Threat Trend Report on Deep Web & Dark Web – Ransomware Groups & Cybercrime Forums and Markets of February 2024
Notice
This brief trends report on the Deep Web & Dark Web in February 2024 covers ransomware, forums, black markets, and threat actors. Note that some of the content may not be verifiable.
Major issues
1) Ransomware
(1) ALPHV/BlackCat
In late February, the U.S. Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) warned that U.S. hospitals could be targeted by the ALPHV/BlackCat (“BlackCat”) ransomware.[1] The underlying advisory had first been issued in mid-December, after law enforcement agencies seized and shut down the DLSs (dedicated leak sites) of the BlackCat ransomware gang; the late-February release was an update to it. The gang’s infrastructure, which had been shut down by law enforcement, was subsequently revived and activity resumed, with the gang encouraging its affiliates to target medical institutions.
In addition to medical institutions, on February 16 the gang posted Prudential Financial as a victim on its DLS. Prudential Financial is a well-known U.S. Fortune Global 500 financial services company whose subsidiaries offer a wide range of products and services, including insurance, retirement planning, and investment management. Earlier, on February 12, Prudential Financial had filed a “FORM 8-K” report (a filing that discloses the occurrence of a significant event that may affect the investment judgment of the company’s investors) with the U.S. Securities and Exchange Commission regarding its victimization in the cybersecurity incident. The following is an excerpt:[2]

Figure 1 FORM 8-K Report to the United States Securities and Exchange Commission
| On February 5, 2024, Prudential Financial, Inc. (the “Company” or “we”) detected that, beginning February 4, 2024, a threat actor had gained unauthorized access to certain of our systems. With assistance from external cybersecurity experts, we immediately activated our cybersecurity incident response process to investigate, contain, and remediate the incident. As of the date of this report, we believe that the threat actor, who we suspect to be a cybercrime group, accessed Company administrative and user data from certain information technology systems and a small percentage of Company user accounts associated with employees and contractors. We continue to investigate the extent of the incident, including whether the threat actor accessed any additional information or systems, to determine the impact of the incident. On the basis of the investigation to date, we do not have any evidence that the threat actor has taken customer or client data. We have reported this matter to relevant law enforcement and are informing regulatory authorities. As of the date of this Report, the incident has not had a material impact on the Company’s operations, and the Company has not determined the incident is reasonably likely to materially impact the Company’s financial condition or results of operations. |
[Table 1] Partial content of the 8-K report submitted by Prudential Financial, Inc.
The BlackCat ransomware gang posted Prudential Financial as a victim on its DLS, but no evidence of data leaks was posted. The gang sent emails to senior executives (C-level) of the affected company criticizing the United States government and insurance companies and claiming that they still have access to the Prudential network and can leak data.

Figure 2 – Prudential Financial, Inc. posted as a victim on the BlackCat DLS
ALPHV (BlackCat) was first recognized in November 2021 and is said to be a rebrand of the DarkSide and BlackMatter ransomware gangs. It is also known as the first group to develop ransomware written in the Rust language and to operate on a RaaS (ransomware-as-a-service) model, receiving a percentage of the ransom collected by its affiliates. It uses double or triple extortion tactics: it encrypts the victim’s data and then posts the victim, together with its ransom demand, on its DLS.
The gang’s DLS was inaccessible for about 10 days beginning on December 14, 2023, but has since resumed activity; the outage was attributed to a law enforcement action. The same pattern recurred in early March, at the time of writing: the new DLS became inaccessible and displayed a banner stating that it had been seized and closed by law enforcement agencies, just like the old DLS. While the new DLS was unreachable, there was much speculation as to whether the cause was a problem with the hosting company’s systems, preparation for a second law enforcement operation, a rebranding, or an exit scam by an operator who wanted to collect the ransom without paying its affiliates their share.
Separately from this case, the U.S. Department of State is offering a reward of up to USD 10 million for information leading to the identification or location of the international organized crime group operating the ALPHV (BlackCat) ransomware, or of individuals in key leadership positions, as well as a reward of up to USD 5 million for information leading to the arrest and conviction of individuals engaging or attempting to engage in ALPHV/BlackCat ransomware activity.[3]
[1] https://www.cisa.gov/news-events/alerts/2024/02/27/cisa-fbi-and-hhs-release-update-stopransomware-advisory-alphv-blackcat
[2] https://www.sec.gov/Archives/edgar/data/1137774/000119312524033753/d770643d8k.htm
[3] https://www.bleepingcomputer.com/news/security/us-offers-up-to-15-million-for-tips-on-alphv-ransomware-gang/