Attackers in Profile: menuPass and ALPHV/BlackCat
The structural complexity of the menuPass/APT10 Umbrella points to one of the basic challenges of threat intelligence: threat actors are not always tidily defined or homogeneous.
ALPHV/BlackCat brings its own wrinkles to the puzzle. Sometimes the name refers to a Rust-based ransomware offered as a service, and sometimes to the threat actor group that develops and operates that as-a-service offering.
MITRE Engenuity clearly puts ALPHV/BlackCat in that latter bucket, explaining, “A ransomware-as-a-service operation, ALPHV/BlackCat emerged in 2021, targeting various industries with a flexible ransomware strain capable of cross-platform attacks on Windows, Linux, and VMware systems.”
MITRE Engenuity borrowed “signature behaviors” from both menuPass and ALPHV/BlackCat to mount a “multi-subsidiary compromise with overlapping operations focusing on defense evasion, exploiting trusted relationships, data encryption, and inhibiting system recovery.”
From menuPass, the evaluation took a mix of living-off-the-land techniques, custom fileless malware, anti-analysis tactics, and exploitation of trusted third-party relationships for credential access. From ALPHV/BlackCat it took defense evasion techniques along with data exfiltration, data encryption, data destruction, and inhibition of system recovery.
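Two of the emulated ALPHV/BlackCat behaviours, inhibiting system recovery (ATT&CK T1490) and living-off-the-land use of built-in Windows tooling, are the ones a managed detection service has to catch before encryption starts, because by the time the ransom note appears the shadow copies are already gone. The following is an added example, not code from the original post, from MITRE Engenuity's evaluation, or from Trend Micro's products: a small rule-based detector run over constructed process-creation records. The record layout (host, parent image, image, command line), the rule names and the escalation threshold are assumptions for the illustration; the sample events are constructed, not real telemetry.

```python
"""Added example: detect recovery-inhibition and encoded-PowerShell activity
in process-creation telemetry. Not part of the original post or of any
vendor's detection content; record layout and thresholds are assumptions."""
import re
from dataclasses import dataclass

# Constructed sample records in the shape of Sysmon Event ID 1 / Windows 4688
# process-creation data: (host, parent image, image, command line).
SAMPLE_EVENTS = [
    ("ws01", r"C:\Windows\explorer.exe", r"C:\Windows\System32\vssadmin.exe",
     "vssadmin.exe list shadows"),                      # benign: enumeration only
    ("ws01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\vssadmin.exe",
     "vssadmin.exe delete shadows /all /quiet"),
    ("ws01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\bcdedit.exe",
     "bcdedit /set {default} recoveryenabled No"),
    ("ws01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\bcdedit.exe",
     "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    ("fs02", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wbadmin.exe",
     "wbadmin delete catalog -quiet"),
    ("fs02", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    ("fs02", r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe",
     "svchost.exe -k netsvcs"),                         # benign: normal service host
]


@dataclass(frozen=True)
class Rule:
    name: str            # hypothetical rule name chosen for this example
    technique: str       # ATT&CK technique ID the rule maps to
    pattern: re.Pattern  # matched against the full command line, case-insensitive


# Each pattern keys on the destructive verb, so that read-only uses of the
# same LOLBin (e.g. "vssadmin list shadows") do not fire.
RULES = [
    Rule("shadow_copy_deletion", "T1490",
         re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    Rule("shadow_copy_deletion_wmic", "T1490",
         re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    Rule("backup_catalog_deletion", "T1490",
         re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I)),
    Rule("boot_recovery_disabled", "T1490",
         re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|"
                    r"bootstatuspolicy\s+ignoreallfailures)", re.I)),
    Rule("encoded_powershell", "T1059.001",
         re.compile(r"\bpowershell(\.exe)?\b.*\s-(?:e|ec|enc|encodedcommand)\s+"
                    r"[A-Za-z0-9+/=]{20,}", re.I)),
]


def detect(events):
    """Return one finding per (rule, event) match, in event order."""
    findings = []
    for host, parent, image, cmdline in events:
        for rule in RULES:
            if rule.pattern.search(cmdline):
                findings.append({"host": host, "rule": rule.name,
                                 "technique": rule.technique,
                                 "parent": parent, "cmdline": cmdline})
    return findings


def summarize_by_host(findings):
    """Roll findings up per host. Two or more distinct T1490 rules on one host
    is the pre-encryption pattern worth paging on ("high"); a single hit is
    worth a look but is also what a backup job or an admin can produce."""
    by_host = {}
    for f in findings:
        entry = by_host.setdefault(
            f["host"], {"count": 0, "techniques": set(), "recovery_rules": set()})
        entry["count"] += 1
        entry["techniques"].add(f["technique"])
        if f["technique"] == "T1490":
            entry["recovery_rules"].add(f["rule"])
    for entry in by_host.values():
        entry["severity"] = "high" if len(entry["recovery_rules"]) >= 2 else "medium"
    return by_host


if __name__ == "__main__":
    for host, entry in summarize_by_host(detect(SAMPLE_EVENTS)).items():
        print(host, entry["severity"], sorted(entry["techniques"]), entry["count"])
```

The escalation step matters as much as the patterns: a single `wbadmin delete catalog` is a medium-confidence signal, but shadow-copy deletion followed by `bcdedit` disabling recovery on the same host is the sequence the evaluation emulated, and correlating across rules per host is what separates an alert from a page.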
Where are they now?
While the TTPs used for the MITRE Engenuity managed service evaluation are well known and documented, threat actors don’t stay frozen in time. Trend™ Research is continuing to track both menuPass and ALPHV/BlackCat.
As a state-sponsored cyber espionage group, menuPass (APT10 Umbrella) shifts its targets according to the intelligence priorities of its sponsor. Its goals are generally the same: collection and brokerage of information, theft of personally identifying information, and related activities. In 2018, members of the group were indicted in the United States, but the group has since resurfaced, creating a splash during the pandemic with apparent (unsuccessful) intrusions against Indian vaccine makers and then playing a role in the A41APT multi-industry data theft campaign.
Because menuPass has so many subgroups and splinters, it’s imprecise to attribute any specific campaign to the umbrella entity, or to consider any single motive, toolset, or TTP to be definitively identifying.
The ALPHV/BlackCat group that ‘inspired’ the MITRE Engenuity attack approach for this year’s managed services evaluation is defunct: it broke apart in winter 2024 in an internal dispute over the ransom paid by Change Healthcare. Even so, ransomware groups tend to burn out, reform, and resurface, since ransomware remains a lucrative business, and the TTPs do not disappear with the brand.
In general, threat actors’ TTPs are converging as cybercrime ‘best practices’ spread and as defensive techniques evolve.
Threat intelligence is critical
Defending against actors like menuPass and ALPHV/BlackCat requires a combination of advanced cybersecurity tools and leading threat intelligence. The importance of the second part of that formula can’t be overstated. Knowing where a threat is coming from, what is likely motivating it, and what the attackers’ next moves may be all supports better, more effective decisions for tracking and mitigating threats.
Trend Micro™ Managed Detection and Response (MDR) service is built on our Trend Vision One™ platform and informed by Trend Research threat intelligence and the findings of our Trend Micro™ Zero-Day Initiative™ (ZDI). Trend Vision One provides the automated detection and response capabilities, while the understanding of threat behaviors and how to handle them comes from Trend Research.
Beyond advanced persistent threats and ransomware, other major focuses of Trend Research today include AI security, cloud security, network threats, and the overall risk landscape: what it is made of and how it is changing. We’re committed to continuing our work to bring insight to cybersecurity, to provide the most effective managed security services possible, and to drive the advancement of security technologies.
Next steps
For more on our Trend MDR, XDR, and other related topics, check out these additional resources: