BlackCat Ransomware and Its Dangers

Static and dynamic analysis of BlackCat ransomware (PROMIS) [Video]

Video uploaded by Malware Research Academy on February 17, 2022

BlackCat Ransomware Is Garnering Attention

The FBI has issued a warning to the public regarding a recent ransomware known as BlackCat. After a string of recent high-profile attacks, the BlackCat ransomware is now garnering much attention from the authorities, and it has become one of the most notorious kinds of ransomware in recent times.

The group behind the ransomware has been in operation since November of last year. BlackCat (also known as ALPHV) is a relatively new ransomware-as-a-service (RaaS) operation, which has been aggressively recruiting affiliates from other ransomware groups and targeting organizations worldwide. The group has launched major attacks such as the disruption of OilTanking GmbH, a German fuel company, in January, the February attack on the aviation company Swissport, and, most recently, the group has claimed responsibility for attacks against two universities in the United States, Florida International University and the University of North Carolina A&T.

Research into the ransomware attacks by security agencies has preliminarily shown that BlackCat is primarily delivered via third-party frameworks and toolsets (for example, Cobalt Strike) and uses exploitation of exposed and vulnerable applications (for example, Microsoft Exchange Server) as an entry point. It is also noteworthy that BlackCat is the first ransomware family to use the Rust programming language. Rust is a multi-paradigm, general-purpose programming language designed for performance and safety, especially safe concurrency.

Rust is syntactically similar to C++, but it guarantees memory safety by using a borrow checker to validate references. It achieves memory safety without garbage collection, and reference counting is optional. It is a systems programming language with mechanisms for low-level memory management, but it also offers high-level features such as functional programming. Rust has grown in popularity and industry investment, with many major companies adopting the language, including Amazon, Discord, Dropbox, Facebook (Meta), Google (Alphabet), and Microsoft. Rust has been voted the “most loved programming language” in the Stack Overflow Developer Survey every year since 2016 and was used by 7% of the respondents in 2021.

BlackCat has multiple versions that work on both Windows and Linux operating systems and in VMware’s ESXi environment. Cybersecurity analysts have found a nexus between BlackCat and the BlackMatter and DarkSide ransomware operations. They infer that the BlackCat team consists of affiliates of various RaaS groups, including BlackMatter, rather than being a rebranding of BlackMatter as previously believed. It was initially believed that most of the ransomware’s attacks targeted European critical infrastructure firms, but Cisco has noted in a report that more than 30% of BlackCat compromises have targeted US firms.

BlackCat, like any other ransomware, extorts money from targeted organizations by stealing sensitive data and threatening to release it publicly, and by encrypting systems, but this ransomware goes one step further and also threatens to launch a distributed denial-of-service (DDoS) attack if its demands are not met. This technique is known as “triple extortion.”

BlackCat has gained traction since late 2021 by offering its affiliates payouts of up to 90%. The FBI, in its statement, alleges: “as of March 2022, BlackCat/ALPHV ransomware as a service (RaaS) had compromised at least 60 entities worldwide and is the first ransomware group to do so successfully using Rust, considered to be a more secure programming language that offers improved performance and reliable concurrent processing.” BlackCat has multiple features at its disposal. First is the cryptor of the same name, which is written in Rust; notably, the attackers managed to create a cross-platform tool, with versions of the malware that work in both Windows and Linux environments. Subsequently, it deploys the Fendr utility, which is used to exfiltrate data from the infected network.

BlackCat also employs the PsExec tool for lateral movement in the victim’s network, and Mimikatz, the well-known hacker tool, together with Nirsoft software to extract network passwords. The FBI has advised victims not to pay the attackers if compromised, as this does not guarantee the recovery of compromised data, and has urged organizations to proactively deploy cybersecurity defenses that can help prevent ransomware attacks. It has also suggested employing up-to-date security solutions and ensuring that computers are protected with the latest security patches against vulnerabilities.
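As an added defender's example (not code from the article or the FBI advisory), the following Python flags the PsExec-style lateral movement mentioned above in Windows System-log records: PsExec installs a service named PSEXESVC on the remote host, and Windows records each new service installation as Event ID 7045. The flattened key=value line format, hostnames and paths are constructed for this example; the temp-directory check is a broader suspicious-service heuristic, not something specific to PsExec.

```python
import re
from dataclasses import dataclass

# Constructed sample of Windows System-log "A service was installed" events
# (Event ID 7045) flattened to key=value lines. The line layout is an assumption
# made for this example; it is not a real event-export format.
SAMPLE_EVENTS = [
    'EventID=7045 Host=WS01 ServiceName=PSEXESVC ImagePath="%SystemRoot%\\PSEXESVC.exe" Account=LocalSystem',
    'EventID=7045 Host=WS02 ServiceName=GoogleUpdater ImagePath="C:\\Program Files\\Google\\Update\\GoogleUpdate.exe" Account=LocalSystem',
    'EventID=7045 Host=SRV03 ServiceName=svchelper ImagePath="C:\\Windows\\Temp\\helper.exe" Account=LocalSystem',
    'EventID=7036 Host=WS01 ServiceName=Spooler State=running',
]

# key=value pairs; the value is either a double-quoted string or a bare token
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Generic heuristic (not PsExec-specific): a service binary living in a temp
# or per-user directory deserves a look regardless of the service name.
WRITABLE_DIR_RE = re.compile(r"\\(Temp|Users\\[^\\]+\\AppData)\\", re.IGNORECASE)

@dataclass
class Finding:
    host: str
    service: str
    image: str
    severity: str
    reason: str

def parse_event(line):
    """Split one flattened event line into a dict of its key=value fields."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields

def detect_psexec(lines):
    """Flag 7045 service installs that look like PsExec-style lateral movement."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "7045":
            continue  # only new-service installations are of interest here
        name, image = ev.get("ServiceName", ""), ev.get("ImagePath", "")
        if name.upper() == "PSEXESVC" or "PSEXESVC" in image.upper():
            findings.append(Finding(ev["Host"], name, image, "high",
                                    "default PsExec service name/binary"))
        elif WRITABLE_DIR_RE.search(image):
            findings.append(Finding(ev["Host"], name, image, "medium",
                                    "service binary in a temp or per-user directory"))
    return findings

if __name__ == "__main__":
    for f in detect_psexec(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.host}: service '{f.service}' -> {f.image} ({f.reason})")
```

A renamed PsExec service (PsExec allows choosing the service name) will only trip the second, weaker rule or none at all, so pair this with monitoring of ADMIN$ share access and named-pipe activity from the same source host.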

Unique, hard-to-crack passwords can also protect sensitive data and accounts, as can enabling multi-factor authentication. Encrypting sensitive data wherever possible is also an option to stave off such attacks, and finally, educating and informing staff about the risks and the methods used by cybercriminals to launch attacks and steal data would also be helpful.
