The structural complexity of the menuPass/APT10 Umbrella illustrates one of the fundamental challenges of threat intelligence: threat actors are not always well-defined or homogenous.
ALPHV/BlackCat brings a unique layer of complexity to the puzzle, as it is sometimes viewed as Rust-based ransomware available as a service, and sometimes referred to as a threat actor group responsible for creating and monitoring what is offered as a service.
MITRE Engenuity places ALPHV/BlackCat squarely in the latter category, explaining that “ALPHV/BlackCat, a ransomware-as-a-service, emerged in 2021 to target a variety of industries with a flexible ransomware strain capable of cross-platform attacks against Windows, Linux, and VMware systems.”
MITRE Engenuity borrowed “signature behaviors” from both menuPass and ALPHV/BlackCat to engineer “compromises of multiple subsidiaries through overlapping operations focused on evading defenses, exploiting trust relationships, encrypting data, and preventing system recovery.”
The menuPass portion of the evaluation employed a combination of Living-Off-The-Land techniques, custom fileless malware, anti-analysis, and abuse of trusted third-party relationships to access credentials. It also mimicked ALPHV/BlackCat defense evasion techniques and went on to exfiltrate data, encrypt data, destroy data, and impede system recovery.
Where are they now?
While the TTPs used in MITRE Engenuity Managed Services assessments are well known and documented, threat actors are not fixed in time. Trend™ Research continues to track both menuPass and ALPHV/BlackCat.
The nation-state-sponsored cyberespionage group menuPass (APT10 Umbrella) constantly changes targets depending on the nation state that is funding it. Its objectives are essentially the same: information brokering, identity theft, and related activities. In 2018, members of the group were reportedly indicted, but the group itself has since resurfaced, making headlines for an apparent (failed) intrusion into an Indian vaccine manufacturer during the pandemic, and then for its role in A41APT’s multi-industry data theft campaigns.
Because menuPass has so many subgroups and offshoots, it would be inaccurate to attribute specific campaigns to this umbrella organization or to definitively identify a single motivation, toolset, or TTPs.
The ALPHV/BlackCat group that “inspired” the MITRE Engenuity attack approach in this year’s managed services evaluation has disbanded, splintering amid internal fighting over the ransom paid by Change Healthcare in winter 2024. Still, ransomware is a lucrative business, so ransomware threat actor groups tend to burn out, regroup, and re-emerge.
In general, threat actors’ TTPs are becoming increasingly similar in response to cybercrime “best practices” and evolving security technologies.
Threat information is important
Protecting against attackers like menuPass and ALPHV/BlackCat requires a combination of advanced cybersecurity tools and cutting-edge threat intelligence. The importance of the second part of this formula cannot be overstated. Understanding the source of a threat, its motivation, and the attacker’s likely next move will help you make better and more effective decisions to track and mitigate it.
Trend Micro™ Managed Detection and Response (MDR) services are built on the Trend Vision One™ platform and are based on threat intelligence from Trend Research and findings from the Trend Micro™ Zero-Day Initiative™ (ZDI). Trend Vision One provides automated detection and response capabilities, while Trend Research provides insight into how threats behave and how to respond.
Beyond advanced persistent threats and ransomware, the current focus of Trend Research is securing AI, cloud, and network threats, and understanding the full scope of the risk landscape – what it consists of and how it is changing. We are committed to continually providing cybersecurity insights, delivering the most effective managed security services possible, and driving advancements in security technology.
Next steps
To learn more about Trend MDR, XDR, and other related topics, check out these additional resources: