Ransomware Q2 & Q3 Report is live now!

All about BlackCat (ALPHV)

Posted on Jul 14, 2022 | Updated on Sep 06, 2022 | By Priya Ravindran

Did you know that the BlackCat ransomware group breached 60+ organizations in a single month? Be it healthcare, public health, government, or energy - the group has stopped at nothing, with ransom demands ranging from $400,000 to $3 million. Our research shows that the BlackCat group exploits vulnerabilities in Windows operating systems and servers, Exchange Servers, and Secure Mobile Access products. Read on to know how CSW can help you ward off such attacks.

 

BlackCat, also known as AlphaV, ALPHV, AlphaVM, ALPHV-ng or Noberus, is a ransomware group that garnered the tag “Most Sophisticated Ransomware of 2021”, within two months of its public footprint. Since being first spotted in November 2021, the BlackCat group has slowly made its way to the top of the charts. Researchers have also suggested that the group might have strong connections with Revil, DarkSide, BlackMatter, and Conti groups.

 

Recent Updates

The BlackCat group has been constantly adding victims to its dark leak site. Read more about BlackCat ransomware attacks.

 

BlackCat - A cheat sheet

  1. BlackCat has the methods to exploit five vulnerabilities - CVE-2016-0099, CVE-2019-7481, CVE-2021-31207, CVE-2021-34473, and CVE-2021-34523.

  2. Interestingly, three vulnerabilities are of high severity. Although not of the critical severity category, they need to take precedence in the patching process owing to the associated threat context.

  3. CVE-2021-31207, CVE-2021-34473, and CVE-2021-34523 are ProxyShell vulnerabilities known for their dangerous exploitation in vulnerability chaining attacks and have multiple threat actor associations.

  4. CVE-2016-0099 is a six-year-old privilege escalation vulnerability in older versions of Microsoft Windows still widely used.

  5. CVE-2019-7481 is an SQL injection vulnerability in SonicWall Secure Remote Access devices that have reached their end of life. With no active support from the vendor, this vulnerability needs extra attention or a complete version overhaul.

  6. The ransomware is deployed by APT groups FIN7, FIN12, DEV-0504, and DEV-0237 to intensify their attacks.

How does BlackCat attack

Below, we outline the group’s attack techniques and tactics.

Reconnaissance: TA0043

  • T1595: Active Scanning

  • T1589.001: Gather Victim Identity Information (Credentials)

Initial Access: TA0001

  • T1078: Valid Accounts

    • BlackCat leverages compromised credentials to enter into networks.

  • T1190: Exploit Public-Facing Application

    • Exploits Unpatched Microsoft Exchange Servers (ProxyShell CVEs)

Persistence: TA0003

  • T1098: Account Manipulation

    • Creates new users and adds them to the local administrator group.

Privilege Escalation: TA0004

  • TA1548.002: Abuse Elevation Control Mechanism: Bypass User Account Control

    • Built-in privilege escalation (UAC bypass, Masquerade_PEB, CVE-2016-0099)

Defense Evasion: TA0005

  • T1564: Hide Artifacts

    • Notable capabilities and characteristics observed include evasive tactics such as masking a tampered DLL to make it seem legitimate.

Credential Access: TA0006

  • T1003.001: OS Credential Dumping: LSASS Memory, T1003.004: OS Credential Dumping: LSA Secrets.

    • Creates dump file of LSASS process to steal credentials via malware or task manager.

Discovery: TA0007

  • T1082: System Information Discovery, T1135: Network Share Discovery

    • Executes cmd.exe and net.exe to collect system and network information.

  • T1018: Remote System Discovery

    • Uses WMIC and Mounting network shares to enumerate remote systems.

  • T1087.002: Account Discovery: Domain Account, T1487: Domain Trust Discovery.

    • Uses ADFind (S0552) and ADRecon to gather Active Directory environment information.

  • T1057: Process Discovery, T1083: File & Directory Discovery.

Lateral Movement: TA0008

  • T1563.002: Remote Service Hijacking: RDP Hijacking

    • Utilizes Remote Desktop Client to sign into target devices.

  • T1570: Lateral Tool Transfer

    • BlackCat has been observed using SMB to copy and launch the Total Deployment Software administrative tool, allowing remote automated software deployment.

Collection: TA0009

  • T1005: Data from Local System

    • To steal intellectual property, the attackers targeted and collected data from SQL databases.

