
BlackCat Ransomware

BlackCat ransomware attacks predominantly target US organizations; however, the malware has also been observed targeting organizations in Canada and Europe.

Krebs on Security reports that BlackCat recently “unseized” its darknet server and announced that affiliates can target hospitals and nuclear power plants outside Russia or Commonwealth of Independent States countries.

The Origins of BlackCat Ransomware

BlackCat ransomware, first seen in 2021, is an encryption-based malware family written in an unorthodox programming language and using advanced tactics, techniques and procedures (TTPs) and distinct payment methods, earning it a place among the most sophisticated threats of its type.

BlackCat employs multiple infection vectors to gain entry to networks, including email, hijacked websites, and security flaws in outdated software. Once inside a network, BlackCat exploits vulnerable servers to encrypt files before demanding payment from victims for decryption keys. The malware also targets critical infrastructure, causing disruption and financial losses for the companies and government agencies that fall prey.

BlackCat employs advanced attack methodologies that make its infections harder for antivirus software to identify and block. One such technique is polymorphic code that changes with each infection, so that security software struggles to recognize the threat and defend against it.

BlackCat attackers also tend to target businesses with large budgets that can pay for decryption keys, in an apparent effort to maximize profits and encourage affiliates to attack more victims; the operation offers affiliates up to 90% of payouts, compared with the 80%-90% typically on offer from other ransomware-as-a-service gangs.

BlackCat stands out from its competition through its use of “triple extortion.” BlackCat affiliates are known to use multiple methods of coercion against targets: encryption, ransom demands and data exfiltration are just three. DDoS attacks may also be deployed against targets as part of the extortion campaign.

BlackCat's tactics, techniques, and procedures have been heavily influenced by other cybercriminal gangs such as DarkSide and BlackMatter (both now-defunct RaaS gangs), and various BlackCat operators have links to both. An FBI Flash report in April 2022 detailed IOCs from BlackCat attacks observed up to that point.

BlackCat's latest attack targeted payment service vendor Tipalti, using the Cobalt Strike framework and LOLBins as lateral movement tools while customized scripts performed environment reconnaissance and discovery on target machines. On Windows systems, BlackCat deleted Volume Shadow Copies and enumerated local drives to encrypt eligible files, then directed victims to connect to BlackCat's payment portal via Tor.

The Spread of BlackCat Ransomware

BlackCat ransomware has quickly become the second-most prevalent ransomware-as-a-service variant in the wild, after LockBit. This Rust-based variant has been observed across industries, with law firms, healthcare organizations and industrial manufacturers among its victims.

The FBI recently announced its infiltration of BlackCat, leading to website seizures and the release of decryption tools for hundreds of victim companies. In response, ALPHV/BlackCat temporarily took its Tor-based leak website offline on December 7, but quickly brought it back online offering victims decryption keys.

BlackCat's operations are causing significant disruption for victims worldwide: its affiliate monetization strategy of paying 90 percent commissions drives attacks that leave victims paying ransoms, losing productivity, and incurring the costs of incident response. According to an FBI search warrant unsealed today, over 200 enterprise organizations have been compromised since November 2021, with the group using triple extortion techniques such as publishing stolen data or initiating distributed denial-of-service (DDoS) attacks alongside installing ransomware.

Attacks often start with spearphishing campaigns that target lax security practices and exploit known vulnerabilities, such as CVE-2016-0099 for privilege escalation or the three ProxyShell vulnerabilities disclosed two years ago. Once inside a network, Mimikatz, Cobalt Strike, Rsync or other remote control tools are typically used for further lateral movement and asset compromise.

SophosLabs recently conducted an investigation and determined that BlackCat/ALPHV gained entry to systems through multiple means: exploiting vulnerabilities in exposed services, abusing weak credentials, and social engineering. Once inside, BlackCat/ALPHV used Windows administrative tools and Sysinternals utilities to gain additional privileges and carry out malicious tasks with administrative rights.

Organizations can safeguard themselves against BlackCat ransomware variants by installing updates, implementing strong password policies and practicing safe online behavior. Storing backups off-network provides additional protection against threats that infiltrate systems and encrypt files.

BlackCat’s Encryption Methods

As is common with ransomware variants, BlackCat encrypts victims' data and locks them out of their systems; the attackers then threaten to delete the decryption keys, publish the data publicly or launch DDoS attacks if victims do not pay as demanded, an approach known as triple extortion.

Cyber criminals using BlackCat often target large entities such as companies and organizations. Their sophisticated technical arsenal includes exploiting software vulnerabilities, and their intrusions leave indicators of compromise (IOCs) such as encryption extensions, file hashes and IP addresses that defenders can use to recognize them.

BlackCat attacks target businesses and organizations alike; however, individual users may also fall prey. To safeguard against BlackCat, people should regularly update and back up their software, use reliable antivirus programs, and avoid exposing their computers to untrusted public networks.

Researchers have named the newer variant Sphynx because it shows evidence of evolving to avoid detection. For instance, this variant has adopted open-source tools like Impacket and RemCom for lateral movement and remote code execution, and uses raw structures with junk code instead of its typical JSON format to further cover its tracks.

Sphynx is written in the Rust programming language, a popular choice among cybercriminals because it is fast, secure, stable and offers improved memory management. Security experts predict an increase in threats written in this language.

Once launched, Sphynx searches the computer using a loop of FindFirstFile and FindNextFile calls to discover all stored files. Each file is then encrypted using the RSA public key stored in its configuration and written back to disk with WriteFile under an extension specified during setup. When complete, the desktop wallpaper is changed as instructed and victims receive ransom notes with instructions on how to pay the demanded sum.

BlackCat’s Decryption Methods

BlackCat/ALPHV operates as ransomware-as-a-service (RaaS), using multiple attack vectors to gain entry to target systems. This may involve exploiting vulnerabilities in exposed services or employing social engineering to persuade victims into undermining their own security. Regardless of its method of entry, BlackCat/ALPHV can encrypt any files and directories on the target system.

Once a system is compromised, the BlackCat group often communicates with victims to deliver a ransom demand and set a payment schedule. Victims are warned against modifying files themselves or using third-party recovery tools, which would alert the attacker. Paying, moreover, neither ensures file recovery nor prevents future attacks.

The BlackCat variant Sphynx was recently unveiled, aiming to increase the stealth of this threat group and make its presence harder for defenders to detect and analyze. Like its predecessors, Sphynx uses AES or ChaCha20 encryption depending on configuration, appends custom extensions to each encrypted file, creates ransom notes, modifies the victim's wallpaper, and deletes Windows event logs via command execution.
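Two of the behaviours described above, deleting Volume Shadow Copies before encryption (the Tipalti attack) and clearing Windows event logs via command execution (Sphynx), are visible in process-creation telemetry. The following Python script is an added detection example, not code from the original article or from any vendor; the pipe-delimited record format and every sample event are constructed assumptions.

```python
import re
from collections import namedtuple

# Constructed sample process-creation records (assumed format:
# "timestamp|host|user|command_line"). Illustrative only, not real telemetry.
SAMPLE_EVENTS = """\
2023-11-02T10:01:07Z|WS-014|CORP\\jdoe|"C:\\Windows\\System32\\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
2023-11-02T10:01:09Z|WS-014|CORP\\jdoe|wmic.exe shadowcopy delete
2023-11-02T10:02:31Z|WS-014|CORP\\jdoe|wevtutil.exe cl Security
2023-11-02T10:02:32Z|WS-014|CORP\\jdoe|wevtutil.exe cl System
2023-11-02T10:03:00Z|WS-014|CORP\\jdoe|"C:\\Program Files\\Backup\\backup.exe" --verify
2023-11-02T10:03:10Z|WS-014|CORP\\backupsvc|vssadmin.exe list shadows
"""

# Command-line patterns for the two pre-encryption behaviours the article
# attributes to BlackCat/Sphynx: shadow copy deletion and event log clearing.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I),
    "event_log_clearing": re.compile(
        r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
}

Finding = namedtuple("Finding", "timestamp host user rule command_line")

def parse_event(line):
    """Split one pipe-delimited record; return None for malformed lines."""
    parts = line.split("|", 3)
    return parts if len(parts) == 4 else None

def scan_events(text):
    """Return one Finding per (event, rule) match, in log order."""
    findings = []
    for line in text.splitlines():
        parsed = parse_event(line)
        if parsed is None:
            continue
        ts, host, user, cmd = parsed
        for name, pattern in RULES.items():
            if pattern.search(cmd):
                findings.append(Finding(ts, host, user, name, cmd))
    return findings

def correlate(findings):
    """Hosts on which both behaviours fired: a stronger signal than either alone."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.rule)
    return sorted(h for h, rules in by_host.items() if rules == set(RULES))
```

Benign administrative use such as `vssadmin list shadows` is deliberately not matched; in production, tune the rules against your own backup tooling before alerting.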

Sphynx differs significantly from its predecessors in several ways; Malwarebytes' threat research team estimates that it obfuscates commands by removing the access token argument to avoid detection. Combined with modified JSON files that specify encryption algorithms and settings, this practice hinders analysis by security teams.

Sphynx remains highly stealthy; its entry points into vulnerable networks, however, remain the familiar attack vectors, including exploiting vulnerabilities in exposed services or taking advantage of weak credentials. Once inside, the BlackCat group's goal is to extract ransom payments in Bitcoin or Ethereum from victims, and then to demand more.

Decrypting BlackCat files is no easy feat, but there are companies that specialize in doing just that, providing an alternative to paying the ransom while helping organizations restore their systems without risking further attacks or outages.
