{
	"id": "0dc80c48-a822-4f40-a8c1-c329177ddc58",
	"created_at": "2026-04-06T00:14:23.172797Z",
	"updated_at": "2026-04-10T03:29:39.937258Z",
	"deleted_at": null,
	"sha1_hash": "ede7a171d8d96e4bf02144ef76697cfd941da6e3",
	"title": "The Anatomy of an ALPHA SPIDER Ransomware Attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1287444,
	"plain_text": "The Anatomy of an ALPHA SPIDER Ransomware Attack\r\nBy Jean-Philippe Teissier\r\nArchived: 2026-04-05 14:17:08 UTC\r\nALPHA SPIDER is the adversary behind the development and operation of the Alphv ransomware as a\r\nservice (RaaS).\r\nOver the last year, ALPHA SPIDER affiliates have been leveraging a variety of novel techniques as part of\r\ntheir ransomware operations.\r\nCrowdStrike Services has observed techniques such as the usage of NTFS Alternate Data Streams for\r\nhiding a reverse SSH tool, exploitation of multiple vulnerabilities associated with a GNU/Linux-based\r\nappliance for initial access and privilege escalation, and bypassing DNS-based filtering and multifactor\r\nauthentication (MFA) by tampering with network configuration files.\r\nAffiliates of ALPHA SPIDER are still conducting successful ransomware operations against victims, and\r\nthis adversary remains a clear and present threat to any organization.\r\nOver the last two years, CrowdStrike Services has run several incident response (IR) engagements — in both pre- and post-ransomware situations — in which different ALPHA SPIDER affiliates demonstrated novel offensive\r\ntechniques coupled with more commonly observed techniques. The events described in this blog have been\r\nattributed to ALPHA SPIDER affiliates by CrowdStrike Counter Adversary Operations.\r\nAlphv ransomware-as-a-service, which first emerged in December 2021, is notable for being the first written in\r\nthe Rust programming language. 
The Alphv RaaS offers a number of features designed to attract sophisticated\r\naffiliates, including ransomware variants targeting multiple operating systems; a highly customizable variant that\r\nrebuilds itself every hour to evade antivirus tooling; a searchable database on a clear web domain and the\r\nadversary’s dedicated leak site (DLS), which enables visitors to search for leaked data; and a Bitcoin mixer\r\nintegrated to affiliate panels.\r\nMany of the Alphv affiliates CrowdStrike Counter Adversary Operations has observed have proven adept at\r\nencrypting victim virtualization infrastructure. Affiliates have used Linux variants of Cobalt Strike and SystemBC\r\nto perform reconnaissance of VMware ESXi servers prior to deploying ransomware.\r\nMore information can be found in the CrowdStrike Counter Adversary Operations profile in our Adversary\r\nUniverse: https://www.crowdstrike.com/adversaries/alpha-spider/.\r\nAdd the Adversary Universe podcast to your playlist to join our hosts as they unmask the threat actors\r\ntargeting your organization.\r\nChaining Vulnerabilities to Obtain Initial Access and Achieve Persistence\r\nIn an IR engagement perpetrated by an ALPHA SPIDER affiliate (subsequently referred to in this blog as Threat\r\nActor 1), the adversary used a combination of two software vulnerabilities to gain an initial foothold within the\r\nhttps://www.crowdstrike.com/blog/anatomy-of-alpha-spider-ransomware/\r\nPage 1 of 10\n\ntarget’s network. First, Threat Actor 1 leveraged an exploit for the vulnerability identified as CVE-2021-44529,1 a\r\ncode injection vulnerability in the Ivanti EPM Cloud Services Appliance (CSA) that affects the CSA Web Server\r\ncomponent and allows an unauthenticated user to execute arbitrary code with limited permission (user nobody). A\r\npatch was made available for CVE-2021-44529 before the exploit happened on December 2, 2021. 
