BlackCat Ransomware Gang

By Huseyin Can YUCEEL & Picus Labs | August 22, 2022 | Ransomware

BlackCat ransomware gained its popularity due to its unusual use of the Rust programming language. Writing the locker in Rust allowed BlackCat to target multiple operating systems and to evade detection, since security controls at the time were not accustomed to analyzing malware written in Rust. BlackCat, also known as ALPHV, operates under the Ransomware-as-a-Service (RaaS) model and uses the double extortion method. Many threat actors, such as FIN12 and DEV-0504, started using BlackCat in their ransomware attacks after the Conti and REvil RaaS groups shut down.

Metadata

Associated Groups
- Aliases: ALPHV, Noberus
- Successor to: BlackMatter and REvil

Associated Country
- Russia

First Seen
- November 2021

Target Sectors
- Aviation, Construction, Education, Energy, Entertainment, Fashion, Financial Services, Government, Hospitality, Information Technology, Transportation

Target Countries
- United States, Australia, Canada, China, France, Germany, India, Italy, Japan, Romania, Spain, Taiwan, United Kingdom

Modus Operandi

Business Models
- Ransomware-as-a-Service (RaaS)
- Triple Extortion
- Initial Access Brokers (IABs)
- Cooperation with other groups (e.g., Egregor, Maze, GandCrab, REvil, BlackMatter, DarkSide)

Extortion Tactics
- File Encryption

Initial Access Methods
- Exploit Public-Facing Application
- External Remote Services
- Valid Accounts

Impact Methods
- Data Encryption
- Data Exfiltration

Exploited Applications and Vulnerabilities by BlackCat

| Application                | Vulnerability  | CVE            | CVSS         |
|----------------------------|----------------|----------------|--------------|
| Fortinet FortiGate SSL VPN | Path Traversal | CVE-2018-13379 | 9.8 Critical |

Utilized Tools and Malware by BlackCat

| MITRE ATT&CK Tactic | Tools                                                                                          |
|---------------------|------------------------------------------------------------------------------------------------|
| Execution           | Cobalt Strike [1], PowerShell [2], PowerShell Empire [3], PSExec [4], Windows Task Scheduler [5] |
| Persistence         | Windows Task Scheduler [5]                                                                     |
| Credential Access   | LaZagne [6], Mimikatz [7]                                                                      |
| Lateral Movement    | PSExec [4]                                                                                     |
| Command and Control | Cobalt Strike [1], Koadic [8]                                                                  |
| Exfiltration        | ExMatter (Fendr) malware [9]                                                                   |
| Impact              | BlackCat Locker malware [10], Vssadmin [11]                                                    |

References

[1] K. Arhart, “Cobalt Strike,” Cobalt Strike Research and Development, Aug. 19, 2021. https://www.cobaltstrike.com/ (accessed Jul. 06, 2022).

[2] S. Özarslan, “MITRE ATT&CK T1086 PowerShell.” https://www.picussecurity.com/resource/blog/picus-10-critical-mitre-attck-techniques-t1086-powershell (accessed Jul. 06, 2022).

[3] “GitHub - EmpireProject/Empire: Empire is a PowerShell and Python post-exploitation agent,” GitHub. https://github.com/EmpireProject/Empire (accessed Jul. 06, 2022).

[4] “PsExec - Windows Sysinternals.” https://docs.microsoft.com/en-us/sysinternals/downloads/psexec (accessed Jul. 06, 2022).

[5] S. Özarslan, “MITRE ATT&CK T1053 Scheduled Task.” https://www.picussecurity.com/resource/blog/picus-10-critical-mitre-attck-techniques-1053-scheduled-task (accessed Jul. 06, 2022).

[6] “GitHub - AlessandroZ/LaZagne: Credentials recovery project,” GitHub. https://github.com/AlessandroZ/LaZagne (accessed Jul. 06, 2022).

[7] “GitHub - gentilkiwi/mimikatz: A little tool to play with Windows security,” GitHub. https://github.com/gentilkiwi/mimikatz (accessed Jul. 06, 2022).

[8] “zerosum0x0-archive/archive,” GitHub. https://github.com/zerosum0x0-archive/archive (accessed Jul. 06, 2022).

[9] Fraunhofer FKIE, “ExMatter (Malware Family),” Malpedia. https://malpedia.caad.fkie.fraunhofer.de/details/win.exmatter (accessed Jul. 06, 2022).

[10] Fraunhofer FKIE, “BlackCat (Malware Family),” Malpedia. https://malpedia.caad.fkie.fraunhofer.de/details/win.blackcat (accessed Aug. 03, 2022).

[11] H. C. Yüceel, “MITRE ATT&CK T1490 Inhibit System Recovery - The Ransomware’s Favorite.” https://www.picussecurity.com/resource/mitre-attck-t1490-inhibit-system-recovery-the-ransomwares-favorite (accessed Jul. 06, 2022).
  • [11]     H. C. Yüceel, “MITRE ATT&CK T1490 Inhibit System Recovery - The Ransomware’s Favorite.” https://www.picussecurity.com/resource/mitre-attck-t1490-inhibit-system-recovery-the-ransomwares-favorite (accessed Jul. 06, 2022).