Command & Control: TA0011

  • T1090.003: Multi-hop Proxy

    • Disguises the source of malicious traffic by chaining together multiple proxies.

Exfiltration: TA0010

  • T1567.002: Exfiltration Over Web Service: Exfiltration to Cloud Storage

    • Used both MEGAsync and Rclone, which were renamed as legitimate Windows processes (for example, winlogon.exe, mstsc.exe) to exfiltrate sensitive data.

Impact: TA0040

  • T1486: Data Encrypted for Impact

    • BlackCat used PSExec to distribute ransomware and encrypt files.

    • BlackCat employed the Double Extortion technique.

  • T1489: Service Stop, T1490: Inhibit System Recovery

    • BlackCat ransomware stops operational services and obstructs recovery attempts.


The Ransom tactic

The BlackCat group demands ransom payments in Monero or Bitcoins (for an additional fee). Ransom demands ranging from $400,000 to $3 million are typical of the group. Interestingly, the ransom notes used are customized for every victim, sometimes with a unique data leak site, ensuring complete privacy for negotiations. On top of this, the gang’s payment site is controlled by an access key, ensuring negotiation sites cannot be accessed even in the event of a ransomware code leak. 

 

Interesting Features

The backbone of the ransomware group is a set of highly-customizable features that allow for sophisticated attacks across a range of environments.

  • Usage of the Rust framework, a new trend that is picking up in the threat circle, brings additional stability and integration possibilities.

  • The malware code is entirely command-line driven and human-operated, introducing a high degree of configurability.

  • Ransomware is capable of using four different encryption methods on victim data.

  • The code is built for cross-platform deployment, with support for Linux and Windows operating systems, and VMWare’s ESXi environment.

The BlackCat is yet another affiliate of the Ransomware-as-a-service practice, relying on compromised or privileged credentials and weaknesses in code to launch their attacks. This is the first ransomware with its code completely written in the Rust programming language, allegedly having in-built safety measures. The group is known to use methods enabling data encryption at alarming speeds, giving victims lesser chances of preventing extended damage. Its data leak site interestingly allows data search by victim name, passwords, and even confidential documents.

 

How dangerous is BlackCat Ransomware

While not all cyber attacks of the BlackCat group have come to light, the FBI released a warning in April 2022, declaring that the group was involved in successful attacks against 60 organizations in the previous month alone. The group has been observed targeting institutions regardless of sector — including healthcare, public health, government, and energy — across the US, Australia, Germany, and India, amongst others.

Exploits easily overlooked exposures: From our research into the BlackCat group’s arsenal, we observe that it has not shied away from using exposures that exist in many organizational networks, and are categorized as “low risk” most often.

  • Local Sockets: A socket, or to break it down - a combination of ports and IP addresses, was leveraged to execute multiple instances of the ransomware simultaneously, speeding up the encryption process.

  • Open Ports: Dynamic ports that are not commonly used, and are likely to be easily available. In one instance, the group is known to have established a server via the port to listen in on the machine’s activities.

  • Old Vulnerabilities: Old vulnerabilities (a 2016 CVE in Microsoft Windows) that organizations might not prioritize amidst the influx of more recent threats.

  • End-of-life software: Unpatched vulnerabilities in end-of-life software (a 2019 SQL injection flaw in SonicWall Secure Remote Access) to enter into vulnerable networks. With such devices not supported by their vendors anymore, these offer permanent attack vectors for attackers with malicious motives. 

APT Group/Threat Associations: Threat actors that favored ransomware groups like Ryuk or Revil are now deploying the BlackCat ransomware payload in their attacks. APT groups like DEV-0504, DEV-0237 and FIN12 have been observed using the payload. Researchers have also observed FIN7 intrusions right before BlackCat ransomware incidents, leading to believe that the threat actor could also be using the ransomware as a tool. 

Adopts the Triple Extortion Method: The BlackCat ransomware group has adopted the latest threat in the ransomware scene: the new and emerging triple extortion method. Attackers steal data first from the local machine and cloud servers and then execute the ransomware. Further, they introduce additional pressure on the victim via methods such as DDoS attacks or data leaks. The group is also known to put up extorted data for sale in dark web forums.

 

The BlackCat ransomware group was called out in CSW’s Q1 2022 Ransomware Index Report as one of the new additions to our ransomware database, along with a few of the above noteworthy trends. 

