(Last update: September 15, 2023) First observed in mid-November 2021 by researchers from the MalwareHunterTeam, BlackCat (aka AlphaVM, AlphaV, or ALPHV) swiftly gained notoriety for being the first major professional ransomware family written in Rust, a cross-platform language that lets malicious actors easily adapt the malware to different operating systems such as Windows and Linux, and therefore target a wide range of enterprise environments.
Since then, BlackCat ransomware has frequently made the headlines for its successive attacks on high-profile targets and its use of triple extortion which has endowed the group with a distinct competitive edge over other RaaS operators. Aside from exposing exfiltrated data, ransomware actors that use triple extortion threaten to launch distributed denial-of-service (DDoS) attacks on their victims’ infrastructure to coerce them to pay the ransom.
According to the Federal Bureau of Investigation’s (FBI) advisory published on April 19, 2022, several developers and money launderers for BlackCat have links to two defunct ransomware-as-a-service (RaaS) groups – DarkSide and BlackMatter – suggesting that they have been leveraging established networks and extensive experience in the RaaS business.
Now that BlackCat is deemed a significant threat, organizations should familiarize themselves with the tactics, techniques, and procedures (TTPs) that the BlackCat gang employs. Reports published by threat researchers in late September 2022 noted the group’s use of an upgraded version of the ExMatter data exfiltration tool and of Eamfo, a malware designed to steal credentials stored by Veeam backup software. BlackCat ransomware’s constantly evolving malware arsenal, its growing affiliate base, and its ties to underground networks enable it to acquire a larger stake in the RaaS marketplace.
What do organizations need to know about BlackCat?
Given BlackCat’s reputation for sophisticated and unorthodox methods, the following reasons account for its rising popularity and expanding foothold in the criminal underground:
- BlackCat made its leak site public, thus making stolen information from its victims searchable and accessible. Leak sites have customarily been hosted on Tor sites that restrict the visibility of information to victims, threat researchers, and other cybercriminals. BlackCat’s public leak site makes stolen information accessible to everyone, thus exerting more pressure on victims to accede to the malicious actors’ demands.
- It offers its affiliates more substantial payouts, reaching as much as 90% of the paid ransom. Researchers noted BlackCat’s aggressive efforts to recruit new affiliates, and giving payouts much heftier than usual is a master stroke for rapidly growing one’s influence in a highly competitive field. In addition, threat researchers noted that the group has posted advertisements in underground forums like the Ransomware Anonymous Market Place (RAMP) and other Russian-speaking hacking forums to entice affiliates to join its network.
- It uses a private access key token to limit access by external parties to the group’s negotiation site. BlackCat operators provide the private access key tokens exclusively to the concerned parties, so only those holding a copy of the ransom note paired with the same key used for the ransomware execution can enter the negotiation site.
- Its method of incursion into the target organization varies according to the RaaS affiliate that deploys the ransomware payload. A Microsoft report said that researchers have observed BlackCat affiliates exploit different attack vectors, including Microsoft Exchange server vulnerabilities, to access the target network, aside from common entry points like remote desktop applications and stolen credentials. The report also mentioned at least two known affiliates that have used BlackCat ransomware: DEV-0237, known for having deployed Ryuk, Conti, and Hive ransomware, and DEV-0504, which has previously deployed Ryuk, REvil, BlackMatter, and Conti ransomware.
- Security researchers discovered BlackCat’s use of the Emotet botnet to deploy its ransomware payload. According to a report published on September 17, 2022, BlackCat was observed to have used the Emotet botnet malware — previously used by other notorious RaaS groups like Conti — as an initial entry point for its infection chain. The researchers further stated that the botnet was deployed to install a Cobalt Strike beacon on systems that had been breached as a second-stage payload to enable lateral movement. This development indicates BlackCat’s ability to pivot quickly, which shows it is capable of carrying out more pernicious attacks.
Since it first came out in 2021, BlackCat has victimized organizations from a variety of industries that include construction, retail, manufacturing, technology, and energy, to name a few.
A massive attack on German oil companies in 2022 signaled the group’s foray into big-game hunting. Handelsblatt, a German news publication, reported in February that 233 gasoline stations across northern Germany were hit by the ransomware incident. The supply chain attack brought operations to a grinding halt and compelled the affected organizations to reroute supplies to other depots.
BlackCat claimed the attack on an Italian energy agency that advocates for renewable energy sources in September 2022. Prior to this, BlackCat reportedly added an entry on its Tor leak site and asserted that it had exfiltrated roughly 700 gigabytes (GB) of the agency’s data.
A European government was one of the group’s high-profile targets in late May 2022. The group reportedly demanded US$5 million in ransom in exchange for software to decrypt the locked computer systems. The attack resulted in a massive disruption of government services as thousands of workstations were compromised.
BlackCat’s attacks have been detected in multiple locations globally, but organizations based in the US lead the victim count, followed by some in Europe and Asia-Pacific. The next sections discuss the types of industries and countries affected by BlackCat’s attacks in more detail.
In December 2022, the operators behind BlackCat ransomware used a Telegram account to advertise that their RaaS offering now includes a prepackaged Log4J Auto Exploiter. They claim that the tool can be used to propagate BlackCat laterally within the network.
In September 2023, the BlackCat group claimed responsibility for the incident that affected the operations of MGM Resorts International.
Source: https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackcat