The Rise of BlackCat Ransomware: A Dark Tale of Cybercrime
Research and Analysis • Mar 20, 2023
Origin: November 2021
Aliases: ALPHV-ng, Noberus, ALPHV, AlphaV, AlphaVM
Targeted Sectors: Finance, Legal, Technology, Energy, Healthcare, Manufacturing
Targeted Regions: North America, Oceania, Eastern Europe, Western Europe
Motivation: Financial gain / Monetary benefits
Common Infection Vectors: Access credentials
BlackCat (aka AlphaV, or ALPHV) ransomware was first observed in mid-November 2021. The ransomware group quickly rose to prominence for its sophisticated tactics, such as triple extortion. A report from April 2022, roughly five months after its detection, suggests that BlackCat had compromised around 69 organizations; that figure grew to around 173 by September 2022. Its developers market it as ALPHV on cybercrime forums, though experts call it BlackCat because of the picture of a black cat displayed on its ransom payment site.
A few months after its discovery, the group declared that its members came from the notorious BlackMatter/DarkSide ransomware operation, responsible for the high-profile attack on Colonial Pipeline. It is one of the first major ransomware families built from scratch in the Rust programming language and thus supports execution on multiple platforms, including Windows, Linux systems (Debian, ReadyNAS, Ubuntu, Synology), and VMware ESXi.
BlackCat's operators compromise an organization's network by leveraging stolen access credentials. After a successful intrusion, BlackCat silently collects information, maps the entire network, and manipulates accounts to gain further access. Based on the information collected, the attackers perform additional actions such as disabling security systems and deleting backups. Finally, the ransomware is executed on the targeted systems and drops ransom notes for its unsuspecting victims.
In January 2023, security experts stumbled across a creative approach by the ransomware operators to blackmail victims and demand ransom. The group created a replica of the victim's site and posted the stolen data on it when its ransom demand was not met.
In most cases, BlackCat operators have been observed exploiting these five vulnerabilities:
CVE-2016-0099: A flaw in the Secondary Logon service in Windows
CVE-2019-7481: A bug in SonicWall SMA100 affecting version 9.0.0.3 and earlier
CVE-2021-31207: Microsoft Exchange Server Security Feature Bypass Vulnerability
CVE-2021-34473: Microsoft Exchange Server Remote Code Execution Vulnerability
CVE-2021-34523: Microsoft Exchange Server Elevation of Privilege Vulnerability
The BlackCat operators use multiple tools to support their attacks across the different phases of the cyber kill chain.
ConnectWise to maintain access to infected machines.
AdFind, ADRecon, and SoftPerfect to gain access to the victim's domain accounts.
Process Hacker and Mimikatz for credential access and dumping.
For lateral movement, PsExec, RDP, and MobaXterm.
In the exfiltration stage, 7zip, RClone, MegaSync, and WinSCP.
Since November 2021, the group has been using a dedicated exfiltration tool called ExMatter. In September 2022, this tool was heavily upgraded with several capabilities, such as support for FTP and Socks5, options for GPO deployment, and heavy code refactoring to improve stealth. Additionally, the ransomware operators deployed a new malware named Eamfo, designed to target credentials saved in Veeam backups.
BlackCat operates under a Ransomware-as-a-Service (RaaS) business model and recruits its partners and affiliates via posts on top cybercrime forums. The group reportedly lets affiliates keep 80-90% of the ransom payment, while the rest goes to the BlackCat operators, which has added to its popularity in the underground marketplace.
After the ransomware group declared its rebranding from DarkSide to BlackCat, Cisco's Talos threat intelligence unit confirmed the link in its report, associating a domain name and IP address used in a BlackCat operation with an earlier BlackMatter ransomware attack. In an interview, a BlackCat representative admitted that BlackMatter, REvil, LockBit, and Maze are all connected in some way, possibly as advertisers or affiliates.
In June, Microsoft reported that the DEV-0237 and DEV-0504 threat actor groups, which previously used Ryuk, Conti, or other malware, had switched to BlackCat.
Organizations in the U.S. faced the most attacks from BlackCat, followed by Australia, Europe, and Asia-Pacific. Leak site data from BlackCat suggests that, by industry, finance and professional services are the hardest hit, followed by legal services. Furthermore, it has also targeted organizations in the technology, construction, energy and utilities, materials, healthcare, and manufacturing sectors.
Inetum Group, a French IT services provider, was reportedly the first known target of the BlackCat ransomware in 2021.
In January, Italian luxury fashion brand Moncler declared that it had suffered a security breach in December by the BlackCat ransomware operators.
In February, BlackCat cybercriminals claimed responsibility for the attack on Swissport, announcing that they planned to sell a 1.6 TB data dump to a prospective buyer.
In April, North Carolina A&T State University was targeted by attackers using the BlackCat ransomware, taking down its VPN, single sign-on websites, and Jabber, among others. The same month, the ransomware group targeted Florida International University, demanding a $25 million ransom.
In May, BlackCat demanded $5 million (in BTC) in ransom from the Austrian state of Carinthia. The group also targeted Regina Public Schools and allegedly pilfered 500 GB of files.
In June, it added the city of Alexandria to its victim list. Later that month, the University of Pisa in Italy was allegedly held to ransom for $4.5 million.
In July, Bandai Namco, the publisher of Elden Ring and Soulcalibur, was allegedly targeted by the group, affecting the private information of its employees and customers.
In August, the ransomware group took credit for targeting Creos, an energy company from Luxembourg. An automotive supplier was also hit with three separate ransomware attacks (LockBit, Hive, and BlackCat) within two weeks. Later, major airline technology provider Accelya was attacked, impacting some of its systems.
In September, the BlackCat ransomware claimed responsibility for an attack on Energy Services Manager SpA or GSE.
In October, ransomware operators claimed to have breached NJVC, an IT and defense contractor firm from the U.S.
In December, Empresas Públicas de Medellín (EPM) was hit by a cyberattack. Later, JAKKS Pacific (a leading designer, manufacturer, and marketer of toys) became the victim of Hive and BlackCat.
In January, BlackCat reportedly targeted Grupo Estrategas EMM and NextGen Healthcare. Around the month's end, the ransomware operators claimed to have stolen 2 TB of sensitive data from Solar Industries India and also added Instituto Federal Do Pará (IFPA) to their data leak site.
In February, the BlackCat group dumped 6 GB of data stolen from Munster Technological University. Later, the Lehigh Valley Health Network was targeted by the ransomware group.
In March, the group was observed leaking the data stolen from Pennsylvania-based Lehigh Valley Health Network.
To start with, prioritize fixing the vulnerabilities the ransomware group is known to exploit, specifically CVE-2016-0099, CVE-2019-7481, CVE-2021-31207, CVE-2021-34473, and CVE-2021-34523. To mitigate risk from BlackCat operators, security teams are recommended to establish a stronger security framework with a multi-layered defense architecture. Ensure no unused ports are left open, set up multi-factor authentication, and implement session timeouts.
Furthermore, security teams must automatically enrich, analyze, and operationalize threat intel around ransomware threats such as BlackCat. Cyware's advanced threat intel platform Intel Exchange (CTIX) offers advanced confidence scoring, an industry-leading correlation engine, and automated actioning to proactively stop such threats. As a reliable threat intelligence solution, Intel Exchange (CTIX) helps gather and leverage field-validated intel, streamline intel sharing and collaboration, and improve cyber resilience against a variety of threats.
Developed by advanced threat actors, BlackCat represents a highly sophisticated RaaS model for a well-known threat that leaves a lasting impact on its victims. The use of the Rust language makes the ransomware a potential threat to various operating systems. Moreover, its extortion techniques for pressuring victims into paying the ransom are unmatched among other major threat groups. The group is currently active, so you must keep your guard up, 24/7.
URLs
id7seexjn4bojn5rvo4lwcjgufjz7gkisaidckaux3uvjc7l7xrsiqad[.onion]
sty5r4hhb5oihbq2mwevrofdiqbgesi66rvxr5sr573xgvtuvr4cs5yd[.onion]
htnpafzbvddr2llstwbjouupddflqm7y7cr7tcchbeo6rmxpqoxcbqqd[.onion]
aoczppoxmfqqthtwlwi4fmzlrv6aor3isn6ffaiic55wrfumxslx3vyd[.onion]
alphvmmm27o3abo3r2mlmjrpdmzle3rykajqc5xsj7j7ejksbpsa36ad[.onion]
2cuqgeerjdba2rhdiviezodpu3lc4qz2sjf4qin6f7std2evleqlzjid[.onion]
zujgzbu5y64xbmvc42addp4lxkoosb4tslf5mehnh7pvqjpwxn5gokyd[.onion]
mu75ltv3lxd24dbyu6gtvmnwybecigs5auki7fces437xvvflzva2nqd[.onion]
SHA256
f815f5d6c85bcbc1ec071dd39532a20f5ce910989552d980d1d4346f57b75f89
c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40
74464797c5d2df81db2e06f86497b2127fda6766956f1b67b0dcea9570d8b683
4e18f9293a6a72d5d42dad179b532407f45663098f959ea552ae43dbb9725cbf
1af1ca666e48afc933e2eda0ae1d6e88ebd23d27c54fd1d882161fd8c70b678e
15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed
13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31
c8b3b67ea4d7625f8b37ba59eed5c9406b3ef04b7a19b97e5dd5dab1bd59f283
bd337d4e83ab1c2cacb43e4569f977d188f1bb7c7a077026304bf186d49d4117
7b2449bb8be1b37a9d580c2592a67a759a3116fe640041d0f36dc93ca3db4487
38834b796ed025563774167716a477e9217d45e47def20facb027325f2a790d1
2cf54942e8cf0ef6296deaa7975618dadff0c32535295d3f0d5f577552229ffc
28d7e6fe31dc00f82cb032ba29aad6429837ba5efb83c2ce4d31d565896e1169
0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479
f8c08d00ff6e8c6adb1a93cd133b19302d0b651afd73ccb54e3b6ac6c60d99c6
731adcf2d7fb61a8335e23dbee2436249e5d5753977ec465754c6b699e9bf161
59868f4b346bd401e067380cac69080709c86e06fae219bfb5bc17605a71ab3f
3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83
7e363b5f1ba373782261713fa99e8bbc35ddda97e48799c4eb28f17989da8d8e
cefea76dfdbb48cfe1a3db2c8df34e898e29bec9b2c13e79ef40655c637833ae
67d1f4077e929385cfd869bf279892bf10a2c8f0af4119e4bc15a2add9461fec
0a609fa2db910615b2c1ad235ca46562ff4034800c44802a63a28826669a7eee
cda37b13d1fdee1b4262b5a6146a35d8fc88fa572e55437a47a950037cc65d40
bacedbb23254934b736a9daf6de52620c9250a49686d519ceaf0a8d25da0a97f
C2 Server IP Addresses
89.44.9[.]243
142.234.157[.]246
45.134.20[.]66
185.220.102[.]253
37.120.238[.]58
152.89.247[.]207
198.144.121[.]93
89.163.252[.]230
45.153.160[.]140
23.106.223[.]97
139.60.161[.]161
146.0.77[.]15
94.232.41[.]155
Filename
http_x64.exe
spider.dll
spider_32.dll
powershell.dll
rpcdump.exe
CheckVuln.bat
Create-share-RunAsAdmin.bat
LPE-Exploit-RunAsUser.bat
RCE-Exploit-RunAsUser.bat
est.bat
runav.bat
amd - Copy.ps1
ipscan.ps1
Run1.ps1
MD5
6c2874169fdfb30846fe7ffe34635bdb
20855475d20d252dda21287264a6d860
82db4c04f5dcda3bfcd75357adf98228
fcf3a6eeb9f836315954dae03459716d
91625f7f5d590534949ebe08cc728380
f5ef5142f044b94ac5010fd883c09aa7
84e3b5fe3863d25bb72e25b10760e861
9f2309285e8a8471fce7330fcade8619
6c6c46bdac6713c94debbd454d34efd9
e7ee8ea6fb7530d1d904cdb2d9745899
815bb1b0c5f0f35f064c55a1b640fca5
861738dd15eb7fb50568f0e39a69e107
9f60dd752e7692a2f5c758de4eab3e6f
09bc47d7bc5e40d40d9729cec5e39d73
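The indicators above are published in defanged form ([.] and [.onion]) and one SHA256 is mixed-case, so they cannot be matched against logs as-is. The following is an added example, not code from the original post or from Cyware, showing how a defender would refang a subset of these indicators and run them over constructed sample log lines (proxy, Tor-exit and EDR events, all made up here) with token boundaries so that, for example, 89.44.9.243 is not reported inside an unrelated address such as 189.44.9.243. The log format is an assumption; only the indicator values come from the page.

```python
import re
from dataclasses import dataclass

# Subset of the indicators from the advisory above, copied in its defanged
# notation. Extend the lists from the page as needed.
DEFANGED_IOCS = {
    "sha256": [
        "f815f5d6c85bcbc1ec071dd39532a20f5ce910989552d980d1d4346f57b75f89",
        "Cefea76dfdbb48cfe1a3db2c8df34e898e29bec9b2c13e79ef40655c637833ae",
    ],
    "md5": [
        "6c2874169fdfb30846fe7ffe34635bdb",
        "20855475d20d252dda21287264a6d860",
    ],
    "ip": ["89.44.9[.]243", "185.220.102[.]253"],
    "onion": ["alphvmmm27o3abo3r2mlmjrpdmzle3rykajqc5xsj7j7ejksbpsa36ad[.onion]"],
    "filename": ["rpcdump.exe", "LPE-Exploit-RunAsUser.bat", "amd - Copy.ps1"],
}

# Constructed sample log lines (hypothetical format); lines 1-4 contain
# indicators, line 5 contains a look-alike address, line 6 is benign.
SAMPLE_LOGS = [
    "2023-03-20T10:01:02Z proxy host=ws-17 user=jdoe dst=89.44.9.243:443 action=allow",
    "2023-03-20T10:03:15Z tor-exit host=ws-17 url=http://alphvmmm27o3abo3r2mlmjrpdmzle3rykajqc5xsj7j7ejksbpsa36ad.onion/ path=/",
    '2023-03-20T10:05:00Z edr host=ws-17 event=file_create path="C:\\Users\\Public\\rpcdump.exe" sha256=CEFEA76DFDBB48CFE1A3DB2C8DF34E898E29BEC9B2C13E79EF40655C637833AE',
    '2023-03-20T10:06:30Z edr host=ws-22 event=process parent=explorer.exe image="C:\\Users\\Public\\amd - Copy.ps1" md5=6C2874169FDFB30846FE7FFE34635BDB',
    "2023-03-20T10:07:45Z proxy host=ws-31 dst=189.44.9.243:443 action=allow",
    "2023-03-20T10:08:00Z proxy host=ws-31 dst=8.8.8.8:53 action=allow",
]


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str
    indicator: str


def refang(indicator: str) -> str:
    """Turn the advisory's defanged form into a matchable, lower-cased string.
    Lower-casing makes the mixed-case SHA256 entry match hex written either way."""
    s = indicator.strip().replace("[.onion]", ".onion").replace("[.]", ".")
    return s.replace("hxxp", "http").lower()


def _pattern(kind: str, value: str) -> re.Pattern:
    """Anchor the indicator on token boundaries so it is not found inside a
    longer hash, a longer IP address, or a longer file name."""
    if kind in ("sha256", "md5"):
        return re.compile(r"(?<![0-9a-f])" + re.escape(value) + r"(?![0-9a-f])")
    return re.compile(r"(?<![\w.\-])" + re.escape(value) + r"(?![\w.\-])")


def compile_iocs(defanged=DEFANGED_IOCS):
    """Refang every indicator once and pre-compile its boundary-aware regex."""
    compiled = []
    for kind, values in defanged.items():
        for raw in values:
            clean = refang(raw)
            compiled.append((kind, clean, _pattern(kind, clean)))
    return compiled


def scan_lines(lines, compiled=None):
    """Return a Hit for every (line, indicator) pair that matches.
    Lines are lower-cased so case differences in hashes or paths do not matter."""
    if compiled is None:
        compiled = compile_iocs()
    hits = []
    for n, raw in enumerate(lines, start=1):
        line = raw.lower()
        for kind, value, pat in compiled:
            if pat.search(line):
                hits.append(Hit(n, kind, value))
    return hits


if __name__ == "__main__":
    for h in scan_lines(SAMPLE_LOGS):
        print(f"line {h.line_no}: {h.kind} indicator {h.indicator}")
```

Running the block reports six hits on lines 1 through 4 (IP, onion address, file name plus SHA256, file name plus MD5) and nothing on lines 5 and 6. Feeding it real logs is a matter of replacing SAMPLE_LOGS with an iterator over the log file and loading the full indicator lists from the page.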