Chris Swagler | March 26th, 2022

BlackCat is a growing Ransomware-as-a-Service (RaaS) group that has targeted several organizations worldwide over the past few months. Rumors have surfaced of a relationship between BlackCat and the BlackMatter and DarkSide ransomware groups, the latter known for attacking the Colonial Pipeline. Also known as “ALPHV”, BlackCat ransomware has gained attention for double extortion attacks against companies, in which files are encrypted and then disclosed. The group first appeared in November 2021 and has breached several companies around the world; however, more than 30% of the compromises involved companies based in the United States.

Several security companies discovered the connection between the BlackCat, BlackMatter, and DarkSide ransomware groups. According to a BlackCat representative, the operators are affiliates from other RaaS operations, and the actors built on information gained as members of other groups. Affiliates are groups that breach companies’ networks and deploy ransomware provided by the RaaS operators. If true, BlackCat appears to be a case of vertical business expansion: the affiliates take control of their upstream supply chain by making a service critical to their business (the RaaS operator) better suited to their needs and adding another source of revenue. When there is a lack of trust in the supply chain, vertical expansion is a common business strategy. The BlackCat representative mentions a flaw in the DarkSide/BlackMatter ransomware which allowed victims to decrypt their files without paying the ransom. For several months, victims used the flaw, which resulted in large losses for affiliates.

While investigating a BlackCat ransomware attack in December 2021, a cybersecurity company discovered that a domain and its associated IP addresses were used to maintain persistent access to the network. The same domain was also used in a BlackMatter attack in September 2021. Further analysis revealed significant similarities between the two ransomware variants, including tools, file names, and techniques. Because affiliates are responsible for breaching systems and installing ransomware, operations carried out under the same ransomware family are likely to differ in techniques and procedures. RaaS operators, on the other hand, are known for making training materials, general techniques, and tools available to their affiliates.

One way RaaS affiliates differ from one another is the command and control (C2) infrastructure they use for their attacks. The overlapping C2 address discovered in the BlackMatter and BlackCat attacks therefore led the cybersecurity company to believe that the same affiliate was responsible for both. The connection indicates that a BlackMatter affiliate was an early adopter of BlackCat, possibly during its first month of operation, proving strong ties between BlackMatter and BlackCat.

The cybersecurity company analyzed the attack methods of what appears to be the same affiliate (threat operators) in the December BlackCat attack and the September BlackMatter attack. Both attacks follow the pattern of other human-operated ransomware attacks: initial compromise, followed by an exploration and exfiltration phase, then attack preparation, and finally attack execution. The table below shows the similarities and differences between the two attacks, mapped to the MITRE ATT&CK® framework.

The initial compromise vector for the BlackCat attack is unknown; it is likely that the compromise occurred on a system not mentioned in the investigation, or that a previously compromised account was used to log into an exposed system. In the BlackMatter attack, there is evidence that the threat actors gained initial access by exploiting Microsoft Exchange vulnerabilities. However, the cybersecurity company was unable to link the observed attempts to exploit Microsoft Exchange to the attack itself, so there is only low confidence that the attack began with the exploitation of an Exchange vulnerability.

The threat operators ensured they had remote access to multiple internal systems in addition to the access provided by the initial exploitation vector. During the BlackCat attack, the actors used a tool called reverse-ssh, built with the C2 server address embedded in it, to establish reverse SSH tunnels and provide reverse shells to the attacker. Reverse-ssh was deployed to the C:\ directory and named “system”, “Windows”, or “cache task”. The group used a similar technique during the BlackMatter attack, with one difference: the tool was GO Simple Tunnel (GOST). GOST is a Go-based tunneling tool used to create a reverse SSH tunnel to a C2 server under the threat actor’s control, and it was used by BlackCat. The deployed GOST file was named “system.exe,” which resembles the file name used for reverse-ssh in the BlackCat attack. The same C2 domain was used in both attacks, as seen below.

During the BlackCat attack, logging was disabled on several systems to avoid detection. An anti-rootkit tool called Gmer was used on a small number of key systems to disable endpoint detection. On a few key systems, local and domain user credentials were collected by dumping the memory of the LSASS process and extracting the credentials using Microsoft Sysinternals Procdump and Dumpert. During the BlackMatter attack, the threat operators used the built-in comsvcs.dll library to dump LSASS memory, and during the BlackCat attack they used a tool called “steal.exe” to harvest data in addition to Windows login credentials.

Before executing the ransomware, the threat operators in both attacks performed several tasks to prepare the systems for successful execution. The operators logged in to the domain controller, opened the Group Policy Management interface, and then dropped and executed a file called “apply.ps1”, which was prepared to execute the ransomware throughout the domain. Its execution rewrote the group policy files to disk, forcing deployment of the group policy. Before encrypting files, the BlackCat operators ran a script called “defender.vbs”, and the BlackMatter operators ran the same script under the name “def.vbs”. When encryption begins, the ransomware file named <num>.exe, used in both the BlackCat and BlackMatter attacks, is dropped on the domain servers inside the SYSVOL folder, which makes it accessible on the NETLOGON network share to all users in the domain. Because these files are encrypted, they are executed by all systems from the remote share.
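The tradecraft in the three preceding paragraphs (tunnel binaries dropped in C:\ under generic names, LSASS dumping via Procdump or comsvcs.dll, GPO staging scripts, and payloads run from the NETLOGON share) maps to a handful of process-creation hunting rules. The following is an added example written for this article, not code from the post or from any vendor, run over constructed Sysmon-style records; the exact file names matched by the regular expressions are an assumption based on the post's wording.

```python
"""Detection rules for the BlackCat/BlackMatter affiliate tradecraft described
above, applied to constructed process-creation records (not real telemetry)."""
import re

# Constructed sample records: image path plus command line, as Sysmon Event ID 1
# or Windows Event 4688 would record them. These are not from the incident.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\temp\l.dmp full"},
    {"image": r"C:\tools\procdump64.exe",
     "cmdline": r"procdump64.exe -accepteula -ma lsass.exe C:\temp\out.dmp"},
    {"image": r"C:\system.exe", "cmdline": r"C:\system.exe"},
    {"image": r"\\corp.example\NETLOGON\1234.exe",
     "cmdline": r"\\corp.example\NETLOGON\1234.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Windows\Temp\apply.ps1"},
    {"image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
]

# (rule name, pattern, which field to test). File names are assumed from the post.
RULES = [
    ("lsass_dump_comsvcs", re.compile(r"comsvcs\.dll.*minidump", re.I), "cmdline"),
    ("lsass_dump_procdump", re.compile(r"procdump.*\blsass\b", re.I), "cmdline"),
    ("root_drop_generic_name",
     re.compile(r"^[A-Z]:\\(system|windows|cache ?task)\.exe$", re.I), "image"),
    ("exec_from_netlogon", re.compile(r"^\\\\[^\\]+\\NETLOGON\\", re.I), "image"),
    ("gpo_staging_script",
     re.compile(r"\\(apply\.ps1|def(ender)?\.vbs)\b", re.I), "cmdline"),
]


def classify(event):
    """Return the names of every rule the event matches, in rule order."""
    return [name for name, pattern, field in RULES if pattern.search(event[field])]


def scan(events):
    """Return (image, matched rules) for each event that matched at least one rule."""
    results = []
    for event in events:
        hits = classify(event)
        if hits:
            results.append((event["image"], hits))
    return results


if __name__ == "__main__":
    for image, hits in scan(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(hits)}")
```

The `exec_from_netlogon` and `root_drop_generic_name` rules will fire on legitimate logon scripts and sloppily placed admin tools, so treat them as triage leads to correlate with the LSASS and GPO rules rather than as stand-alone alerts.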

With more ransomware groups utilizing the same attack tactics, techniques, and procedures as other affiliates, it is critical for companies to stay ahead of the current threat landscape and enhance their network security. At SpearTip, our certified engineers specialize in incident response and handling breaches with one of the fastest response times in the industry. Additionally, our engineers continuously monitor companies’ data networks at our Security Operations Center for potential ransomware threats like BlackCat and BlackMatter. The best way for companies to stay vigilant is to be proactive with their network security. SpearTip ShadowSpear, our endpoint detection and response platform, is an excellent proactive tool that prevents cyberattacks by optimizing visibility across cloud, network, and endpoint devices, providing an extra layer of protection regardless of platform.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.