 

Recent BlackMatter/AlphaV attacks: Here is a look into some of the publicly disclosed attacks by BlackCat.     

Organization

Industry

Region

Timeline

Impact

Gestore dei Servizi Energetici SpA (GSE) Energy  Agency Italy September 2022 Dark web data leak site claims to have stolen roughly 700GB of files
Accelya Airline Technology - August 2022 Emails, worker contracts and more stolen
Automotive Supplier Automotive - August 2022 Three ransomware gang attacks within 2 weeks leading to data encryption and erase of traces
Creos Luxembourg S.A. Energy Europe July 2022 Customer portals of Encevo and Creos became unavailable

Bandai Namco

Gaming

Japan

July 2022

Not disclosed

Hydra-Electric

Aerospace sensor Maker

Burbank, California

Unknown

Not disclosed

Adler Display

Marketing & Advertising

Baltimore, Maryland

Unknown

Not disclosed

Sinclair Wilson

Accounting and wealth management services

Australia

Unknown

Not disclosed

Dusit D2 Kenz Hotel

Hospitality

Dubai

Unknown

Not disclosed

COUNT+CARE Gmbh 

Information technology and services 

Germany

Unknown

Not disclosed

Florida International University

Education

US

Unknown

Not disclosed

University of North Carolina A&T

Education

US

Unknown

Not disclosed

University of Pisa

Education

Italy

June 2022

Not disclosed

Federal state Carinthia

Government

Austria

May 2022

3000 systems taken offline; $5 million ransom demanded

Swissport

Aviation services

Switzerland

Feb 2022

1.6TB data extorted with a portion leaked

OilTanking GmbH and another oil company

Energy

Germany

Jan 2022

233 gas stations across Germany affected

Moncler Group

Fashion

Italy

Dec 2021 - Jan 2022

Temporary outage; data leak

Enterprise Resource Planning (ERP) services provider

Consumer

Middle East

Unknown

Not disclosed

Oil, gas, mining, and construction company

Energy

South America

Unknown

Not disclosed

 

How to detect BlackCat in your environment

Here are the indicators of compromise that can help you detect a BlackCat ransomware attack.

SHA256 Hashes: C2 IPs:

731adcf2d7fb61a8335e23dbee2436249e5d5753977ec465754c6b699e9bf161

f837f1cd60e9941aa60f7be50a8f2aaaac380f560db8ee001408f35c1b7a97cb

731adcf2d7fb61a8335e23dbee2436249e5d5753977ec465754c6b699e9bf161

80dd44226f60ba5403745ba9d18490eb8ca12dbc9be0a317dd2b692ec041da28

89.44.9.243

37.120.238.58

45.153.160.140

94.232.41.155

142.234.157.246

152.89.247.207

23.106.223.97

51.83.57.149

45.134.20.66

198.144.121.93

139.60.161.161

5.255.100.242

185.220.102.253

89.163.252.230

146.0.77.15

 

What can organizations do to prevent a BlackCat attack

The BlackCat ransomware group is soon becoming one of the favorite payloads of many threat actors. With this in mind, here are some measures organizations can adopt to stay safe from a ransomware attack. 

  • Patch the vulnerabilities used by the group, and ensure no unused ports/instances are left hanging.

  • Set up multi-factor authentication, implement session timeouts, and practice good password hygiene. 

  • Perform a regular Attack Surface Management scan to discover exposures in your assets, domain controllers, active directories, servers, and all cloud-connected deployments. 

  • Get your systems pentested to identify if vulnerable via unidentified exposures.

  • Regularly backup data in secure storage devices.

How can CSW’s Ransomware Assessment help

CSW has been researching ransomware groups and the methods they use to invade networks since 2019. Our comprehensive database of 310 vulnerabilities (and counting) used by ransomware groups is the most extensive compilation in the industry today. CSW’s expertise in ransomware research translates into the Ransomware Assessment service that can help organizations understand:

  • How exposed you are to ransomware

  • Your known and unknown internet exposures

  • Critical exposures and what you should fix first

 

Sign up for CSW’s Ransomware Assessment today. Ensure you are not the next victim on a dark leak site.

 

Never miss a patch or an update with CSW’s Patch Watch Newsletter. Subscribe now!

csw

Secure your environment from cyber-attacks!

Know How

incognito