ALPHV/BlackCat ransomware group has listed US-based business Air Comm Corporation and Singaporean company Fu Yu Corporation as victims on its leak site. The Air Comm entry comes with a description of the stolen data and a deadline, while the Fu Yu entry has neither.
“We have many information from u inner systems,” said the one-line note on Fu Yu Corporation. No deadline is given for ransom payment.
ALPHV #ransomware group added 2 new victims to their leaks page.
— FalconFeedsio (@FalconFeedsio) January 13, 2023
ALPHV/BlackCat, Air Comm, and Fu Yu
Air Comm Corporation is a US-based aviation and aerospace business that makes vapor-cycle air conditioners and bleed-air heaters. American private equity firm Arcline Investment Management acquired the company for $250 million in July 2021.
Fu Yu Corporation is a Singapore-based business that manufactures and supplies engineered plastic products and components for sectors such as information technology. The company is publicly traded on the Singapore stock exchange.
ALPHV/BlackCat claims to have about 1TB of data, including personnel and client information and the “code of their projects”.
“We give you one week to say us to stop public your data,” added the note posted on December 12.
ALPHV/BlackCat: mode of operation
Spotted first in November 2021, the ALPHV/BlackCat ransomware group has firmly established its credentials as a threat group. Cybersecurity researchers have also traced possible links with other threat actors such as DarkSide, REvil, BlackMatter, and the Conti spin-offs.
There is a very interesting new Rust coded ransomware (first ITW?), BlackCat.
Another one used to encrypt companies' networks.
Already seen some victims from different countries, from the second half of past November.
Also look at that UI. Back to '80s?
😂@demonslay335 @VK_Intel pic.twitter.com/YttzWWUD3c
— MalwareHunterTeam (@malwrhunterteam) December 8, 2021
Written in Rust, this ransomware strain requires an access token to run, and allows additional parameters to be specified on the command line.
It comes with an encrypted configuration that includes a list of targeted services/processes, whitelisted directories/files/file extensions, and stolen credentials from the infected device.
The malware deletes all Volume Shadow Copies, escalates privileges using the CMSTPLUA COM interface, and enables remote symbolic link evaluation on the infected machine.
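As an added example, not code from the original article or from any vendor tooling, the following Python scans constructed process-creation log lines for the three behaviours just described (shadow copy deletion, remote symbolic link evaluation, and CMSTPLUA COM elevation) and flags hosts that show more than one of them. The one-line log format, host names and file paths are assumptions; the CLSID in the third rule is the documented one for the CMSTPLUA COM class, which is hosted by dllhost.exe when instantiated.

```python
import re
from collections import defaultdict

# Detection rules keyed by the BlackCat behaviour they correspond to.
# Each pattern is matched case-insensitively against the command line
# plus parent command line of a process-creation event.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I),
    "remote_symlink_evaluation": re.compile(
        r"\bfsutil(\.exe)?\s+behavior\s+set\s+symlinkevaluation\b.*\bR2[LR]:1", re.I),
    # The elevated CMSTPLUA object runs inside dllhost.exe with this CLSID;
    # seeing it as the parent of a new process is the usual telemetry.
    "cmstplua_com_elevation": re.compile(
        r"dllhost(\.exe)?\s+/processid:\{3E5FC7F9-9A51-4367-9063-A120244FBEC7\}", re.I),
}

# Assumed flattened log format: host=... user=... cmdline="..." parent="..."
LINE_RE = re.compile(
    r'host=(?P<host>\S+)\s+.*?cmdline="(?P<cmd>[^"]*)"(?:\s+parent="(?P<parent>[^"]*)")?')

# Constructed sample telemetry (not real data). ws01 shows all three
# behaviours; ws02 and srv01 show benign look-alikes that must not fire.
SAMPLE_LOGS = [
    'host=ws01 user=CORP\\alice cmdline="vssadmin.exe delete shadows /all /quiet" parent="C:\\Users\\alice\\locker.exe"',
    'host=ws01 user=CORP\\alice cmdline="fsutil behavior set SymlinkEvaluation R2L:1 R2R:1" parent="C:\\Users\\alice\\locker.exe"',
    'host=ws01 user=CORP\\alice cmdline="C:\\Users\\alice\\locker.exe" parent="dllhost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"',
    'host=ws02 user=CORP\\bob cmdline="fsutil behavior query SymlinkEvaluation" parent="cmd.exe"',
    'host=srv01 user=SYSTEM cmdline="vssadmin.exe list shadows" parent="backup_agent.exe"',
    'malformed line without fields',
]

def parse_line(line):
    """Return the host/cmd/parent fields of one log line, or None if unparsable."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None

def scan(lines):
    """Return {host: sorted rule names} for every host with at least one hit."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        text = " ".join(filter(None, (rec["cmd"], rec["parent"])))
        for name, pattern in RULES.items():
            if pattern.search(text):
                hits[rec["host"]].add(name)
    return {host: sorted(names) for host, names in hits.items()}

def triage(lines, threshold=2):
    """Hosts hitting at least `threshold` distinct rules are worth an immediate look."""
    return sorted(host for host, names in scan(lines).items() if len(names) >= threshold)

if __name__ == "__main__":
    print(scan(SAMPLE_LOGS))
    print("flagged:", triage(SAMPLE_LOGS))
```

Any single rule alone is noisy (administrators run fsutil and vssadmin too), which is why the triage step keys on several of these behaviours appearing together on one host.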
According to an FBI Flash alert in April 2022, the group was responsible for or involved in attacks on 60 organizations in March 2022 alone.