Once they\r\nwere able to run code on the server, Threat Actor 1 used an exploit for the vulnerability identified as CVE-2021-40347,2 also known as PwnKit, to temporarily obtain root privileges and add a new UID 0 (“root”) account to the\r\nsystem. At this point, Threat Actor 1 installed a reverse-ssh3 executable to connect back to their server. The\r\nreverse-ssh was periodically executed by the local Cron daemon to achieve persistence on the compromised\r\nsystem.\r\nSee this blog for more information about hunting for PwnKit: Hunting pwnkit Local Privilege Escalation in Linux\r\n(CVE-2021-4034).\r\nNoisy Network Discovery and Credential Access\r\nAfter getting an initial locally privileged foothold into the target network, Threat Actor 1 in the same engagement\r\nperformed extensive network discovery activities. Threat Actor 1 downloaded Nmap, the infamous network\r\nscanning tool, plus additional Nmap scripts. Using Nmap,4 the threat actor conducted system and services\r\ndiscovery and made use of specific Nmap scripts to perform a targeted vulnerability scan of the target’s network.\r\nFollowing this scan, Threat Actor 1 attempted to use mitm6,5 and responder,6 two offensive security network\r\ntools, to gather additional credentials. According to their respective authors, mitm6 is a “pentesting tool that\r\nexploits the default configuration of Windows to take over the default DNS server” and responder is an\r\n“LLMNR, NBT-NS and MDNS poisoner.” Threat Actor 1 also attempted to exploit the vulnerability identified as\r\nCVE-2021-21972.7 CVE-2021-21972 is a remote code execution vulnerability in a vCenter Server plugin, which\r\na threat actor may exploit to execute commands with unrestricted privileges. 
Later during this attack, Threat Actor\r\n1 also installed masscan8 on the compromised CSA server to perform additional network reconnaissance\r\nactivities.\r\nHunting for Veeam Credentials\r\nIn the same IR engagement, Threat Actor 1 targeted the Veeam backup utility9 after performing their initial lateral\r\nmovements. Veeam user account credentials are a target of choice for ransomware-oriented threat actors that often\r\ndelete system backups prior to executing their ransomware payload. In this particular engagement, Threat Actor 1\r\nattempted to use KoloVeeam (also known as veeamp) over Windows Remote Management (WinRM) protocol to\r\nextract and decrypt stored credentials.\r\nFigure 1. Example of KoloVeeam execution detected by the CrowdStrike Falcon® platform (click to enlarge)\r\nKoloVeeam is a simple tool that extracts and decrypts user credentials stored in the VeeamBackup database.\r\nCode 1. KoloVeeam decompiled code (click to enlarge)\r\nIn this particular engagement, as KoloVeeam was detected and blocked by the CrowdStrike Falcon® platform,\r\nThreat Actor 1 attempted to manually download Microsoft SQL Server Management Studio using the legitimate\r\ncertutil LOLBIN10 and to decrypt stored passwords using Veeam’s own library, Veeam.Backup.Common.dll.\r\nFigure 2. Example of Falcon platform detection of Microsoft SQL Server Management Studio downloaded using\r\nthe certutil LOLBIN (click to enlarge)\r\nAfter the initial Veeam credential access techniques were blocked, Threat Actor 1 attempted to execute the\r\nfollowing code to manually decrypt previously obtained encrypted credentials. This script was originally shared\r\non Veeam R\u0026D forums.11\r\nCode 2. 
Veeam credential decryption PowerShell script (click to enlarge)\r\nIn a different engagement, another ALPHA SPIDER affiliate (subsequently referred to in this blog as Threat Actor\r\n2) leveraged the widely available Veeam Credential Recovery12 PowerShell script (Veeam-Get-Creds.ps1) to\r\nextract user credentials from the Veeam database.\r\nHunting for Leaked Credentials\r\nIn addition to targeting Veeam, Threat Actor 1 exported the Terminal Services LocalSessionManager/Operational\r\nlogs. Threat actors may export logs like these for various reasons, such as:\r\nTo identify (privileged) user accounts usually logging in to endpoints of interest\r\nTo identify systems within the network to which the adversary may be able to move laterally\r\nTo harvest passwords that may have been mistakenly entered into the username field\r\nCode 3. Threat actor exporting Terminal Services LocalSessionManager/Operational logs (click to enlarge)\r\nMultiple Defense Evasion Techniques\r\nHiding Persistence in NTFS Alternate Data Stream (ADS)\r\nThe NTFS file system stores data using “streams.” Files have a default unnamed stream where the contents of the\r\nfile are normally stored. Folders don’t have any default stream. Alternate data streams are additional streams that\r\ncan be added to an MFT entry. 
