All About BlackCat (AlphaV) Ransomware
Securin. Published 2022-09-06, last modified 2023-04-20.
Source: https://webdev.securin.xyz/?p=7232

Did you know that the BlackCat ransomware group breached 60+ organizations in a single month?

Healthcare, public health, government, or energy—the group has stopped at nothing, and has made ransom demands ranging from $400,000 to $3 million USD. Our research shows that the BlackCat group exploits vulnerabilities in Windows operating systems and servers, Exchange servers, and Secure Mobile Access products. Read on to learn how Securin can help you ward off such attacks.

BlackCat, also known as AlphaV, ALPHV, AlphaVM, ALPHV-ng, or Noberus, is a ransomware group that garnered the tag “Most Sophisticated Ransomware of 2021” within two months of its public footprint. First spotted in November 2021, the BlackCat group has steadily made its way to the top of the charts. Researchers have also suggested that the group might have strong connections with the REvil, DarkSide, BlackMatter, and Conti groups.

Recent Updates

The BlackCat group has been constantly adding victims to its dark web leak site. Read more about BlackCat ransomware attacks.

BlackCat: A Cheat Sheet

1. BlackCat has the means to exploit five vulnerabilities: CVE-2016-0099, CVE-2019-7481, CVE-2021-31207, CVE-2021-34473, and CVE-2021-34523.
2. Interestingly, three of these vulnerabilities are rated high severity. Although not in the critical severity category, they need to take precedence in the patching process owing to the associated threat context.
3. CVE-2021-31207, CVE-2021-34473, and CVE-2021-34523 are the ProxyShell vulnerabilities, known for their dangerous use in vulnerability chaining attacks, and have multiple threat actor associations.
4. CVE-2016-0099 is a six-year-old privilege escalation vulnerability in older versions of Microsoft Windows, which are still widely used.
5. CVE-2019-7481 is an SQL injection vulnerability in SonicWall Secure Remote Access devices that have reached their end of life. With no active support from the vendor, this vulnerability needs extra attention or a complete version overhaul.
6. The ransomware is deployed by the APT groups FIN7, FIN12, DEV-0504, and DEV-0237 to intensify their attacks.

How Does BlackCat Attack?

Below, we outline the group’s attack tactics and techniques, mapped to MITRE ATT&CK.

Reconnaissance (TA0043)
- T1595: Active Scanning
- T1589.001: Gather Victim Identity Information: Credentials

Initial Access (TA0001)
- T1078: Valid Accounts
  - Leverages compromised credentials to enter networks
- T1190: Exploit Public-Facing Application
  - Exploits unpatched Microsoft Exchange Servers (ProxyShell CVEs)

Persistence (TA0003)
- T1098: Account Manipulation
  - Creates new users and adds them to the local administrators group

Privilege Escalation (TA0004)
- T1548.002: Abuse Elevation Control Mechanism: Bypass User Account Control
  - Uses built-in privilege escalation (UAC bypass, Masquerade_PEB, CVE-2016-0099)

Defense Evasion (TA0005)
- T1564: Hide Artifacts
  - Employs evasive tactics such as masking a tampered DLL to make it seem legitimate

Credential Access (TA0006)
- T1003.001: OS Credential Dumping: LSASS Memory; T1003.004: OS Credential Dumping: LSA Secrets
  - Creates a dump file of the LSASS process to steal credentials, via malware or Task Manager

Discovery (TA0007)
- T1082: System Information Discovery; T1135: Network Share Discovery
  - Executes cmd.exe and net.exe to collect system and network information
- T1018: Remote System Discovery
  - Uses WMIC and mounts network shares to enumerate remote systems
- T1087.002: Account Discovery: Domain Account; T1482: Domain Trust Discovery
  - Uses ADFind (S0552) and ADRecon to gather Active Directory environment information
- T1057: Process Discovery; T1083: File and Directory Discovery

Lateral Movement (TA0008)
- T1563.002: Remote Service Session Hijacking: RDP Hijacking
  - Utilizes the remote desktop client to sign in to target devices
- T1570: Lateral Tool Transfer
  - Uses SMB to copy and launch the Total Deployment Software administrative tool, allowing remote automated software deployment

