Day 21: BlackCat Ransomware

BlackCat ransomware is completely command-line driven, human-operated, and highly configurable. This allows the ransomware to use different encryption routines spreading through different computers killing VMs and ESXi VMs and automatically wiping ESXi snapshots preventing data recovery. Each executable including the JSON configuration allows extensions customization, ransom notes, how the data will be encrypted, excluded folders/files, and automatically terminates services and processes. BlackCat uses Rust Standard Libraries found on Github within its source code which when compiled provides the framework to enumerate shares, servers, traverse the file system, and laterally propagate the ransomware payload with the access token being the trigger which is found in a batch file named start.bat. A built function uses PsExec to accomplish the self-propagation and has a built-in anti-recovery method that deletes the shadow volume copy using vssadmin.exe. Additionally, the ransomware terminates processes, including backup software, database servers, Microsoft Exchange, Office applications, and mail clients as well as Windows services preventing files from being encrypted. To keep files open during the encryption process, ALPHV BlackCat uses Windows Restart Manager API to close processes and shut down Windows services.