All About BlackCat (AlphaV) Ransomware

Did you know that the BlackCat ransomware group breached 60+ organizations in a single month?

Healthcare, public health, government, or energy—the group has stopped at nothing, and has made ransom demands ranging from $400,000 to $3 million USD. Our research shows that the BlackCat group exploits vulnerabilities in Windows operating systems and servers, exchange servers, and Secure Mobile Access products. Read on to learn how Securin can help you ward off such attacks.

BlackCat, also known as AlphaV, ALPHV, AlphaVM, ALPHV-ng, or Noberus, is a ransomware group that garnered the tag “Most Sophisticated Ransomware of 2021” within two months of its public footprint. Since being first spotted in November 2021, the BlackCat group has slowly made its way to the top of the charts. Researchers have also suggested that the group might have strong connections with REvil, DarkSide, BlackMatter, and Conti groups.

Recent Updates

The BlackCat group has been constantly adding victims to its dark leak site. Read more about BlackCat ransomware attacks.

BlackCat: A Cheat Sheet

1. BlackCat has the methods to exploit five vulnerabilities – CVE-2016-0099, CVE-2019-7481, CVE-2021-31207, CVE-2021-34473, and CVE-2021-34523.

2. Interestingly, three vulnerabilities are of high severity. Although not of the critical severity category, they need to take precedence in the patching process owing to the associated threat context.

3. CVE-2021-31207, CVE-2021-34473, and CVE-2021-34523 are ProxyShell vulnerabilities known for their dangerous exploitation in vulnerability chaining attacks and have multiple threat actor associations.

4. CVE-2016-0099 is a six-year-old privilege escalation vulnerability in older versions of Microsoft Windows, which are still widely used.

5. CVE-2019-7481 is an SQL injection vulnerability in SonicWall Secure Remote Access devices that have reached their end of life. With no active support from the vendor, this vulnerability needs extra attention or a complete version overhaul.

6. The ransomware is deployed by APT groups: FIN7, FIN12, DEV-0504, and DEV-0237, to intensify their attacks.

How Does BlackCat Attack?

Below, we outline the group’s attack techniques and tactics.

The Ransom Tactic

The BlackCat group demands ransom payments in Monero or Bitcoins (for an additional fee). Ransom demands ranging from $400,000 to $3 million USD are typical of the group. Interestingly, the ransom notes used are customized for every victim, sometimes with a unique data leak site, ensuring complete privacy for negotiations. In addition, the gang’s payment site is controlled by an access key, ensuring negotiation sites cannot be accessed even in the event of a ransomware code leak.

Interesting Features

The backbone of the ransomware group is a set of highly-customizable features that allow for sophisticated attacks across a range of environments.

• Usage of the Rust framework, a new trend that is picking up in the threat circle, brings additional stability and integration possibilities.

• The malware code is entirely command-line driven and human-operated, introducing a high degree of configurability.

• Ransomware is capable of using four different encryption methods on victim data.

• The code is built for cross-platform deployment, with support for Linux and Windows operating systems, and VMWare’s ESXi environment.

BlackCat is yet another affiliate of the Ransomware-as-a-Service (RaaS) practice, relying on compromised or privileged credentials and weaknesses in code to launch their attacks. This is the first ransomware with its code completely written in the Rust programming language, allegedly having in-built safety measures. The group is known to use methods enabling data encryption at alarming speeds, giving victims lesser chances of preventing extended damage. Its data leak site allows data searches by the victim’s name, passwords, and even confidential documents.

How Dangerous is BlackCat Ransomware?

While not all cyberattacks of the BlackCat group have come to light, the FBI released a warning in April 2022, declaring that the group was involved in successful attacks against 60 organizations in the previous month. The group has been observed targeting institutions regardless of sector—including healthcare, public health, government, and energy—across the US, Australia, Germany, and India.

Exploits Overlooked Exposures: From our research into the BlackCat group’s arsenal, we observe that it has not shied away from using exposures in many organizational networks, which are typically categorized as “low risk” vulnerabilities.

• Local sockets: A socket, or a combination of ports and IP addresses, was leveraged to execute multiple instances of the ransomware simultaneously, speeding up the encryption process.

• Open ports: Dynamic ports that are not commonly used, and are likely to be easily available, are targets. In one instance, the group is known to have established a server via the port to listen in on the machine’s activities.

• Old vulnerabilities: The group targets old vulnerabilities (a 2016 CVE in Microsoft Windows) that organizations might not prioritize amidst the influx of more recent threats.

• End-of-life software: BlackCat uses unpatched vulnerabilities in end-of-life software (a 2019 SQL injection flaw in SonicWall Secure Remote Access) to enter into vulnerable networks. Devices that are no longer supported by their vendors offer permanent attack vectors for hackers with malicious motives.

Has APT Group/Threat Associations: Threat actors that favor ransomware groups like Ryuk or REvil are now deploying the BlackCat ransomware payload in their attacks. APT groups like DEV-0504, DEV-0237, and FIN12 have been observed using the payload. Researchers have also observed FIN7 intrusions right before BlackCat ransomware incidents, leading us to believe that the threat actor could also be using the ransomware as a tool.

Adopts the Triple Extortion Method: The BlackCat ransomware group has adopted the latest threat in the ransomware scene: the new and emerging triple extortion method. Attackers steal data from the local machine and cloud servers and then execute ransomware. Then, they introduce additional pressure on the victim via DDoS attacks or data leaks. The group is also known to put up extorted data for sale in dark web forums.

The BlackCat ransomware group was called out in Securin’s Q1 2022 Ransomware Index Report as one of the new additions to our ransomware database, along with some noteworthy trends.

Recent BlackMatter/AlphaV attacks: Here is a look into some of the publicly disclosed attacks by BlackCat.

How to Detect BlackCat in Your Environment

Here are the indicators of compromise that can help you detect a BlackCat ransomware attack.

What Can Organizations Do to Prevent a BlackCat Attack?

The BlackCat ransomware group is soon becoming one of the favorite payloads of many threat actors. With this in mind, here are some measures that organizations can adopt to stay safe from a ransomware attack.

• Patch the vulnerabilities used by the group, and ensure no unused ports/instances are left hanging.

• Set up multi-factor authentication, implement session timeouts, and practice good password hygiene.

• Perform a regular Attack Surface Management scan to discover exposures in your assets, domain controllers, active directories, servers, and all cloud-connected deployments.

• Perform a penetration test on your systems to identify if they are vulnerable via unidentified exposures.

• Regularly back up data in secure storage devices.

How Can Securin’s Ransomware Assessment Help?

Securin has been researching ransomware groups and the methods they use to invade networks since 2019. Our comprehensive database of more than 310 vulnerabilities (and counting) used by ransomware groups is the most extensive compilation in the industry today. Securin’s expertise in ransomware research translates into our Ransomware Assessment service that can help organizations understand the following facets of their cybersecurity environment:

• Exposure to ransomware

• Known and unknown internet exposures

• Critical exposures and what needs to be fixed first

Sign up for Securin’s ransomware assessment today. Ensure you are not the next victim on a dark leak site.