Collection (TA0009)
- T1005: Data from Local System
  - To steal intellectual property, attackers target and collect data from SQL databases

Command and Control (TA0011)
- T1090.003: Multi-hop Proxy
  - Disguises the source of malicious traffic by chaining together multiple proxies

Exfiltration (TA0010)
- T1567.002: Exfiltration Over Web Service: Exfiltration to Cloud Storage
  - Uses both MEGAsync and Rclone, renamed to look like legitimate Windows processes (for example, winlogon.exe, mstsc.exe), to exfiltrate sensitive data

Impact (TA0040)
- T1486: Data Encrypted for Impact
  - Uses PsExec to distribute the ransomware and encrypt files
  - Employs the double extortion technique
- T1489: Service Stop; T1490: Inhibit System Recovery
  - Stops operational services and obstructs recovery attempts

The Ransom Tactic

The BlackCat group demands ransom payments in Monero or Bitcoin (the latter for an additional fee). Ransom demands ranging from $400,000 to $3 million USD are typical of the group. Interestingly, the ransom notes are customized for every victim, sometimes with a unique data leak site, ensuring complete privacy for negotiations. In addition, the gang’s payment site is gated by an access key, ensuring negotiation sites cannot be accessed even in the event of a ransomware code leak.

Interesting Features

The backbone of the ransomware group is a set of highly customizable features that allow for sophisticated attacks across a range of environments.

- Use of the Rust programming language, a new trend that is picking up in threat circles, brings additional stability and integration possibilities.
- The malware is entirely command-line driven and human-operated, introducing a high degree of configurability.
- The ransomware is capable of using four different encryption methods on victim data.
- The code is built for cross-platform deployment, with support for Linux and Windows operating systems and VMware’s ESXi environment.

How Dangerous is BlackCat Ransomware?

BlackCat is yet another affiliate of the Ransomware-as-a-Service (RaaS) practice, relying on compromised or privileged credentials and weaknesses in code to launch its attacks. It is the first ransomware with its code written entirely in the Rust programming language, allegedly with built-in safety measures. The group is known to use methods enabling data encryption at alarming speeds, giving victims fewer chances of preventing extended damage. Its data leak site allows searches by the victim’s name, passwords, and even confidential documents.

While not all cyberattacks of the BlackCat group have come to light, the FBI released a warning in April 2022 declaring that the group was involved in successful attacks against 60 organizations in the previous month. The group has been observed targeting institutions regardless of sector—including healthcare, public health, government, and energy—across the US, Australia, Germany, and India.

Exploits Overlooked Exposures: From our research into the BlackCat group’s arsenal, we observe that it has not shied away from using exposures present in many organizational networks that are typically categorized as “low risk” vulnerabilities.

- Local sockets: A socket, or a combination of port and IP address, was leveraged to execute multiple instances of the ransomware simultaneously, speeding up the encryption process.
- Open ports: Dynamic ports that are not commonly used, and are therefore likely to be available, are targets. In one instance, the group is known to have established a server on such a port to listen in on the machine’s activities.
- Old vulnerabilities: The group targets old vulnerabilities (a 2016 CVE in Microsoft Windows) that organizations might not prioritize amidst the influx of more recent threats.
- End-of-life software: BlackCat uses unpatched vulnerabilities in end-of-life software (a 2019 SQL injection flaw in SonicWall Secure Remote Access) to enter vulnerable networks. Devices that are no longer supported by their vendors offer permanent attack vectors for attackers with malicious motives.

Has APT Group/Threat Associations: Threat actors that favor ransomware groups like Ryuk or REvil are now deploying the BlackCat ransomware payload in their attacks. APT groups like DEV-0504, DEV-0237, and FIN12 have been observed using the payload. Researchers have also observed FIN7 intrusions right before BlackCat ransomware incidents, leading us to believe that this threat actor could also be using the ransomware as a tool.