The Windows operating system uses ADSs for different purposes, with one of the\r\nmost common use cases being the Zone.Identifier ADS, also known as the Mark-of-the-Web that Windows\r\nuses to identify the network source of a file.\r\nIn two IR engagements, Threat Actor 1 deployed a reverse-ssh executable on several Windows systems in\r\nC:\\System and then hid it in a C volume root directory “.” (MFT entry 5) ADS named “Host Process for\r\nWindows Service.” Threat Actor 1 then created a malicious service to ensure persistence for their reverse-ssh\r\ntool before deleting the executable from the initial location.\r\nCode 4. Malicious ADS and service creation command (click to enlarge)\r\nThreat Actor 1 chose a particularly interesting ADS to hide their malicious executable in, as many tools —\r\nincluding the system dir command and common PowerShell cmdlets — would not show an ADS on the root\r\nvolume, even though these commands would display ADSs on other files and directories.\r\nFigure 3. dir /r displays ADSs on files and directories but not on the root of the volume (click to enlarge)\r\nFigure 4. PowerShell 5.1 Get-Item cmdlet displays ADSs on files but not on directories or on the root of the\r\nvolume (click to enlarge)\r\nFigure 5. PowerShell 7.4 Get-Item cmdlet displays ADSs on files and directories but not on the root of the\r\nvolume (click to enlarge)\r\nHowever, like with other ADSs, this specific ADS creation can be hunted for in Falcon platform data by searching\r\nfor FileCreate or DirectoryCreate events containing a “:” character in the FileName field.\r\nFigure 6. 
Falcon platform directory ADS creation event (click to enlarge)\r\nBypassing DNS Filtering and MFA with Network Configuration Tampering\r\nIn two separate incidents, ALPHA SPIDER affiliates (Threat Actor 1 and Threat Actor 2) modified the operating\r\nsystem local name resolution configuration file to bypass security measures such as DNS-based filtering or\r\nmultifactor authentication (MFA).\r\nOn Microsoft Windows operating systems, a local name resolution configuration file is located in\r\nC:\\Windows\\System32\\Drivers\\etc\\hosts. This local configuration file is used by the system to determine the IP\r\naddress of a domain name. If an entry is present in the hosts file, the system does not perform a DNS request to\r\nresolve the domain name. In one IR engagement, Threat Actor 1 modified the hosts file on specific systems to\r\nbypass the DNS-based network filtering in place to block access to a well-known file storage website.\r\nFigure 7. Modified Windows hosts file to bypass DNS-based filtering (click to enlarge)\r\nIn another IR engagement, Threat Actor 2 modified the hosts file to deactivate the MFA and single sign-on\r\n(SSO) product in place. According to Duo product documentation,13 “By default, Duo Authentication for\r\nWindows Logon will ‘fail open’ and permit the Windows logon to continue if it is unable to contact the Duo\r\nservice.” This offensive security technique has been documented since at least 2018.14\r\nCode 5. MFA bypass commands (click to enlarge)\r\nBeing Persistent at Exfiltration\r\nIn one of the IR engagements, Threat Actor 1 persistently attempted to exfiltrate data using three different\r\nmethods and tools until they succeeded.\r\nFirst, Threat Actor 1 attempted many times to use Rclone15 to exfiltrate data. Threat Actor 1 tried to masquerade\r\nthe Rclone executable under different system and legitimate software executable names. 
