OVERVIEW
BlackCat Ransomware, also known as ALPHV, is a variant that operates under the RaaS (Ransomware as a Service) model and has target many countries and industries worldwide. The FBI released a FLASH report on the variant on April of 2022, detailing the malware and the fact that it has already compromised roughly 60 entities across the world.
Blackcat is cross-platform for Windows and Linux, due to it being coded in RUST programming language -the first to successfully do so, with RUST being viewed as more secure than alternatives.
FBI FLASH report can be found here
TARGETING
BlackCat Ransomware has been observed to target a broad spectrum of countries and industries, due to its RaaS model. The group has often requested very large sums of payments made through Monero or Bitcoin, potentially meaning its financially motivated (but that's not confirmed).
DELIVERY
Initial access is achieved with previously compromised user credentials. It uses Windows Task Scheduler and a mix of PowerShell scripts and batch files in order to set the stage for the Ransomware payload execution - the techniques mentioned include defense evasion, disabling security tools and obstruction of backup/recovery.
BLACKCAT INSTALLATION
After initial access and delivery of the early stages/preparation for the payload execution, proprietary data is exfiltrated via the Fendr tool in order to add another aspect to the extortion of the victim. Other techniques such as Propagation to other systems via PSExec and deletion of Shadow Copies is executed before the Ransomware is launched as well. When the ransomware executable (coded in RUST) is launched, files are encrypted in AES standard encryption and appended with a seven character alphanumeric extension that varies between victims.
After encryption process is completed, similar to other ransomware variants, a ransom note is dropped into each folder and a PNG image file for each user is set as their desktop wallpaper.
BLACKCAT PERSISTENCE
Persistence is achieved with the encryption of files/folders on the victim's system.
BlackCat Threat Update
The BlackCat ransomware variant, also known as ALPHV, was first observed in November of 2021. The group operates under the Ransomware-as-a-Service (RaaS) model and has targeted many countries worldwide; including the United States, Europe, South America and Philippines. They have also been observed to target industries; such as business services, construction, energy, mining, finance, logistics, manufacturing, pharmaceutical, retail, and technology. The variant remains quite active, with publicly known incidents ranging from attacks on a South American industrial company, an Italian fashion brand 'Moncler', international oil companies headquartered in Germany, and ransomware attacks on schools in the United States (including Florida International University and north Carolina A&T University).
This month (April 2022) the Federal Bureau of Investigation (FBI) released a warning in regards to the BlackCat variant, stating that the hacking group has already compromised roughly 60 entities across the world - often requesting very large sums of payments made through Monero or Bitcoin. They are also the first to successfully do so using RUST, a programming language that is viewed as more secure. Also note, that another aspect that distinguishes this variant from others, is the usage of Fendr utility in order to exfiltrate data - the only other group seen to utilize this tool is BlackMatter. The variant is cross-platform, compatible with Windows and Linux operating systems due to the cross compatibility of the RUST language. With the FBI releasing the FLASH warning, it is important to assess, understand and prepare for this variant as it evolves.
FBI FLASH report can be found here: https://www.ic3.gov/Media/News/2022/220420.pdf