BlackCat ransomware hits Azure Storage with Sphynx encryptor

Sergiu Gatlan

18 Sept 2023

The BlackCat (ALPHV) ransomware gang now uses stolen Microsoft accounts and the recently spotted Sphynx encryptor to encrypt targets' Azure cloud storage.

While investigating a recent breach, Sophos X-Ops incident responders discovered that the attackers used a new Sphynx variant with added support for using custom credentials.

After gaining access to the Sophos Central account using a stolen One-Time Password (OTP), they disabled Tamper Protection and modified the security policies. These actions were possible after stealing the OTP from the victim's LastPass vault using the LastPass Chrome extension.

Subsequently, they encrypted the Sophos customer's systems and remote Azure cloud storage and appended the .zk09cvt extension to all locked files. In total, the ransomware operators successfully encrypted 39 Azure Storage accounts.

They infiltrated the victim's Azure portal using a stolen Azure key that gave them access to the targeted storage accounts. The keys used in the attack were embedded in the ransomware binary as Base64-encoded strings.

The attackers also used multiple Remote Monitoring and Management (RMM) tools like AnyDesk, Splashtop, and Atera throughout the intrusion.

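As an added example (not code from the article, Sophos, or the ransomware), the following triage helper scans a captured binary for Base64 runs that have the shape of an Azure Storage account key, either embedded as-is or wrapped in a second Base64 layer as described above, so an incident responder can identify which account keys to rotate. The sample key and blob are constructed here and are not real indicators.

```python
import base64
import re

# An Azure Storage account key is 64 random bytes, so its standard Base64 form
# is exactly 88 characters ending in "==". The article reports the keys were
# Base64-encoded again before being embedded in the binary, so the scan checks
# each Base64 run both directly and after stripping one layer of encoding.
KEY_RAW_LEN = 64
KEY_B64_LEN = 88
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{20,}={0,2}")


def looks_like_storage_key(candidate: bytes) -> bool:
    """True if candidate has the shape of a Base64-encoded 64-byte key."""
    if len(candidate) != KEY_B64_LEN or not candidate.endswith(b"=="):
        return False
    try:
        return len(base64.b64decode(candidate, validate=True)) == KEY_RAW_LEN
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def find_embedded_keys(blob: bytes) -> list[bytes]:
    """Return key-shaped strings found in blob, plain or Base64-wrapped."""
    found = []
    for match in B64_RUN.finditer(blob):
        run = match.group(0)
        if looks_like_storage_key(run):
            found.append(run)  # key embedded as-is
            continue
        try:
            inner = base64.b64decode(run, validate=True)
        except ValueError:
            continue  # not valid Base64 (bad length or padding): skip the run
        if looks_like_storage_key(inner):
            found.append(inner)  # key wrapped in a second Base64 layer
    return found


# Constructed sample, not a real key: 64 predictable bytes, encoded twice and
# dropped into a fake binary next to an unrelated Base64-looking decoy string.
SAMPLE_KEY = base64.b64encode(bytes(range(KEY_RAW_LEN)))
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"  # decoy: decodes, but not key-shaped
    + b"\x00storage=" + base64.b64encode(SAMPLE_KEY) + b"\x00\xff\xfe"
)

if __name__ == "__main__":
    for key in find_embedded_keys(SAMPLE_BLOB):
        # Print only a prefix: the goal is to know which key to rotate.
        print("embedded storage key found, prefix:", key[:8].decode())
```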
BlackCat ransom note sample

Known initially as DarkSide, this group garnered global attention after breaching Colonial Pipeline, drawing immediate scrutiny from international law enforcement agencies.

Although they rebranded as BlackMatter in July 2021, operations were abruptly halted in November when authorities seized their servers and security firm Emsisoft developed a decryption tool exploiting a vulnerability in the ransomware.