Last Week in Ransomware: 09.25.23

Written by
Halcyon Team
Published on
Sep 25, 2023

Last week in ransomware news: Ransomware on Pace for Second Most Profitable Year, BlackCat/ALPHV Variant Targets Azure Storage, Why Attribution is a Major Pain in the Ass, and more...

BlackCat/ALPHV - Stealing OTPs and Targeting Azure Cloud Storage

Our journey begins with the notorious BlackCat/ALPHV ransomware gang, who've recently added a new twist to their arsenal. They've been observed harvesting One-Time Passwords (OTPs) to bypass security tools, allowing them to deploy the advanced Sphynx variant.  

These cybercriminals managed to infiltrate Sophos Central accounts using stolen OTPs, disabling Tamper Protection and altering security policies.

To make matters worse, they accessed victims' Azure portals using stolen Azure keys, granting them entry to targeted storage accounts. What's intriguing is that they encoded these keys using Base64 before injecting them into the ransomware binary.

BlackCat/ALPHV's Sphynx variant is a testament to the ever-evolving landscape of ransomware. It boasts enhanced evasion capabilities, capable of disabling security tools and evading analysis.  

Sphynx stands out as one of the most advanced ransomware families, equipped with multiple encryption routines, advanced self-propagation, and the ability to thwart hypervisors for obfuscation.

This ransomware threat isn't limited to a single operating system; it can impact systems running Windows, VMWare ESXi, and various Linux distributions, including Debian, ReadyNAS, Ubuntu, and Synology. Read More Here...

Ransomware's Growing Profit and Evolving Tactics

The Department of Homeland Security's 2024 Homeland Threat Assessment report paints a grim picture. Ransomware operators are predicted to have their second most profitable year, with an estimated $449.1 million extorted in the first half of 2023 alone.  

Big game hunting, targeting large organizations, and continued attacks on smaller entities are driving this surge.

The cost to victims is expected to skyrocket, reaching $265 billion annually by 2031. The rapid growth of ransomware attacks has made them a top global concern, affecting organizations across all industries. Read More Here...

Attribution FTW?

One of the most significant hurdles in combating ransomware is attribution. Attackers employ a range of tactics to avoid detection and tracing.  

They use Tor and VPNs to hide their IP addresses, compromise third-party infrastructure for attacks, demand ransoms in cryptocurrencies for anonymity, employ advanced encryption, and use polymorphic malware that changes with each infection.

Attribution becomes an intricate puzzle, often with misleading clues, making it challenging for organizations and law enforcement to identify the culprits. Read More Here...

Cyber Insurance Claims on the Rise

As ransomware attacks continue to surge, cyber insurance claims have followed suit. The first six months of 2023 saw a 12% spike in claims related to ransomware attacks. Organizations with over $100 million in revenue saw a 20% increase in claims and a staggering 72% increase in claim severity compared to the second half of 2022.

The average ransom demand has surged to $1.62 million, a 44% increase over the previous six months and a 74% increase over the past year. The complex nature of ransomware attacks makes it challenging for insurers to provide effective coverage. Read More Here...

The Takeaway

The ransomware threat landscape is evolving at an alarming rate, outpacing the capabilities of traditional security tools. With attackers continuously innovating, organizations must adopt a proactive approach to cybersecurity. Patching vulnerabilities, especially those targeting older bugs, is crucial.

However, it's not just about patching but also understanding the "how" and "why" of attacks. Focusing on ingress and data exfiltration, along with a robust response plan, can help organizations better quantify and mitigate risks.

In this ongoing battle, organizations must be prepared to invest the necessary resources to neutralize the ever-present ransomware threat. The stakes are high, and the divide between attackers and defenders is vast. It's a race against time, but with the right strategies and investments, we can tip the scales in our favor.

The rise of ransomware is a stark reminder that the digital realm is fraught with dangers. Cybercriminals are becoming increasingly sophisticated, leaving organizations vulnerable to devastating attacks.  

By understanding the evolving tactics of ransomware gangs, the challenges of attribution, and the growing impact on cyber insurance, we can better equip ourselves to confront this relentless threat. is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile (PDF), and check out the Recent Ransomware Attacks resource site.

See Halcyon in action

Interested in getting a demo?
Fill out the form to meet with a Halcyon Anti-Ransomware Expert!

Let's get started
3 is committed to protecting and respecting your privacy, and we’ll only use your personal information to administer your account and to provide the products and services you requested from us. From time to time, we would like to contact you about our products and services, as well as other content that may be of interest to you. If you consent to us contacting you for this purpose, please tick below to say how you would like us to contact you:

You may unsubscribe from these communications at any time. For more information on how to unsubscribe, our privacy practices, and how we are committed to protecting and respecting your privacy, please review our Privacy Policy.

By clicking submit below, you consent to allow to store and process the personal information submitted above to provide you the content requested.