Examples of such\r\nmasquerading were to rename Rclone as svchost.exe and to copy it to an unusual place or to rename it as\r\nIvan i ti Cloud Software.exe (Threat Actor 1’s spelling mistake).\r\nFigure 8. Example of Rclone detection by the Falcon platform (click to enlarge)\r\nThreat Actor 1 then downloaded FileZilla from the legitimate website.16 FileZilla is freely available FTP software\r\ncommonly used by threat actors to exfiltrate data over FTP or SFTP; however, this was blocked at the network\r\nlevel.\r\nFinally, Threat Actor 1 downloaded the MEGA17 client software to exfiltrate data to a MEGA cloud account.\r\nThreat Actor 1 used the defense evasion previously mentioned to effectively bypass the DNS-based network\r\nfiltering that was in place in the victim’s network.\r\nRecommendations\r\nALPHA SPIDER affiliates have demonstrated the ability to perform their operations and act on their objectives in\r\nrelatively short time frames. Defenders need to acknowledge this fact, invest in a state-of-the-art endpoint\r\nprotection platform and ensure a proper detection handling process or playbook is in place in their organization.\r\nAll detections should be thoroughly investigated and responded to in a timely manner to stop breaches.\r\nIt is also important to note that threat actors — like ALPHA SPIDER affiliates — have the ability to move to\r\nmalware-less attacks by leveraging dual-purpose administration tools and legitimate user accounts to perform their\r\nmalicious activities inside victims’ environments. 
Human threat hunters like those provided by CrowdStrike\r\nFalcon® Adversary OverWatch™ help identify this activity to ensure your organization can respond in a time-critical manner.\r\nConclusion\r\nALPHA SPIDER affiliates constantly demonstrate the use of numerous offensive techniques, leverage a large tool\r\nset — including various vulnerability exploits — and are extremely persistent at successfully exfiltrating data.\r\nHowever, it does appear that the different ALPHA SPIDER affiliates who performed the actions described in this\r\nblog post have no specific operational security (OPSEC) measures in place to avoid being detected. This lack of\r\nOPSEC measures gives defenders numerous opportunities to detect and respond to ALPHA SPIDER affiliates’\r\noperations, as long as they are able to respond in a fast and effective way in the scenario of an ongoing breach.\r\nAdditional Resources\r\nDownload the CrowdStrike 2024 Global Threat Report for details of key threats and trends that defined the\r\n2023 threat landscape, the adversaries driving this activity and the steps you can take to defend your\r\norganization this year.\r\nLearn more about the adversaries CrowdStrike tracks in the CrowdStrike Adversary Universe.\r\nLearn about our threat intelligence and hunting subscriptions.\r\nExperience how the industry-leading CrowdStrike Falcon® platform protects against modern threats. Start\r\nyour 15-day free trial today.\r\nFootnotes\r\n1. https://nvd.nist.gov/vuln/detail/CVE-2021-44529\r\n2. https://nvd.nist.gov/vuln/detail/CVE-2021-40347\r\n3. https://github.com/Fahrj/reverse-ssh\r\n4. https://nmap.org/\r\n5. https://github.com/dirkjanm/mitm6\r\n6. https://github.com/lgandx/Responder\r\n7. https://nvd.nist.gov/vuln/detail/CVE-2021-21972\r\n8. https://github.com/robertdavidgraham/masscan\r\n9. https://www.veeam.com/\r\n10. 
https://lolbas-project.github.io/lolbas/Binaries/Certutil/\r\n11. https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html\r\n12. https://github.com/sadshade/veeam-creds\r\n13. https://help.duo.com/s/article/1081?language=en_US\r\n14. https://www.pentestpartners.com/security-blog/abusing-duo-2fa/\r\n15. https://rclone.org/\r\n16. https://filezilla-project.org/\r\n17. https://mega.nz/\r\nSource: https://www.crowdstrike.com/blog/anatomy-of-alpha-spider-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.crowdstrike.com/blog/anatomy-of-alpha-spider-ransomware/"
	],
	"report_names": [
		"anatomy-of-alpha-spider-ransomware"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "86ab9be8-ce67-4866-9f66-1df471e9d251",
			"created_at": "2024-05-29T02:00:03.942487Z",
			"updated_at": "2026-04-10T02:00:03.641939Z",
			"deleted_at": null,
			"main_name": "Alpha Spider",
			"aliases": [
				"ALPHV Ransomware Group"
			],
			"source_name": "MISPGALAXY:Alpha Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434463,
	"ts_updated_at": 1775791779,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ede7a171d8d96e4bf02144ef76697cfd941da6e3.pdf",
		"text": "https://archive.orkl.eu/ede7a171d8d96e4bf02144ef76697cfd941da6e3.txt",
		"img": "https://archive.orkl.eu/ede7a171d8d96e4bf02144ef76697cfd941da6e3.jpg"
	}
}