Did you know that the BlackCat ransomware group breached 60+ organizations in a single month?

Healthcare, public health, government, or energy—the group has stopped at nothing, and has made ransom demands ranging from $400,000 to $3 million USD. Our research shows that the BlackCat group exploits vulnerabilities in Windows operating systems and servers, exchange servers, and Secure Mobile Access products. Read on to learn how Securin can help you ward off such attacks.

BlackCat, also known as AlphaV, ALPHV, AlphaVM, ALPHV-ng, or Noberus, is a ransomware group that garnered the tag “Most Sophisticated Ransomware of 2021” within two months of its public footprint. Since being first spotted in November 2021, the BlackCat group has slowly made its way to the top of the charts. Researchers have also suggested that the group might have strong connections with REvil, DarkSide, BlackMatter, and Conti groups.

Recent Updates

The BlackCat group has been constantly adding victims to its dark leak site.

BlackCat: A Cheat Sheet

  1. BlackCat has the methods to exploit five vulnerabilities – CVE-2016-0099, CVE-2019-7481, CVE-2021-31207, CVE-2021-34473, and CVE-2021-34523.

  2. Interestingly, three vulnerabilities are of high severity. Although not of the critical severity category, they need to take precedence in the patching process owing to the associated threat context.

  3. CVE-2021-31207, CVE-2021-34473, and CVE-2021-34523 are ProxyShell vulnerabilities known for their dangerous exploitation in vulnerability chaining attacks and have multiple threat actor associations.

  4. CVE-2016-0099 is a six-year-old privilege escalation vulnerability in older versions of Microsoft Windows, which are still widely used.

  5. CVE-2019-7481 is an SQL injection vulnerability in SonicWall Secure Remote Access devices that have reached their end of life. With no active support from the vendor, this vulnerability needs extra attention or a complete version overhaul.

  6. The ransomware is deployed by APT groups: FIN7, FIN12, DEV-0504, and DEV-0237, to intensify their attacks.

How Does BlackCat Attack?

Below, we outline the group’s attack techniques and tactics.

Reconnaissance: TA0043

  • T1595: Active Scanning

  • T1589.001: Gather Victim Identity Information (Credentials)

Initial Access: TA0001

  • T1078: Valid Accounts

    • Leverages compromised credentials to enter networks

  • T1190: Exploit Public-Facing Application

    • Exploits unpatched Microsoft Exchange Servers (ProxyShell CVEs)

Persistence: TA0003

  • T1098: Account Manipulation

    • Creates new users and adds them to the local administrator group

Privilege Escalation: TA0004

  • TA1548.002: Abuse Elevation Control Mechanism: Bypass User Account Control

    • Uses built-in privilege escalation (UAC bypass, Masquerade_PEB, CVE-2016-0099)

Defense Evasion: TA0005

  • T1564: Hide Artifacts

    • Employs evasive tactics such as masking a tampered DLL to make it seem legitimate

Credential Access: TA0006

  • T1003.001: OS Credential Dumping: LSASS Memory, T1003.004: OS Credential Dumping: LSA Secrets

    • Creates dump file of LSASS process to steal credentials via malware or task manager

Discovery: TA0007

  • T1082: System Information Discovery, T1135: Network Share Discovery

    • Executes cmd.exe and net.exe to collect system and network information

  • T1018: Remote System Discovery

    • Uses WMIC and mounting network shares to enumerate remote systems

  • T1087.002: Account Discovery: Domain Account, T1487: Domain Trust Discovery

    • Uses ADFind (S0552) and ADRecon to gather Active Directory environment information

  • T1057: Process Discovery, T1083: File & Directory Discovery

Lateral Movement: TA0008

  • T1563.002: Remote Service Hijacking: RDP Hijacking

    • Utilizes remote desktop client to sign into target devices

  • T1570: Lateral Tool Transfer

    • Uses SMB to copy and launch the Total Deployment Software administrative tool, allowing remote automated software deployment

Collection: TA0009

  • T1005: Data from Local System

    • To steal intellectual property, attackers target and collect data from SQL databases

Command & Control: TA0011

  • T1090.003: Multi-hop Proxy

    • Disguises the source of malicious traffic by chaining together multiple proxies

