The BlackCat (ALPHV) ransomware gang has been observed encrypting Azure cloud storage using stolen Microsoft credentials and its recently discovered Sphynx encryptor. While investigating a recent breach, Sophos X-Ops incident responders found that the attackers were using a new Sphynx variant with added support for supplying custom credentials.
The attackers first stole a One-Time Password (OTP) from the victim's LastPass vault via the LastPass Chrome extension. With that OTP they logged into the victim's Sophos Central account, disabled Tamper Protection, and changed the security policies.

They then encrypted the Sophos customer's systems as well as the customer's remote Azure cloud storage, appending the .zk09cvt extension to every locked file. In total, the ransomware operators successfully encrypted 39 Azure Storage accounts.