Slade Shipping

In 2023, Slade Shipping in the USA fell victim to a sophisticated ransomware attack orchestrated by the ALPHV ransomware group. The intrusion began with a malicious phishing email containing a modified IcedID variant, which facilitated the deployment of ScreenConnect for remote access. Attackers leveraged advanced tools, including Cobalt Strike beacons and CSharp Streamer RAT, to escalate privileges, harvest credentials, and move laterally across the network. A custom exfiltration tool, confucius_cpp, was used to extract sensitive data before deploying the ALPHV ransomware payload. Prior to encryption, backups were deliberately deleted to hinder recovery. The attack resulted in severe operational disruption, including potential data breaches of sensitive corporate and customer information, alongside a ransom demand communicated via a note referencing ALPHV’s Twitter profile. The incident forced Slade Shipping to grapple with extended downtime, financial losses, and reputational damage, while the full scope of compromised data remained under investigation.

Source: https://gbhackers.com/alphv-ransomware-rdp-screenconnect-deployment/

TPRM report: https://www.rankiteo.com/company/slade-shipping

"id": "sla526092125",
"linkid": "slade-shipping",
"type": "Ransomware",
"date": "1/2023",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'shipping/logistics',
                        'location': 'USA',
                        'name': 'Slade Shipping',
                        'type': 'company'}],
 'attack_vector': ['phishing (malicious email)',
                   'forked IcedID malware',
                   'ScreenConnect (remote access)',
                   'Cobalt Strike beacons',
                   'CSharp Streamer RAT',
                   'custom data exfiltration tool (confucius_cpp)'],
 'data_breach': {'data_encryption': True,
                 'data_exfiltration': True,
                 'sensitivity_of_data': 'high',
                 'type_of_data_compromised': ['sensitive corporate '
                                              'information']},
 'description': 'In 2023, Slade Shipping in the USA was targeted by the ALPHV '
                'ransomware group. The attack began with a malicious email '
                'containing a forked IcedID variant, which led to the '
                'installation of ScreenConnect for remote control. The '
                'attackers used various tools, including Cobalt Strike beacons '
                'and CSharp Streamer RAT, to gain credentials and move '
                'laterally within the network. Sensitive information was '
                'extracted using a custom tool called confucius_cpp. The final '
                'payload, ALPHV ransomware, was deployed after deleting '
                "backups. A ransom note referencing the group's Twitter was "
                'left post-encryption. The consequence of the attack was '
                "significant disruption to Slade Shipping's operations and "
                'potential data breaches.',
 'impact': {'data_compromised': True,
            'downtime': True,
            'operational_impact': 'significant disruption',
            'systems_affected': True},
 'initial_access_broker': {'backdoors_established': ['ScreenConnect',
                                                     'Cobalt Strike beacons',
                                                     'CSharp Streamer RAT'],
                           'entry_point': 'malicious email (phishing)',
                           'high_value_targets': ['credentials',
                                                  'sensitive corporate data']},
 'motivation': ['financial gain (ransom)', 'data theft'],
 'post_incident_analysis': {'root_causes': ['successful phishing attack',
                                            'lack of backup resilience '
                                            '(backups deleted)',
                                            'lateral movement via stolen '
                                            'credentials']},
 'ransomware': {'data_encryption': True,
                'data_exfiltration': True,
                'ransomware_strain': 'ALPHV (BlackCat)'},
 'threat_actor': 'ALPHV (BlackCat) ransomware group',
 'title': 'ALPHV Ransomware Attack on Slade Shipping (2023)',
 'type': ['ransomware', 'data breach', 'credential theft', 'lateral movement']}