Exfiltration: TA0010

  • T1567.002: Exfiltration Over Web Service: Exfiltration to Cloud Storage

    • Uses both MEGAsync and Rclone, which were renamed as legitimate Windows processes (for example, winlogon.exe, mstsc.exe) to exfiltrate sensitive data

Impact: TA0040

  • T1486: Data Encrypted for Impact

    • Uses PSExec to distribute ransomware and encrypt files

    • Employs the Double Extortion technique

  • T1489: Service Stop, T1490: Inhibit System Recovery

    • Stops operational services and obstructs recovery attempts

The Ransom Tactic

The BlackCat group demands ransom payments in Monero or Bitcoins (for an additional fee). Ransom demands ranging from $400,000 to $3 million USD are typical of the group. Interestingly, the ransom notes used are customized for every victim, sometimes with a unique data leak site, ensuring complete privacy for negotiations. In addition, the gang’s payment site is controlled by an access key, ensuring negotiation sites cannot be accessed even in the event of a ransomware code leak.

Interesting Features

The backbone of the ransomware group is a set of highly-customizable features that allow for sophisticated attacks across a range of environments.

  • Usage of the Rust framework, a new trend that is picking up in the threat circle, brings additional stability and integration possibilities.

  • The malware code is entirely command-line driven and human-operated, introducing a high degree of configurability.

  • Ransomware is capable of using four different encryption methods on victim data.

  • The code is built for cross-platform deployment, with support for Linux and Windows operating systems, and VMWare’s ESXi environment.

BlackCat is yet another affiliate of the Ransomware-as-a-Service (RaaS) practice, relying on compromised or privileged credentials and weaknesses in code to launch their attacks. This is the first ransomware with its code completely written in the Rust programming language, allegedly having in-built safety measures. The group is known to use methods enabling data encryption at alarming speeds, giving victims lesser chances of preventing extended damage. Its data leak site allows data searches by the victim’s name, passwords, and even confidential documents.

How Dangerous is BlackCat Ransomware?

While not all cyberattacks of the BlackCat group have come to light, the FBI released a warning in April 2022, declaring that the group was involved in successful attacks against 60 organizations in the previous month. The group has been observed targeting institutions regardless of sector—including healthcare, public health, government, and energy—across the US, Australia, Germany, and India.

Exploits Overlooked Exposures: From our research into the BlackCat group’s arsenal, we observe that it has not shied away from using exposures in many organizational networks, which are typically categorized as “low risk” vulnerabilities.

  • Local sockets: A socket, or a combination of ports and IP addresses, was leveraged to execute multiple instances of the ransomware simultaneously, speeding up the encryption process.

  • Open ports: Dynamic ports that are not commonly used, and are likely to be easily available, are targets. In one instance, the group is known to have established a server via the port to listen in on the machine’s activities.

  • Old vulnerabilities: The group targets old vulnerabilities (a 2016 CVE in Microsoft Windows) that organizations might not prioritize amidst the influx of more recent threats.

  • End-of-life software: BlackCat uses unpatched vulnerabilities in end-of-life software (a 2019 SQL injection flaw in SonicWall Secure Remote Access) to enter into vulnerable networks. Devices that are no longer supported by their vendors offer permanent attack vectors for hackers with malicious motives.

Has APT Group/Threat Associations: Threat actors that favor ransomware groups like Ryuk or REvil are now deploying the BlackCat ransomware payload in their attacks. APT groups like DEV-0504, DEV-0237, and FIN12 have been observed using the payload. Researchers have also observed FIN7 intrusions right before BlackCat ransomware incidents, leading us to believe that the threat actor could also be using the ransomware as a tool.

Adopts the Triple Extortion Method: The BlackCat ransomware group has adopted the latest threat in the ransomware scene: the new and emerging triple extortion method. Attackers steal data from the local machine and cloud servers and then execute ransomware. Then, they introduce additional pressure on the victim via DDoS attacks or data leaks. The group is also known to put up extorted data for sale in dark web forums.

The BlackCat ransomware group was called out in Securin’s Q1 2022 Ransomware Index Report as one of the new additions to our ransomware database, along with some noteworthy trends.

