StopRansomware: ALPHV Blackcat

    Date: 08/07/2024

    Severity: High

    Summary

    “#StopRansomware: ALPHV Blackcat” is a CISA cybersecurity advisory (AA23-353a, referenced below) on the ALPHV ransomware strain, also known as BlackCat. The advisory describes the tactics, techniques, and procedures (TTPs) the group uses. ALPHV/BlackCat is known for its sophisticated encryption and for double extortion: it encrypts data and also threatens to publish the data it has exfiltrated. The advisory aims to help organizations recognize, prevent, and respond to attacks involving this ransomware by detailing its indicators of compromise (IOCs) and offering mitigation recommendations.

    Indicators of Compromise (IOC) List

    URL/Domain

    resources.docusong.com

    instance-rbjvws-relay.screenconnect.com

    instance-qqemas-relay.screenconnect.com

    pcrendal.com

    Fisa99.screenconnect.com

    IP Address

    45.32.141.168

    185.195.59.218

    5.199.168.233

    45.77.0.92

    91.92.254.193

    5.199.168.24

    92.223.89.55

    Hash

    MD5

    ebca4398e949286cb7f7f6c68c28e838

    c04c386b945ccc04627d1a885b500edf

    SHA-1

    430bd437162d4c60227288fa6a82cde8a5f87100

    1376ac8b5a126bb163423948bd1c7f861b4bfe32

    SHA-256

    5d1df950b238825a36fa6204d1a2935a5fbcfe2a5991a7fc69c74f476df67905

    bd9edc3bf3d45e3cdf5236e8f8cd57a95ca3b41f61e4cd5c6c0404a83519058e

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    URL/Domain

    userdomainname like "resources.docusong.com" or url like "resources.docusong.com" or userdomainname like "instance-rbjvws-relay.screenconnect.com" or url like "instance-rbjvws-relay.screenconnect.com" or userdomainname like "instance-qqemas-relay.screenconnect.com" or url like "instance-qqemas-relay.screenconnect.com" or userdomainname like "pcrendal.com" or url like "pcrendal.com" or userdomainname like "Fisa99.screenconnect.com" or url like "Fisa99.screenconnect.com"

    IP Address

    dstipaddress IN ("45.32.141.168","185.195.59.218","5.199.168.233","45.77.0.92","91.92.254.193","5.199.168.24","92.223.89.55") or ipaddress IN ("45.32.141.168","185.195.59.218","5.199.168.233","45.77.0.92","91.92.254.193","5.199.168.24","92.223.89.55") or publicipaddress IN ("45.32.141.168","185.195.59.218","5.199.168.233","45.77.0.92","91.92.254.193","5.199.168.24","92.223.89.55") or srcipaddress IN ("45.32.141.168","185.195.59.218","5.199.168.233","45.77.0.92","91.92.254.193","5.199.168.24","92.223.89.55")

    Hash

    md5hash IN ("ebca4398e949286cb7f7f6c68c28e838","c04c386b945ccc04627d1a885b500edf")
    
    sha1hash IN ("430bd437162d4c60227288fa6a82cde8a5f87100","1376ac8b5a126bb163423948bd1c7f861b4bfe32")
    
    sha256hash IN ("5d1df950b238825a36fa6204d1a2935a5fbcfe2a5991a7fc69c74f476df67905","bd9edc3bf3d45e3cdf5236e8f8cd57a95ca3b41f61e4cd5c6c0404a83519058e")
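    As an added example that is not part of the original advisory or of Gurucul's product, the Python script below applies the same three indicator classes (domains, IP addresses, file hashes) to a handful of constructed key=value log records. The log lines and the field names (query, url, src_ip, dst_ip, md5, sha1, sha256) are assumptions made for the example. Unlike an unanchored like comparison, it matches domains on DNS label boundaries, so a URL path that merely contains an indicator string does not fire, and it normalizes hash case before comparison.

```python
"""Scan sample log records for the ALPHV/BlackCat IOCs listed on this page.
Added example, not Gurucul's TDIR query language. The log lines are constructed
for illustration; field names (query, url, src_ip, dst_ip, md5, sha1, sha256)
are assumptions about a generic key=value log format."""
import ipaddress
import re
from urllib.parse import urlsplit

# Domains from the advisory, lowercased (DNS names are case-insensitive).
DOMAINS = {
    "resources.docusong.com",
    "instance-rbjvws-relay.screenconnect.com",
    "instance-qqemas-relay.screenconnect.com",
    "pcrendal.com",
    "fisa99.screenconnect.com",
}
IPS = {ipaddress.ip_address(a) for a in (
    "45.32.141.168", "185.195.59.218", "5.199.168.233", "45.77.0.92",
    "91.92.254.193", "5.199.168.24", "92.223.89.55")}
# MD5 (32 hex), SHA-1 (40) and SHA-256 (64) digests from the advisory, lowercased.
HASHES = {
    "ebca4398e949286cb7f7f6c68c28e838",
    "c04c386b945ccc04627d1a885b500edf",
    "430bd437162d4c60227288fa6a82cde8a5f87100",
    "1376ac8b5a126bb163423948bd1c7f861b4bfe32",
    "5d1df950b238825a36fa6204d1a2935a5fbcfe2a5991a7fc69c74f476df67905",
    "bd9edc3bf3d45e3cdf5236e8f8cd57a95ca3b41f61e4cd5c6c0404a83519058e",
}
DOMAIN_FIELDS = {"query", "domain", "userdomainname"}
IP_FIELDS = {"src_ip", "dst_ip", "ip"}
HASH_FIELDS = {"md5", "sha1", "sha256"}
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv(line):
    """Parse key=value pairs; values may be double-quoted to allow spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV_RE.finditer(line)}


def host_matches(host):
    """Exact or subdomain match, anchored on DNS labels.
    An unanchored substring test (LIKE '%pcrendal.com%') would also flag
    notpcrendal.com; other screenconnect.com relay instances are not flagged,
    since only the listed instance names are indicators."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in DOMAINS)


def url_host(url):
    """Hostname of a URL, tolerating URLs written without a scheme."""
    try:
        return urlsplit(url if "://" in url else "//" + url).hostname
    except ValueError:
        return None


def parse_ip(value):
    """ipaddress object for a dotted/colon address, or None if unparseable."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def match_record(fields):
    """Return (indicator_type, field, value) hits for one parsed record."""
    hits = []
    for key, val in fields.items():
        if key in DOMAIN_FIELDS and host_matches(val):
            hits.append(("domain", key, val))
        elif key == "url" and (h := url_host(val)) and host_matches(h):
            hits.append(("domain", key, val))
        elif key in IP_FIELDS and parse_ip(val) in IPS:
            hits.append(("ip", key, val))
        elif key in HASH_FIELDS and val.lower() in HASHES:  # case-insensitive
            hits.append(("hash", key, val))
    return hits


def scan(lines):
    """Return (line_number, hit) pairs for every IOC hit across the log lines."""
    return [(n, hit) for n, line in enumerate(lines, 1)
            for hit in match_record(parse_kv(line))]


# Constructed sample telemetry (not real logs); 10.0.0.x are internal hosts.
SAMPLE_LOGS = [
    'ts=2024-08-07T10:01:02Z type=dns src_ip=10.0.0.5 query=resources.docusong.com',
    'ts=2024-08-07T10:01:09Z type=proxy src_ip=10.0.0.5 dst_ip=45.32.141.168 url="https://pcrendal.com/update.bin"',
    'ts=2024-08-07T10:02:30Z type=proxy src_ip=10.0.0.7 dst_ip=93.184.216.34 url="https://www.example.com/notpcrendal.com"',
    'ts=2024-08-07T10:03:00Z type=edr hostname=WS-17 sha256=5D1DF950B238825A36FA6204D1A2935A5FBCFE2A5991A7FC69C74F476DF67905',
    'ts=2024-08-07T10:03:05Z type=edr hostname=WS-18 md5=ebca4398e949286cb7f7f6c68c28e838',
    'ts=2024-08-07T10:04:00Z type=dns src_ip=10.0.0.9 query=instance-zzzzzz-relay.screenconnect.com',
]

if __name__ == "__main__":
    for n, (kind, field, value) in scan(SAMPLE_LOGS):
        print(f"line {n}: {kind} IOC in {field}={value}")
```

    Running the script prints five hits. The third and sixth sample lines are deliberate non-matches: a URL whose path merely contains the string notpcrendal.com, and a ScreenConnect relay instance that is not on the list. ScreenConnect itself is legitimate remote-support software, so only the three listed relay hostnames are indicators; flagging every screenconnect.com connection would bury the real signal in noise.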

    Reference: 

    https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-353a

    Tags: CISA, Ransomware, Malware
