Azure Storage instances have been targeted by the ALPHV/BlackCat ransomware gang in new attacks that use an updated Sphynx encryptor with custom credential support, BleepingComputer reports.
ALPHV/BlackCat attackers leveraged a stolen one-time password to infiltrate an organization's Sophos Central account before disabling Tamper Protection and altering security policies to eventually encrypt systems and remote Azure cloud storage, according to a Sophos X-Ops report.
After using stolen Azure keys to access the impacted organization's Azure portal, threat actors proceeded to leverage AnyDesk, Atera, Splashtop, and other remote monitoring and management tools.
Meanwhile, the new Sphynx variant used in the attack, which was initially identified in March, was recently found by Microsoft to contain the Impacket networking framework and Remcom hacking tool.
The findings come after ALPHV/BlackCat was reported to have begun using a new extortion scheme involving a clear website for exposing stolen data, as well as a data leak API.
New Sphynx encryptor used in ALPHV/BlackCat attacks against Azure Storage