ArcSight Use Case on BlackCat/ALPHV Ransomware
- Pavan Raja

- Apr 26, 2022
- 1 min read
As of March 2022, BlackCat/ALPHV ransomware as a service (RaaS) had compromised at least 60 entities worldwide and is the first ransomware group to do so successfully using Rust, considered to be a more secure programming language that offers improved performance and reliable concurrent processing. BlackCat-affiliated threat actors typically request ransom payments of several million dollars in Bitcoin and Monero, but have accepted ransom payments below the initial ransom demand amount.
The purpose of this document is to provide information on this threat and to capture related activity by alerting on it with ArcSight ESM. The use cases therefore apply to any infrastructure built on a Microsoft implementation that involves Active Directory, Group Policy Object deployment, and an environment that leverages PowerShell scripts.


The ARB package can be downloaded from the link below.
