AlphV (also known as BlackCat), a notorious Russian-speaking ransomware group, has claimed responsibility for a series of cyber attacks on prominent companies in Victoria, Australia. The group boasts that it infiltrated the organizations and stole 4.95 terabytes of sensitive company data. The claims were posted on the group's dark web leak site, where it also outlined plans for a pressure campaign involving emails and phone calls to the targeted companies' clients, who would be offered the option of paying a fee to have their own data removed from the public leak. The group warned that if the companies refuse to negotiate, the campaign would begin in 72 hours.
One of the companies targeted by AlphV is TissuPath, a pathology firm. TissuPath has confirmed that it experienced a cybersecurity incident and is investigating a data breach at a third-party IT supplier. The breach reportedly involves pathology referrals issued to TissuPath between 2011 and 2020. The exposed data includes patient names, dates of birth, contact details, Medicare numbers, and private health insurance details. TissuPath has assured its patients that the critical databases holding patient diagnoses were not compromised, and notes that it does not store financial information or other sensitive personal documents.
The Cyber Express reached out to the other companies listed as victims by AlphV, namely Strata Plan, Barry Plant Blackburn, and Tisher Liner FC Law, but as of now no official response or statement has been received from these organizations. Notably, TissuPath, Strata Plan, and Barry Plant Blackburn were all clients of Core Desktop, a South Melbourne-based IT services company, which points to a single supply-chain entry point rather than separate intrusions. Core Desktop sent a message to its customers disclosing the date of discovery as August 22, 2023.
The AlphV ransomware gang gained notoriety as the first known ransomware group to write its malware in Rust. The locker requires a 32-byte access token on the command line and accepts additional parameters; the token is needed to decrypt its embedded configuration, so a sample captured without the command line it was launched with cannot simply be detonated in a sandbox. That encrypted configuration includes a list of services and processes to terminate, an allowlist of directories, files, and file extensions to skip, and a set of credentials harvested from the victim's environment, which the locker uses to reach other hosts. The group's modus operandi involves erasing all Volume Shadow Copies, bypassing UAC to escalate privileges through the CMSTPLUA COM interface, and enabling "remote to local" and "remote to remote" symbolic link evaluation on the target machine so that encryption can follow links onto network shares.
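The behaviours listed above are the ones a defender can most readily hunt for in process-creation telemetry. The following detection sketch is an added example written for this page; it is not code from the article, from AlphV, or from any vendor. The sample events are constructed, and the `--access-token` flag name and the CMSTPLUA CLSID used in the rules are taken from public reporting rather than from this article, so treat them as assumptions to verify against your own samples.

```python
"""Detection sketch for the AlphV/BlackCat behaviours described above.

Added example, not code from the article or from any vendor. The events below
are constructed to resemble Sysmon Event ID 1 / Windows 4688 records; they are
not real telemetry.
"""
import re
from collections import defaultdict

# Command-line patterns for the behaviours the article lists. The --access-token
# flag name is an assumption taken from public reporting, not from this article.
CMDLINE_RULES = {
    # Erasing all Volume Shadow Copies (vssadmin and the wmic equivalent).
    "shadow_copy_deletion": re.compile(
        r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I),
    # Enabling remote-to-local / remote-to-remote symlink evaluation ("set", not "query").
    "symlink_evaluation_remote": re.compile(
        r"fsutil(\.exe)?\s+behavior\s+set\s+symlinkevaluation\b.*\b(r2l|r2r):1", re.I),
    # Launch with a 32-byte access token (32 hex chars in our constructed sample,
    # up to 64 allowed in case the token is hex-encoded).
    "access_token_launch": re.compile(r"--access-token\s+[0-9a-f]{32,64}\b", re.I),
}

# Privilege escalation through the CMSTPLUA COM interface shows up as a child of
# the COM surrogate dllhost.exe hosting that CLSID. The CLSID value is assumed
# from public UAC-bypass reporting, not taken from the article.
CMSTPLUA_PARENT = re.compile(
    r"dllhost\.exe\s+/processid:\{3E5FC7F9-9A51-4367-9063-A120244FBEC7\}", re.I)

# Constructed sample events (not real logs): ws01 and ws02 show the chain,
# ws03 shows a single weak signal, ws04 is benign.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\fsutil.exe",
     "cmdline": "fsutil behavior set SymlinkEvaluation R2L:1 R2R:1"},
    {"host": "ws01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws02", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "ws02", "image": r"C:\Users\bob\AppData\Local\Temp\locker.exe",
     "cmdline": "locker.exe --access-token 0123456789abcdef0123456789abcdef",
     "parent_cmdline": r"C:\Windows\System32\dllhost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"},
    {"host": "ws03", "image": r"C:\Windows\System32\fsutil.exe",
     "cmdline": "fsutil behavior query SymlinkEvaluation"},
    {"host": "ws03", "image": r"C:\Users\alice\AppData\Local\Temp\locker.exe",
     "cmdline": "locker.exe --access-token 0123456789abcdef0123456789abcdef --no-prop-servers"},
    {"host": "ws04", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]


def detect_event(event):
    """Return the list of rule names a single process-creation record triggers."""
    hits = [name for name, rx in CMDLINE_RULES.items()
            if rx.search(event.get("cmdline", ""))]
    if CMSTPLUA_PARENT.search(event.get("parent_cmdline", "")):
        hits.append("cmstplua_elevation")
    return hits


def scan(events):
    """Map each host to the set of distinct rule names its events triggered."""
    by_host = defaultdict(set)
    for ev in events:
        for name in detect_event(ev):
            by_host[ev["host"]].add(name)
    return dict(by_host)


def high_confidence_hosts(events, min_rules=2):
    """Hosts where at least min_rules distinct behaviours fired.

    Any one signal alone is noisy (an admin may legitimately delete shadow
    copies); two or more together on the same host match the chain the
    article describes and are worth an immediate look.
    """
    return sorted(h for h, rules in scan(events).items() if len(rules) >= min_rules)


if __name__ == "__main__":
    for host, rules in sorted(scan(SAMPLE_EVENTS).items()):
        print(host, sorted(rules))
    print("high confidence:", high_confidence_hosts(SAMPLE_EVENTS))
```

Run against the constructed events, ws01 and ws02 come back as high-confidence hits while ws03 (a token launch with only a read-only `fsutil ... query`) and ws04 do not; in production the same rules would be fed from a SIEM's process-creation table, and the `query` versus `set` distinction is what keeps routine administration out of the alert.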
The information in this report is based on internal and external research obtained through various means, and The Cyber Express assumes no liability for its accuracy or for the consequences of using it. The situation is ongoing: it has yet to be confirmed how the affected companies will respond to the ransomware group's demands or how they will mitigate the damage from the data breach.

