{
	"id": "eb3f6370-0840-414f-9a37-bbc1110d370b",
	"created_at": "2026-04-06T00:08:37.464019Z",
	"updated_at": "2026-04-10T03:31:50.006414Z",
	"deleted_at": null,
	"sha1_hash": "9dcce4aceeb560dfb50bfe1ea27ab0b790a53cc9",
	"title": "BlackCat ransomware hits Azure Storage with Sphynx encryptor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3189052,
	"plain_text": "BlackCat ransomware hits Azure Storage with Sphynx encryptor\r\nBy Sergiu Gatlan\r\nPublished: 2023-09-16 · Archived: 2026-04-05 20:49:18 UTC\r\nImage: Midjourney\r\nThe BlackCat (ALPHV) ransomware gang now uses stolen Microsoft accounts and the recently spotted Sphynx encryptor to encrypt targets' Azure cloud storage.\r\nWhile investigating a recent breach, Sophos X-Ops incident responders discovered that the attackers used a new Sphynx variant with added support for custom credentials.\r\nhttps://www.bleepingcomputer.com/news/security/blackcat-ransomware-hits-azure-storage-with-sphynx-encryptor/\r\nPage 1 of 4\r\nAfter gaining access to the Sophos Central account using a stolen one-time password (OTP), they disabled Tamper Protection and modified the security policies. These actions were possible after stealing the OTP from the victim's LastPass vault using the LastPass Chrome extension.\r\nSubsequently, they encrypted the Sophos customer's systems and remote Azure cloud storage and appended the .zk09cvt extension to all locked files. In total, the ransomware operators successfully encrypted 39 Azure Storage accounts.\r\nThey got into the victim's Azure portal using a stolen Azure key that gave them access to the targeted storage accounts. The keys used in the attack were embedded in the ransomware binary after being Base64-encoded.\r\nThe attackers also used multiple Remote Monitoring and Management (RMM) tools, including AnyDesk, Splashtop, and Atera, throughout the intrusion.
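The Base64-wrapped storage keys described above are something a responder can hunt for in a captured sample. The Python scanner below is an added example written for this page, not code from the article, Sophos or Microsoft. It walks every Base64-alphabet run in a binary, decodes the ones that are valid Base64, and reports anything that decodes to an Azure Storage connection string (AccountName=...;AccountKey=...) or to a bare 64-byte account key; it goes a little beyond the case in the text by also catching connection strings left in plaintext. SAMPLE_BINARY, the account name victimstore01 and both keys are constructed stand-ins, and every function and variable name is the example's own.

```python
'''Hunt a binary for Azure Storage credentials, plaintext or Base64-wrapped.

Added example for this page, not code from the article, Sophos or Microsoft.
Assumes the operator embedded a whole connection string or a bare account key;
SAMPLE_BINARY below is a constructed stand-in and its keys are fixed dummies.
'''
import base64
import binascii
import re
import string

# A 64-byte storage account key is 88 Base64 characters ending in '=='.
ACCOUNT_KEY = re.compile(rb'AccountKey=([A-Za-z0-9+/]{86}==)')
ACCOUNT_NAME = re.compile(rb'AccountName=([a-z0-9]{3,24})')
# Any run of Base64 alphabet long enough to hold a key or a connection string.
B64_RUN = re.compile(rb'[A-Za-z0-9+/]{32,}={0,2}')
PRINTABLE = set(string.printable.encode())


def _connection_strings(data, kind):
    '''Every AccountKey= in data, paired with the AccountName= if one is present.'''
    hits = []
    for m in ACCOUNT_KEY.finditer(data):
        name = ACCOUNT_NAME.search(data)
        hits.append({'offset': m.start(), 'kind': kind,
                     'account': name.group(1).decode() if name else None,
                     'key': m.group(1).decode()})
    return hits


def _looks_like_key_material(decoded):
    '''64 random bytes almost always contain many non-printable values;
    64 bytes of text (which also encodes to 88 characters) do not.'''
    if len(decoded) != 64:
        return False
    non_printable = sum(1 for b in decoded if b not in PRINTABLE)
    return non_printable / len(decoded) > 0.3


def find_embedded_azure_keys(blob):
    '''Return hits sorted by offset: plaintext connection strings, Base64-wrapped
    connection strings, and bare Base64 keys, with decoys filtered out.'''
    hits = _connection_strings(blob, 'plaintext')
    for run in B64_RUN.finditer(blob):
        text = run.group(0)
        try:
            decoded = base64.b64decode(text, validate=True)
        except binascii.Error:
            continue  # e.g. a long import name whose length is not a multiple of 4
        for hit in _connection_strings(decoded, 'base64-connection-string'):
            hit['offset'] = run.start()  # offset of the wrapper, not of the decoded text
            hits.append(hit)
        if len(text) == 88 and _looks_like_key_material(decoded):
            hits.append({'offset': run.start(), 'kind': 'bare-key',
                         'account': None, 'key': text.decode()})
    return sorted(hits, key=lambda h: h['offset'])


# Constructed sample: a PE-like header, a long import name that is Base64
# alphabet but not valid Base64 (decoy), a Base64-wrapped connection string,
# and a bare key. Both keys are fixed dummy values, not real credentials.
SAMPLE_KEY_A = base64.b64encode(bytes(range(64))).decode()
SAMPLE_KEY_B = base64.b64encode(bytes(range(128, 192))).decode()
SAMPLE_CONN = ('DefaultEndpointsProtocol=https;AccountName=victimstore01;'
               f'AccountKey={SAMPLE_KEY_A};EndpointSuffix=core.windows.net')
SAMPLE_BINARY = (b'MZ' + bytes(30)
                 + b'GetProcAddressLoadLibraryExWVirtualAllocExNuma' + bytes(1)
                 + b'cfg=' + base64.b64encode(SAMPLE_CONN.encode()) + bytes(9)
                 + SAMPLE_KEY_B.encode() + bytes(1))

if __name__ == '__main__':
    for hit in find_embedded_azure_keys(SAMPLE_BINARY):
        print(hex(hit['offset']), hit['kind'], hit['account'], hit['key'])
```

A storage account key authorizes data-plane requests on its own, so once one turns up in a sample the response is to rotate both keys of that account and, where the workloads allow it, disable shared-key authorization on the account so only identity-based access remains. A connection string left in plaintext is reported twice, once as the string and once as the bare key inside it, which is acceptable noise for triage.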
\r\nSophos discovered the Sphynx variant in March 2023 during an investigation into a data breach that shared similarities with another attack described in an IBM X-Force report published in May (the ExMatter tool was used to extract the stolen data in both instances).\r\nMicrosoft also found last month that the new Sphynx encryptor embeds the Remcom remote command execution tool and the Impacket networking framework for lateral movement across compromised networks.\r\nImage: BlackCat ransom note sample\r\nBlackCat/ALPHV, a ransomware operation that emerged in November 2021, is suspected to be a rebrand of DarkSide/BlackMatter.\r\nKnown initially as DarkSide, the group garnered global attention after breaching Colonial Pipeline, drawing immediate scrutiny from international law enforcement agencies.\r\nAlthough they rebranded as BlackMatter in July 2021, operations were abruptly halted in November when authorities seized their servers and security firm Emsisoft developed a decryption tool exploiting a vulnerability in the ransomware.\r\nThe gang has consistently been recognized as one of the most sophisticated and high-profile ransomware outfits targeting enterprises worldwide, continuously adapting and refining its tactics.\r\nFor instance, in a new extortion approach last summer, the gang used a dedicated clear-web site to leak the stolen data of a specific victim, giving the victim's customers and employees a way to determine whether their data had been exposed.\r\nMore recently, in July, BlackCat introduced a data leak API designed to streamline the dissemination of stolen data.\r\nThis week, one of the gang's affiliates (tracked as Scattered Spider) claimed the attack on MGM Resorts, saying they encrypted over 100 ESXi hypervisors after the company took down its internal infrastructure and refused to negotiate a ransom payment.\r\nLast April, the FBI issued a warning that the group was behind the successful breaches of more than 60 entities worldwide between November 2021 and March 2022.\r\nSource: https://www.bleepingcomputer.com/news/security/blackcat-ransomware-hits-azure-storage-with-sphynx-encryptor/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/blackcat-ransomware-hits-azure-storage-with-sphynx-encryptor/"
	],
	"report_names": [
		"blackcat-ransomware-hits-azure-storage-with-sphynx-encryptor"
	],
	"threat_actors": [
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434117,
	"ts_updated_at": 1775791910,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9dcce4aceeb560dfb50bfe1ea27ab0b790a53cc9.pdf",
		"text": "https://archive.orkl.eu/9dcce4aceeb560dfb50bfe1ea27ab0b790a53cc9.txt",
		"img": "https://archive.orkl.eu/9dcce4aceeb560dfb50bfe1ea27ab0b790a53cc9.jpg"
	}
}