Recent BlackMatter/AlphaV attacks: Here is a look into some of the publicly disclosed attacks by BlackCat.

Organization

Industry

Region

Timeline

Impact

Gestore dei Servizi Energetici SpA (GSE) Energy Italy September 2022 Dark web data leak site claims to have stolen roughly 700GB of files
Accelya Airline Technology August 2022 Emails, worker contracts, and other data stolen
Automotive supplier Automotive August 2022 Three ransomware gang attacks within 2 weeks leading to data encryption and erasure of traces
Creos Luxembourg S.A. Energy Europe July 2022 Customer portals of Encevo and Creos became unavailable

Bandai Namco

Gaming

Japan

July 2022

Not disclosed

Hydra-Electric

Aerospace Sensor Manufacturing

Burbank, California

Unknown

Not disclosed

Adler Display

Marketing & Advertising

Baltimore, Maryland

Unknown

Not disclosed

Sinclair Wilson

Accounting & Wealth Management

Australia

Unknown

Not disclosed

dusitD2 Kenz Hotel

Hospitality

Dubai

Unknown

Not disclosed

COUNT+CARE Gmbh

Information Technology

Germany

Unknown

Not disclosed

Florida International University

Education

US

Unknown

Not disclosed

University of North Carolina A&T

Education

US

Unknown

Not disclosed

University of Pisa

Education

Italy

June 2022

Not disclosed

Federal State of  Carinthia

Government

Austria

May 2022

3000 systems taken offline; $5 million ransom demanded

Swissport

Aviation

Switzerland

Feb 2022

1.6TB data extorted with a portion leaked

Oiltanking GmbH and another oil company

Energy

Germany

Jan 2022

233 gas stations across Germany affected

Moncler Group

Fashion

Italy

Dec 2021 – Jan 2022

Temporary outage; data leak

Enterprise Resource Planning (ERP) services provider

Consumer

Middle East

Unknown

Not disclosed

Oil, gas, mining, and construction company

Energy

South America

Unknown

Not disclosed

 

How to Detect BlackCat in Your Environment

Here are the indicators of compromise that can help you detect a BlackCat ransomware attack.

SHA256 Hashes: C2 IPs:

731adcf2d7fb61a8335e23dbee2436249e5d5753977ec465754c6b699e9bf161

f837f1cd60e9941aa60f7be50a8f2aaaac380f560db8ee001408f35c1b7a97cb

731adcf2d7fb61a8335e23dbee2436249e5d5753977ec465754c6b699e9bf161

80dd44226f60ba5403745ba9d18490eb8ca12dbc9be0a317dd2b692ec041da28

89.44.9.243

37.120.238.58

45.153.160.140

94.232.41.155

142.234.157.246

152.89.247.207

23.106.223.97

51.83.57.149

45.134.20.66

198.144.121.93

139.60.161.161

5.255.100.242

185.220.102.253

89.163.252.230

146.0.77.15

 

What Can Organizations Do to Prevent a BlackCat Attack?

The BlackCat ransomware group is soon becoming one of the favorite payloads of many threat actors. With this in mind, here are some measures that organizations can adopt to stay safe from a ransomware attack.

  • Patch the vulnerabilities used by the group, and ensure no unused ports/instances are left hanging.

  • Set up multi-factor authentication, implement session timeouts, and practice good password hygiene.

  • Perform a regular Attack Surface Management scan to discover exposures in your assets, domain controllers, active directories, servers, and all cloud-connected deployments.

  • Perform a penetration test on your systems to identify if they are vulnerable via unidentified exposures.

  • Regularly back up data in secure storage devices.

How Can Securin’s Ransomware Assessment Help?

Securin has been researching ransomware groups and the methods they use to invade networks since 2019. Our comprehensive database of more than 310 vulnerabilities (and counting) used by ransomware groups is the most extensive compilation in the industry today. Securin’s expertise in ransomware research translates into our Ransomware Assessment service that can help organizations understand the following facets of their cybersecurity environment:

  • Exposure to ransomware

  • Known and unknown internet exposures

  • Critical exposures and what needs to be fixed first

 

Sign up for Securin’s ransomware assessment today. Ensure you are not the next victim on a dark leak site.

 

Share This Post On