Adopts the Triple Extortion Method: The BlackCat ransomware group has adopted the latest threat in the ransomware scene: the new and emerging triple extortion method. Attackers steal data from local machines and cloud servers and then execute the ransomware. Then, they put additional pressure on the victim via DDoS attacks or data leaks. The group is also known to put extorted data up for sale on dark web forums.

The BlackCat ransomware group was called out in Securin’s Q1 2022 Ransomware Index Report as one of the new additions to our ransomware database, along with some noteworthy trends.

Recent BlackMatter/AlphaV attacks: Here is a look at some of the publicly disclosed attacks by BlackCat.

| Organization | Industry | Region | Timeline | Impact |
|---|---|---|---|---|
| Gestore dei Servizi Energetici SpA (GSE) | Energy | Italy | September 2022 | Dark web data leak site claims to have stolen roughly 700 GB of files |
| Accelya | Airline Technology | – | August 2022 | Emails, worker contracts, and other data stolen |
| Automotive supplier | Automotive | – | August 2022 | Three ransomware gang attacks within 2 weeks, leading to data encryption and erasure of traces |
| Creos Luxembourg S.A. | Energy | Europe | July 2022 | Customer portals of Encevo and Creos became unavailable |
| Bandai Namco | Gaming | Japan | | Not disclosed |
| Hydra-Electric | Aerospace Sensor Manufacturing | Burbank, California | | Not disclosed |
| Adler Display | Marketing & Advertising | Baltimore, Maryland | | Not disclosed |
| Sinclair Wilson | Accounting & Wealth Management | Australia | | Not disclosed |
| dusitD2 Kenz Hotel | Hospitality | Dubai | | Not disclosed |
| COUNT+CARE GmbH | Information Technology | Germany | | Not disclosed |
| Florida International University | Education | US | | Not disclosed |
| University of North Carolina A&T | Education | US | | Not disclosed |
| University of Pisa | Education | Italy | | Not disclosed |
| Federal State of Carinthia | Government | Austria | | 3000 systems taken offline; $5 million ransom demanded |
| Swissport | Aviation | Switzerland | | 1.6 TB of data extorted, with a portion leaked |
| Oiltanking GmbH and another oil company | Energy | Germany | | 233 gas stations across Germany affected |
| Moncler Group | Fashion | Italy | | Temporary outage; data leak |
| Enterprise Resource Planning (ERP) services provider | Consumer | Middle East | | Not disclosed |
| Oil, gas, mining, and construction company | Energy | South America | | Not disclosed |

How to Detect BlackCat in Your Environment

Here are the indicators of compromise that can help you detect a BlackCat ransomware attack.

SHA256 Hashes:
- 731adcf2d7fb61a8335e23dbee2436249e5d5753977ec465754c6b699e9bf161
- f837f1cd60e9941aa60f7be50a8f2aaaac380f560db8ee001408f35c1b7a97cb
- 80dd44226f60ba5403745ba9d18490eb8ca12dbc9be0a317dd2b692ec041da28

C2 IPs:
- 89.44.9.243
- 37.120.238.58
- 45.153.160.140
- 94.232.41.155
- 142.234.157.246
- 152.89.247.207
- 23.106.223.97
- 51.83.57.149
- 45.134.20.66
- 198.144.121.93
- 139.60.161.161
- 5.255.100.242
- 185.220.102.253
- 89.163.252.230
- 146.0.77.15

What Can Organizations Do to Prevent a BlackCat Attack?

The BlackCat ransomware group is fast becoming one of the favorite payloads of many threat actors. With this in mind, here are some measures that organizations can adopt to stay safe from a ransomware attack.

- Patch the vulnerabilities used by the group, and ensure no unused ports or instances are left exposed.
- Set up multi-factor authentication, implement session timeouts, and practice good password hygiene.
- Perform regular Attack Surface Management scans to discover exposures in your assets, domain controllers, Active Directory, servers, and all cloud-connected deployments.
- Perform penetration tests on your systems to identify whether they are vulnerable via unidentified exposures.
- Regularly back up data to secure storage devices.

How Can Securin’s Ransomware Assessment Help?