Sphynx Virus: A New Extortionist Weapon

The group behind the BlackCat ransomware recently released an upgraded version of their malware called Sphynx. The new version, announced in February 2023, prioritizes speed and stealth in order to circumvent protective measures and accomplish the operators' goals. IBM Security X-Force analyzed the sample and found that Sphynx has “updated opportunities that help avoid detection.”

vx-underground first discovered the new version in April 2023, and Trend Micro then described the Linux version in detail, noting that it “concentrated primarily on the encryption procedure.”

BlackCat has been a serious threat since it became the first ransomware written in Rust, and it had affected over 350 targets as of May 2023. The group uses a double extortion scheme, deploying dedicated tools such as Exmatter to exfiltrate confidential data before encrypting it.

The ALPHV/BlackCat operators obtain initial access to target networks through third-party actors called Primary Access Brokers (PAB), who use their own malicious software to steal legitimate account credentials. The new Sphynx version contains encrypted strings and junk code to hinder detection, and the group uses a separate loader to decrypt the ransomware payload.

Despite the efforts of law enforcement agencies, ALPHV/BlackCat shows no sign of slowing down, as evidenced by its constant and active threat to organizations. A WithSecure study also found that the group delegates responsibilities to, and shares profits with, other attackers through the services of PABs.

In general, the ransomware follows the standard procedure: deleting backup copies of data, encrypting files, and leaving a ransom note. As attackers continue to improve and update their malware, organizations must remain vigilant and take the necessary measures to protect themselves from such threats.

Sources:

Reports, release notes, official announcements.