Day 21: BlackCat Ransomware

Common Attack Vectors

  • Phishing Emails

Vulnerabilities Exploited

  • Virtual machines
  • VMware ESXi
  • Microsoft Windows
  • GNU/Linux

Industries Targeted Frequently


Threat actors target multiple enterprises, stealing sensitive data, encrypting network files and demanding ransoms.

Recent Activity

BlackCat ransomware is executed using primarily a Rust programming language due to memory safety and performance.

BlackCat uses a triple-extortion tactic in which they steal data before encrypting devices and threaten to publish the data if victims do not pay the ransom. They also use the distributed denial-of-service (DDoS) to threaten victims if they do not pay the ransom.

BlackCat has already targeted multiple companies in numerous countries including USA, Australia, and India.

Common File Extensions


Depends on the variant

Random name extension

Known Alias


How BlackCat Ransomware is Distributed

BlackCat ransomware is completely command-line driven, human-operated, and highly configurable. This allows the ransomware to use different encryption routines spreading through different computers killing VMs and ESXi VMs and automatically wiping ESXi snapshots preventing data recovery. Each executable including the JSON configuration allows extensions customization, ransom notes, how the data will be encrypted, excluded folders/files, and automatically terminates services and processes. BlackCat uses Rust Standard Libraries found on Github within its source code which when compiled provides the framework to enumerate shares, servers, traverse the file system, and laterally propagate the ransomware payload with the access token being the trigger which is found in a batch file named start.bat. A built function uses PsExec to accomplish the self-propagation and has a built-in anti-recovery method that deletes the shadow volume copy using vssadmin.exe. Additionally, the ransomware terminates processes, including backup software, database servers, Microsoft Exchange, Office applications, and mail clients as well as Windows services preventing files from being encrypted. To keep files open during the encryption process, ALPHV BlackCat uses Windows Restart Manager API to close processes and shut down Windows services.


SpearTip’s ShadowSpear platform defends your environment with unparalleled resources preventing cybersecurity threats and attacks from affecting your business. ShadowSpear integrates with cloud, network and endpoint devices providing security. ShadowSpear prevents ransomware from exploiting memory, stopping the threat before the full attack cycle. The ShadowSpear Platform is backed by the engineers in our 24/7 Security Operations Centers, ready to assist partners with security issues immediately.

Translate »

Total Economic Impact™ Of SpearTip ShadowSpear