During 2021, the United States observed an increase in highly sophisticated ransomware attacks against 16 U.S. critical infrastructure sectors. The sectors include Defense Industrial Base, Food and Agriculture, Government Facilities, and Information Technology. Australia and the United Kingdom also observed an increase with ransomware actors targeting charities, public services, and local government – with the United Kingdom recognizing ransomware as their biggest cyber threat.
With ransomware techniques and tactics continuing to evolve, threat actors are starting to grow in technological sophistication. Recently, threat actors (known as ALPHV) behind the new ransomware-as-a-service (RaaS) BlackCat have proven that attackers are learning from past mistakes and are developing new ways to get the financial reward they seek. Let’s look at BlackCat ransomware and how they fit into our current threat intelligence landscape.
BlackCat ransomware was discovered by researchers in November 2021. The threat actors recruit affiliates to perform corporate breaches and encrypt devices. So far, the cybercriminals (who only go by the name ALPHV) behind the ransomware have compromised more than twenty companies and have named those companies on their leak site. Currently, ALPHV is recruiting affiliates from several ransomware gangs – including BlackMatter, REvil, and DarkSide. They have also offered affiliates up to 90% of any ransom paid by an organization.
The BlackCat leak site has been active since early December 2021 and there is speculation that the total number of victims, including those who paid a ransom, is far greater than twenty. Most of the time, victims who pay ransom don’t want to risk exposure. ALPHV’s ransom demands range from $400,000 to $3 million, with victims being given the opportunity to negotiate a lower amount if they choose to pay a ransom. They can also choose to pay in privacy-preserving monero or bitcoin, but paying in bitcoin adds 15% to the ransom amount.
Although the largest number of the threat actor’s victims are in the U.S., ALPHV and their affiliates have attacked organizations in the Philippines and Europe. The sectors being attacked are retail, transportation, construction and engineering, telecommunication, and pharmaceuticals. Although ALPHV claims to be an apolitical group who doesn’t attack the healthcare sector, one of the victims on their leak site was from the healthcare industry. However, ALPHV stated that while they don’t attack medical institutions, their rule doesn’t apply to pharmaceutical companies or private clinics.
BlackCat is a highly customizable ransomware that allows attacks on a wide range of corporate environments. Targeting both Linux and Windows systems, BlackCat is coded in the Rust programming language (and written in Russian). Researchers believe this is the first time a ransomware group has used Rust to write a ransomware strain.
Cyber security analysts state that Rust is a much more secure programming language than C and C++, as it is memory-safe by design. Because Rust is so secure, it will be difficult to find coding weaknesses in the malware. Security defenders often look for such weaknesses in ransomware strains, and if more threat actors shift toward Rust, those weak areas will become harder to find. By using Rust, ALPHV’s operators are able to compile the ransomware for various operating systems and architectures. Rust is also a highly customizable language, which gives them the ability to pivot and individualize attacks.
Due to its speed and high performance, strength in web application development, low overhead for embedded programming, and its approach to memory management, Rust has gained momentum and is a force to be reckoned with.
Image 1: BlackCat Execution
To maintain longevity, BlackCat is executed with the --access-token flag, which must be supplied on the command line at launch. This makes it harder to analyze BlackCat in sandboxed environments.
Source: Palo Alto
BlackCat has several evasion tactics that are used in an effort to impair or disable system defenses and to stop certain applications from keeping files locked open on disk, which would cause problems when trying to encrypt those files. Additionally, BlackCat tries to kill several processes and services to defeat any security solutions or backups an organization may have. Please see the partial process list below:
agntsvc
dbeng50
dbsnmp
encsvc
excel
infopath
isqlplussvc
msaccess
mspub
mydesktopqos
mydesktopservice
notepad
ocautoupds
ocomm
ocssd
onenote
oracle
outlook
powerpnt
sqbcoreservice
*sql*
steam
synctime
tbirdconfig
thebat
thunderbird
visio
winword
wordpad
xfssvccon
bedbh
vxmon
benetns
bengien
pvlsvr
beserver
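The two behaviours described above, the mandatory --access-token launch flag and the burst of process terminations from the kill list, are both observable in endpoint telemetry. The following detection logic is an added example (not code from the Avertium article or from any vendor tool); the hosts, paths, timestamps and token value are constructed placeholders.

```python
"""Added detection example (not code from the Avertium article or any vendor
tool): score constructed endpoint events against two BlackCat traits described
above, the --access-token launch flag and kills of processes from the list."""
import fnmatch
from collections import defaultdict
from datetime import datetime, timedelta

# Partial kill list quoted in the article; "*sql*" is a wildcard entry.
KILL_LIST = [
    "agntsvc", "dbeng50", "dbsnmp", "encsvc", "excel", "infopath", "isqlplussvc",
    "msaccess", "mspub", "mydesktopqos", "mydesktopservice", "notepad", "ocautoupds",
    "ocomm", "ocssd", "onenote", "oracle", "outlook", "powerpnt", "sqbcoreservice",
    "*sql*", "steam", "synctime", "tbirdconfig", "thebat", "thunderbird", "visio",
    "winword", "wordpad", "xfssvccon", "bedbh", "vxmon", "benetns", "bengien",
    "pvlsvr", "beserver",
]

def in_kill_list(image):
    """True if the image's base name (without .exe) matches a kill-list entry."""
    name = image.lower().replace("\\", "/").rsplit("/", 1)[-1].removesuffix(".exe")
    return any(fnmatch.fnmatch(name, pat) for pat in KILL_LIST)

def analyze(events, window=timedelta(seconds=60), threshold=3):
    """events: (timestamp_iso, host, kind, value) with kind 'start' (value is the
    command line) or 'kill' (value is the image path). Returns {host: findings}."""
    findings, kills = defaultdict(list), defaultdict(list)
    for ts, host, kind, value in events:
        if kind == "start" and "--access-token" in value.lower():
            findings[host].append(f"launch with --access-token at {ts}")
        elif kind == "kill" and in_kill_list(value):
            kills[host].append((datetime.fromisoformat(ts), value))
    # One kill (a user closing Notepad) is noise; a burst inside one window is not.
    for host, hits in kills.items():
        hits.sort()
        for t0, _ in hits:
            burst = [v for t, v in hits if t0 <= t <= t0 + window]
            if len(burst) >= threshold:
                findings[host].append(f"{len(burst)} kill-list terminations "
                                      f"within {window.seconds}s from {t0.isoformat()}")
                break
    return dict(findings)

# Constructed sample telemetry (hypothetical hosts/paths/token); ws01 benign, srv02 not.
SAMPLE_EVENTS = [
    ("2022-02-01T10:00:05", "ws01", "kill", r"C:\Windows\notepad.exe"),
    ("2022-02-01T10:02:00", "srv02", "start", r"C:\Temp\locker.exe --access-token X"),
    ("2022-02-01T10:02:03", "srv02", "kill", r"C:\Office16\OUTLOOK.EXE"),
    ("2022-02-01T10:02:04", "srv02", "kill", r"C:\MSSQL\Binn\sqlservr.exe"),
    ("2022-02-01T10:02:06", "srv02", "kill", r"C:\BackupExec\beserver.exe"),
]
```

Running analyze(SAMPLE_EVENTS) flags only srv02, once for the token flag and once for three kill-list terminations inside a minute; the window and threshold should be tuned to the noise level of your own EDR feed.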
For persistence, BlackCat excludes key system and application folders, as well as key components, from encryption. This is done so that neither the system nor the ransomware is rendered inoperable. Folder exclusions include but are not limited to:
system volume information
intel
application data
$recycle.bin
mozilla
boot
appdata
perflogs
windows
config.msi
tor browser
File name exclusions include but are not limited to:
desktop.ini
thumbs.db
ntuser.dat
windows.old
ntldr
boot.ini
iconcache.db
autorun.inf
Files with extensions matching the following are also avoided:
themepack
bin
idx
diagpkg
nls
lock
sys
386
mpa
cur
spl
ps1
Promoted in Russian speaking hacking forums, BlackCat was named as such due to a black cat favicon being used on every victim’s Tor payment site. Researchers from Trend Micro found that not only does BlackCat encrypt data, steal data before ransomware deployment, and name-shame victims, but they also conduct a distributed-denial-of-service (DDoS) attack if victims don’t pay the ransom by the deadline.
Most are familiar with double extortion as a known technique amongst ransomware gangs. This technique typically involves ransomware gangs stealing sensitive data before infecting networks and systems with ransomware. The stolen data is then used to extort the victims into paying the demanded ransom. If the ransom is not paid, the threat actor will leak the stolen data on a data leak site. ALPHV takes things a step further by adding a third layer to their extortion model – a DDoS attack if the demanded ransom isn’t paid by their deadline. Cyber security researchers are calling the third layer triple extortion.
When ALPHV interviewed with The Record, they listed the following as options available exclusively for adverts (advertisers or affiliates) who have reached the $1.5 million mark in payments:
The success of BlackCat is likely due to the fact that they recruit affiliates by posting ads in forums like Ransomware Anonymous Market Place (RAMP). During their interview with The Record, BlackCat stated that they believe there is no comparative software on the market. They provide high-quality software as well as a full range of services related to ransom (metaverse or premium concierge). They believe they are in a different weight category, and they don’t recognize other ransomware groups as competitors or business partners.
Cyber security researchers believe that BlackCat’s ransomware operators may be associated with DarkSide and BlackMatter. In November 2021, a representative from the ransomware gang LockBit stated that BlackCat is a rebrand of DarkSide/BlackMatter.
Image 2: A Forum Post from a LockBit Representative
Source: BleepingComputer
BlackCat representatives claim that they are only DarkSide/BlackMatter affiliates who launched their own ransomware operation, but researchers believe otherwise. Last year, we published a report on BlackMatter and their re-brand as DarkSide. BlackMatter was responsible for ransomware attacks on at least four healthcare or healthcare-related organizations (a pharmaceutical consulting company, a dermatology clinic, and a medical testing and diagnostics company). DarkSide was the threat actor behind the attack on Colonial Pipeline.
During the same interview with The Record, an ALPHV representative admitted that REvil, BlackMatter, Maze, and LockBit are all connected in some way because they are adverts (advertisers or affiliates). ALPHV went on to say that adverts write software and pick a brand name. Partnerships are nothing without adverts, and there is no rebranding because they have no direct relation to the partnership programs. Admittedly, ALPHV borrowed the named groups’ advantages and eliminated their disadvantages.
Image 4: Twitter Thread from Brett Callow
Brett Callow from Emsisoft stated ALPHV is more than likely BlackMatter and he explained his reasoning in a series of four tweets via Twitter.
Source: Twitter
In May 2021, BlackCat ransomware was used in the attack on Colonial Pipeline. This attack sparked a political firestorm, and although the Russian threat actor DarkSide was attributed to the attack, the threat actor blamed an affiliate for having gone rogue. DarkSide ended up walking away with 63.7 bitcoins ($4.4 million) in exchange for a decryptor. The FBI eventually recovered $2.3 million of the ransom payment, and DarkSide went dark shortly after U.S. President Joe Biden told Russian President Vladimir Putin to crack down on Russian ransomware groups or risk becoming a target for the U.S. By July 2021, DarkSide had rebranded as BlackMatter.
Image 5: BlackCat Ransomware Encryption Alert
In BlackMatter’s case, there were encryption errors in the gang’s malware that allowed security professionals to quietly reach out to victims and restore data before a ransom was paid – which was a massive blow to BlackMatter’s profits.
Source: SentinelLabs
After the errors were discovered, DarkSide/BlackMatter fired its development team, hired a new team, then went dark in November 2021 before launching again during the same month as ALPHV (BlackCat).
Using BlackCat ransomware, attackers were able to infect computers at Mabanaft GmbH and Oiltanking GmbH Group in February 2022. The attack took down part of Germany’s fuel-distribution system and stopped payments at some filling stations. Another energy-storage company that has had IT issues recently is the Evos Group, which is located in Belgium and the Netherlands.
It’s important to remember that paying the ransom doesn’t automatically erase the security problems that allowed your organization to be attacked in the first place. Discovering what went wrong and why is the first step to fixing your security problems. Avertium offers the following service to help protect your organization from being exposed to ransomware like BlackCat:
2021 Trends Show Increased Globalized Threat of Ransomware | CISA
Who Wrote the ALPHV/BlackCat Ransomware Strain? – Krebs on Security
BlackCat ransomware - what you need to know | The State of Security (tripwire.com)
Cyberattack Cripples European Oil Port Terminals (bankinfosecurity.com)
BlackCat (ALPHV) ransomware linked to BlackMatter, DarkSide gangs (bleepingcomputer.com)
LockBit, BlackCat, Swissport, Oh My! Ransomware Activity Stays Strong | Threatpost
Ransomware: Alphv/BlackCat Is DarkSide/BlackMatter Reboot (bankinfosecurity.com)
Black Cat Ransomware Tied to German Fuel Attacks and Colonial Pipeline Hackers - Bloomberg
Threat Assessment: BlackCat Ransomware (unit42.paloaltonetworks.com)
This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses being exploited to compromise data.
Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.
COPYRIGHT: Copyright © Avertium, LLC and/or Avertium Tennessee, Inc. | All rights reserved.