18 September 2023

Black Cat actors encrypt Azure accounts with new Sphynx ransomware


Black Cat actors encrypt Azure accounts with new Sphynx ransomware

The BlackCat (ALPHV) ransomware group has been observed using compromised Microsoft accounts and the new Sphynx ransomware variant to take over Azure Storage accounts.

First spotted earlier this year, the Sphynx variant embeds the Impacket networking framework and the Remcom hacking tool, both facilitating lateral movement in compromised networks. The Impacket tool has credential dumping and remote service execution modules that could be used for broad deployment of the BlackCat ransomware in target environments. Microsoft said it first discovered this new version in July 2023.

While investigating a recent breach, Sophos X-Ops researchers discovered that the attacker used an updated Sphynx version. The threat actor was able to gain access to the targeted Azure portal using a stolen Azure access key.

The attackers used a variety of remote monitoring and management tools such as AnyDesk, Splashtop, and Atera, as well as Chrome to access the target's installed LastPass vault via the browser extension. They obtained a one-time password for accessing the target's Sophos Central account used to manage Sophos products.

The threat actor then altered security policies and disabled Tamper Protection within Central before encrypting the victim’s systems and remote Azure Storage accounts via ransomware.

Sophos said that 39 Azure accounts in total were successfully encrypted by the attackers.

Last week, the BlackCat ransomware group took responsibility for the MGM Resort hack. The group said that they encrypted more than 100 ESXi servers after MGM Resorts took down its internal infrastructure, as well as exfiltrated data from the network. The gang also said they maintain access to some of the company’s infrastructure and are threatening to carry out new attacks unless a ransom is paid.


Back to the list

Latest Posts

Critical Aviatrix Controller flaw exploited to install backdoors and cryptominers

Critical Aviatrix Controller flaw exploited to install backdoors and cryptominers

The vulnerability allows attackers to escalate privileges and gain full control of cloud resources.
13 January 2025
Over 4K active hacker backdoors found in expiring or abandoned domains

Over 4K active hacker backdoors found in expiring or abandoned domains

Several of the web shells had been backdoored by their original maintainers, leaking critical information.
13 January 2025
Microsoft takes legal action against hackers exploiting AI for malicious purposes

Microsoft takes legal action against hackers exploiting AI for malicious purposes

The group accessed generative AI services and manipulated the system to produce harmful content.
13 January 2025