BlackCat Ransomware
March 2, 2022
Topics
- Ransomware
A ransomware group that writes its malware in the Rust programming language and has ties to DarkSide and BlackMatter has been increasing its activity, and many organizations have fallen victim to its ransomware.
PerimeterWatch’s Threat Intelligence Team has been tracking a newcomer to the ransomware scene. The group calls itself ALPHV, while security researchers have dubbed it BlackCat; it has been active since late 2021. It operates as a ransomware-as-a-service (RaaS) operation and has been aggressively recruiting affiliates from other ransomware groups such as REvil, DarkSide, and BlackMatter. The group practices a triple-extortion technique: it encrypts data, threatens to release stolen sensitive data, and also threatens to launch denial-of-service (DDoS) attacks if its demands are not met. BlackCat is also considered to be the first professional cybercrime group to create and use a ransomware strain written in the Rust programming language.
The BlackCat operators were discovered actively promoting themselves on Russian-language hacking forums. The malware developers call the ransomware ALPHV, but because the icon on their website shows a black cat, researchers have dubbed the malware BlackCat. A representative of BlackCat has been advertising the RaaS on the underground forums XSS and Exploit, inviting other criminals to join ransomware attacks on large companies. The attacker claims that the malware can encrypt data on systems running Windows, Linux and VMware ESXi, and that partners will receive from 80% to 90% of the final ransom, depending on the total amount received from the victims.
According to dark web forums, many believed that the creator of BlackCat had ties to the REvil ransomware gang or to the DarkSide/BlackMatter group. The BlackCat group has recently confirmed that they are former affiliates of the DarkSide/BlackMatter ransomware operation, though many believe they are former members of that group rather than affiliates. DarkSide was the ransomware gang responsible for the Colonial Pipeline cyber-attack. After this incident, the group rebranded as BlackMatter because of pressure from law enforcement agencies. However, the BlackMatter ransomware is now “dead” after a research group discovered a vulnerability in it. After the failure of BlackMatter, the group reorganized, hired new developers and returned as BlackCat.
The BlackCat ransomware has gained traction and has amassed a large number of victims. The popularity of the ransomware is due to its being written in the Rust programming language. While Rust is not typically used to write malware, it has gradually gained popularity because Rust is a much more secure programming language than C and C++. Because Rust is secure, it is difficult to find coding weaknesses, which makes the malware hard to analyze. By using Rust, BlackCat operators can compile it for various operating system architectures. Rust is a customizable programming language, which gives the operators the ability to pivot and individualize attacks. The BlackCat ransomware has been dubbed the most sophisticated ransomware to date because it is highly customizable, with different encryption methods and options that allow attacks on a wide range of corporate environments.
While BlackCat members have claimed to be affiliates of DarkSide/BlackMatter, their activity makes it more likely that they are the members themselves. DarkSide was infamous for its attack on Colonial Pipeline, a piece of critical infrastructure; that attack forced the group to shut down and rebrand. In February 2022, the BlackCat ransomware group was responsible for attacks on oil supply and distribution companies, leading to supply chain problems. Oiltanking, a German petrol distributor, and Mabanaft GmbH, an oil supplier, suffered a ransomware attack that disrupted the fuel supply chain and caused gas shortages. The similarities surely indicate a relationship between DarkSide and BlackCat.
The BlackCat ransomware is a highly sophisticated malware family that has been gaining traction in recent months. Its victim count continues to grow, and organizations need to be aware of the group's activity to better protect themselves from potential attacks. Organizations must practice good cyber hygiene to better secure themselves against ransomware threats. PerimeterWatch recommends that organizations:
- Educate employees on the various tactics cybercriminals use to launch attacks.
Indicators of Compromise
Tor (.onion) sites:
id7seexjn4bojn5rvo4lwcjgufjz7gkisaidckaux3uvjc7l7xrsiqad[.onion]
sty5r4hhb5oihbq2mwevrofdiqbgesi66rvxr5sr573xgvtuvr4cs5yd[.onion]
htnpafzbvddr2llstwbjouupddflqm7y7cr7tcchbeo6rmxpqoxcbqqd[.onion]
aoczppoxmfqqthtwlwi4fmzlrv6aor3isn6ffaiic55wrfumxslx3vyd[.onion]
alphvmmm27o3abo3r2mlmjrpdmzle3rykajqc5xsj7j7ejksbpsa36ad[.onion]
2cuqgeerjdba2rhdiviezodpu3lc4qz2sjf4qin6f7std2evleqlzjid[.onion]
zujgzbu5y64xbmvc42addp4lxkoosb4tslf5mehnh7pvqjpwxn5gokyd[.onion]
mu75ltv3lxd24dbyu6gtvmnwybecigs5auki7fces437xvvflzva2nqd[.onion]
SHA-256 file hashes:
f815f5d6c85bcbc1ec071dd39532a20f5ce910989552d980d1d4346f57b75f89
c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40
74464797c5d2df81db2e06f86497b2127fda6766956f1b67b0dcea9570d8b683
4e18f9293a6a72d5d42dad179b532407f45663098f959ea552ae43dbb9725cbf
1af1ca666e48afc933e2eda0ae1d6e88ebd23d27c54fd1d882161fd8c70b678e
15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed
13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31
c8b3b67ea4d7625f8b37ba59eed5c9406b3ef04b7a19b97e5dd5dab1bd59f283
bd337d4e83ab1c2cacb43e4569f977d188f1bb7c7a077026304bf186d49d4117
7b2449bb8be1b37a9d580c2592a67a759a3116fe640041d0f36dc93ca3db4487
38834b796ed025563774167716a477e9217d45e47def20facb027325f2a790d1
2cf54942e8cf0ef6296deaa7975618dadff0c32535295d3f0d5f577552229ffc
28d7e6fe31dc00f82cb032ba29aad6429837ba5efb83c2ce4d31d565896e1169
0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479
f8c08d00ff6e8c6adb1a93cd133b19302d0b651afd73ccb54e3b6ac6c60d99c6
731adcf2d7fb61a8335e23dbee2436249e5d5753977ec465754c6b699e9bf161
59868f4b346bd401e067380cac69080709c86e06fae219bfb5bc17605a71ab3f
3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83
7e363b5f1ba373782261713fa99e8bbc35ddda97e48799c4eb28f17989da8d8e
cefea76dfdbb48cfe1a3db2c8df34e898e29bec9b2c13e79ef40655c637833ae
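To turn the list above into a detection check, here is an added Python example written for this page (it is not PerimeterWatch's code). It hashes every file under a directory against the SHA-256 list and searches proxy or DNS log lines for the listed .onion hostnames. The IoC values are copied from the post; the log lines are constructed for the example, and the `refang` handling of `[.]` / `[.onion]` defanging is an assumption about how threat-intel feeds format such values.

```python
import hashlib
import re
from pathlib import Path

# SHA-256 hashes of BlackCat/ALPHV samples, copied from the IoC list above.
BLACKCAT_SHA256 = {
    "f815f5d6c85bcbc1ec071dd39532a20f5ce910989552d980d1d4346f57b75f89",
    "c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40",
    "74464797c5d2df81db2e06f86497b2127fda6766956f1b67b0dcea9570d8b683",
    "4e18f9293a6a72d5d42dad179b532407f45663098f959ea552ae43dbb9725cbf",
    "1af1ca666e48afc933e2eda0ae1d6e88ebd23d27c54fd1d882161fd8c70b678e",
    "15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed",
    "13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31",
    "c8b3b67ea4d7625f8b37ba59eed5c9406b3ef04b7a19b97e5dd5dab1bd59f283",
    "bd337d4e83ab1c2cacb43e4569f977d188f1bb7c7a077026304bf186d49d4117",
    "7b2449bb8be1b37a9d580c2592a67a759a3116fe640041d0f36dc93ca3db4487",
    "38834b796ed025563774167716a477e9217d45e47def20facb027325f2a790d1",
    "2cf54942e8cf0ef6296deaa7975618dadff0c32535295d3f0d5f577552229ffc",
    "28d7e6fe31dc00f82cb032ba29aad6429837ba5efb83c2ce4d31d565896e1169",
    "0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479",
    "f8c08d00ff6e8c6adb1a93cd133b19302d0b651afd73ccb54e3b6ac6c60d99c6",
    "731adcf2d7fb61a8335e23dbee2436249e5d5753977ec465754c6b699e9bf161",
    "59868f4b346bd401e067380cac69080709c86e06fae219bfb5bc17605a71ab3f",
    "3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83",
    "7e363b5f1ba373782261713fa99e8bbc35ddda97e48799c4eb28f17989da8d8e",
    "cefea76dfdbb48cfe1a3db2c8df34e898e29bec9b2c13e79ef40655c637833ae",
}

# Tor hidden-service hostnames from the IoC list above, with the "[.onion]"
# defanging removed so they compare directly against log fields.
BLACKCAT_ONION = {
    "id7seexjn4bojn5rvo4lwcjgufjz7gkisaidckaux3uvjc7l7xrsiqad.onion",
    "sty5r4hhb5oihbq2mwevrofdiqbgesi66rvxr5sr573xgvtuvr4cs5yd.onion",
    "htnpafzbvddr2llstwbjouupddflqm7y7cr7tcchbeo6rmxpqoxcbqqd.onion",
    "aoczppoxmfqqthtwlwi4fmzlrv6aor3isn6ffaiic55wrfumxslx3vyd.onion",
    "alphvmmm27o3abo3r2mlmjrpdmzle3rykajqc5xsj7j7ejksbpsa36ad.onion",
    "2cuqgeerjdba2rhdiviezodpu3lc4qz2sjf4qin6f7std2evleqlzjid.onion",
    "zujgzbu5y64xbmvc42addp4lxkoosb4tslf5mehnh7pvqjpwxn5gokyd.onion",
    "mu75ltv3lxd24dbyu6gtvmnwybecigs5auki7fces437xvvflzva2nqd.onion",
}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk_size=1 << 20) -> str:
    # Stream the file so large archives do not have to fit in memory.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def is_known_sample(hexdigest: str) -> bool:
    return hexdigest.strip().lower() in BLACKCAT_SHA256


def scan_directory(root):
    """Return [(path, sha256)] for every file under root whose hash is on the IoC list."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file():
            digest = sha256_file(p)
            if is_known_sample(digest):
                hits.append((str(p), digest))
    return hits


# v2/v3 onion names are base32 (a-z, 2-7), 16 or 56 characters long.
ONION_RE = re.compile(r"\b([a-z2-7]{16,56}\.onion)\b", re.IGNORECASE)


def refang(text: str) -> str:
    # Assumed defanging styles: "[.]" and "[.onion]" as used in the list above.
    return text.replace("[.]", ".").replace("[.onion]", ".onion")


def find_onion_hits(log_lines):
    """Return [(line_number, hostname)] for lines that reference a listed .onion site."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for m in ONION_RE.finditer(refang(line)):
            host = m.group(1).lower()
            if host in BLACKCAT_ONION:
                hits.append((n, host))
    return hits


# Constructed proxy log lines for demonstration only; not real traffic.
SAMPLE_PROXY_LOG = [
    "2022-03-01T10:14:02Z host=ws-17 dst=alphvmmm27o3abo3r2mlmjrpdmzle3rykajqc5xsj7j7ejksbpsa36ad.onion port=443 action=allow",
    "2022-03-01T10:15:40Z host=ws-17 dst=update.example.com port=443 action=allow",
    "2022-03-01T10:16:11Z host=ws-22 dst=zujgzbu5y64xbmvc42addp4lxkoosb4tslf5mehnh7pvqjpwxn5gokyd[.]onion port=80 action=block",
]

if __name__ == "__main__":
    for n, host in find_onion_hits(SAMPLE_PROXY_LOG):
        print(f"line {n}: contact with listed BlackCat site {host}")
    for path, digest in scan_directory("."):
        print(f"{path}: matches BlackCat sample {digest}")
```

Hash matching only catches the exact samples listed, so treat a miss as inconclusive; the .onion check is more durable because the leak and negotiation sites change less often than the binaries, and a match on any endpoint warrants an incident-response look at that host.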