data of at least 40 organizations. 

ALPHV ransom note  

After the ransomware has been deployed and the encryption process is complete, ALPHV drops a ransom note on the infected system. The ransom note is named after the apparently random file extension that ALPHV appends to all encrypted files, and uses the following naming format: ‘RECOVER-[RANDOM EXTENSION]-FILES.txt’. 
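
The naming format above gives defenders a simple triage check. The following is an added example (not from the original article or from any Emsisoft tool): it scans a file listing for notes matching that format and confirms that other files carry the same extension. The sample paths, the extension `kh1ftzx`, the function names and the assumption that the extension is alphanumeric are constructed for illustration.

```python
import re
from collections import Counter
from pathlib import PurePosixPath, PureWindowsPath

# Note name format from the profile: RECOVER-[RANDOM EXTENSION]-FILES.txt
# Assumption: the random extension is alphanumeric.
NOTE_RE = re.compile(r"^RECOVER-([A-Za-z0-9]+)-FILES\.txt$", re.IGNORECASE)

# Constructed sample listing (not from a real incident).
SAMPLE_LISTING = [
    r"C:\Finance\RECOVER-kh1ftzx-FILES.txt",
    r"C:\Finance\q3-report.xlsx.kh1ftzx",
    r"C:\Finance\payroll.csv.kh1ftzx",
    r"C:\HR\RECOVER-kh1ftzx-FILES.txt",
    r"C:\HR\contracts.docx.kh1ftzx",
    "/srv/share/RECOVER-old-FILES.txt",  # lookalike: no file ends in .old
    "/srv/share/readme.txt",
]

def split_path(path):
    """Return (directory, filename) for Windows- or POSIX-style paths."""
    p = PureWindowsPath(path) if "\\" in path else PurePosixPath(path)
    return str(p.parent), p.name

def find_note_clusters(paths, min_files=1):
    """Map each note extension to its notes, matching files and directories.

    An extension is reported only if it appears in a note name AND on at
    least min_files other files, which drops lookalike note names.
    """
    notes, counts, dirs = {}, Counter(), {}
    for path in paths:
        directory, name = split_path(path)
        match = NOTE_RE.match(name)
        if match:
            notes.setdefault(match.group(1).lower(), []).append(path)
        elif "." in name:
            ext = name.rsplit(".", 1)[1].lower()
            counts[ext] += 1
            dirs.setdefault(ext, set()).add(directory)
    return {
        ext: {"notes": found, "encrypted": counts[ext],
              "dirs": sorted(dirs.get(ext, ()))}
        for ext, found in notes.items() if counts[ext] >= min_files
    }

if __name__ == "__main__":
    for ext, hit in find_note_clusters(SAMPLE_LISTING).items():
        print(ext, hit["encrypted"], "files in", hit["dirs"])
```

Raising `min_files` reduces false positives on shares where a file merely happens to match the note name.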

The ransom note informs the target that their files have been encrypted and includes a link to a .onion site where the victim can make payment. The note also includes examples of the type of data that was stolen during the attack, along with threats that the data will be published if the victim refuses to cooperate.  

Below is a sample ALPHV ransom note: 

>> Introduction 

Important files on your system was ENCRYPTED and now they have “[REDACTED]” extension. 

In order to recover your files you need to follow instructions below. 

>> Sensitive Data 

Sensitive data on your system was DOWNLOADED and it will be PUBLISHED if you refuse to cooperate. 

Data includes: 

[REDACTED] 

– And more… 

Private preview is published here: [REDACTED] 

>> CAUTION 

DO NOT MODIFY FILES YOURSELF. 

DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA. 

YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS. 

YOUR DATA IS STRONGLY ENCRYPTED, YOU CAN NOT DECRYPT IT WITHOUT CIPHER KEY. 

>> Recovery procedure 

Follow these simple steps to get in touch and recover your data: 

1) Download and install Tor Browser from: https://torproject.org/ 

2) Navigate to: [REDACTED] 

Who does ALPHV target? 

ALPHV tends to target large organizations with the resources and motivation to pay large ransom demands. It is capable of infecting both Windows and Linux systems.  

ALPHV prohibits attacks on nations belonging to the Commonwealth of Independent States (CIS), which includes Azerbaijan, Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Uzbekistan and Ukraine.  

The group also prohibits attacks on government, healthcare and educational institutions. If an entity belonging to one of these sectors is attacked, ALPHV claims that it will provide free decryption and ban the offending affiliate. 

As always, any claims made by cybercrime groups should be taken with a grain of salt. ALPHV has already published stolen data from at least one victim in the healthcare sector (the group has stated that its rules around avoiding the healthcare sector do not apply to pharmaceutical companies and private clinics). Additionally, even if the group does provide free decryption to an impacted entity, the recovery process may still take days, weeks or months to complete. This level of disruption can have a significant impact on patient health.  

How does ALPHV spread? 

ALPHV attacks begin by breaching the target network. Affiliates can use a variety of methods to infect the target system, including compromised RDP, phishing attacks, stolen credentials and exploiting known vulnerabilities.  

Once the system has been compromised, attackers may use a variety of tools to prepare the environment for encryption and maximize the impact of the attack. Tools such as Mimikatz, LaZagne and WebBrowserPassView are used to access saved passwords, which enable threat actors to escalate privileges and spread laterally across the network. MEGAsync is often used to exfiltrate data, while anti-forensics tools like File Shredder are sometimes used to securely delete files and thwart analysis. PowerShell is often used to modify Windows Defender security settings, and shadow volume copies are deleted prior to encryption to prevent organizations from restoring encrypted files.

ALPHV requires a specific access token for the ransomware to execute properly. The access token acts as a unique key, which is used to verify the identity of the victim and must be provided when accessing the ALPHV .onion payment site. The access token prevents third parties (such as ransomware researchers) from gatecrashing what is supposed to be a private negotiation between victim and attacker.

As ALPHV operates as a RaaS and can be distributed by many different affiliates, the exact anatomy of an attack can vary from incident to incident.  

Major ALPHV attacks 

How to protect the network from ALPHV and other ransomware   

The following practices may help organizations reduce the risk of an ALPHV incident. 

How to remove ALPHV and other ransomware     

ALPHV uses encryption methods that currently make it impossible to decrypt data without paying for an attacker-supplied decryption tool. 

Victims of ALPHV should be prepared to restore their systems from backups, using processes that should be defined in the organization’s incident response plan. The following actions are recommended: 

Senan Conrad
