Huseyin Can YUCEEL | 1 MIN READ

LAST UPDATED ON OCTOBER 17, 2025

BlackCat Ransomware Gang

By Huseyin Can YUCEEL & Picus Labs   August 22, 2022   Ransomware

BlackCat, also known as ALPHV, rose quickly in prominence because it is written in Rust, a language that supports reliable cross-platform development and complicates traditional malware analysis. By leveraging Rust, operators can compile flexible builds that run on Windows, Linux, and VMware ESXi, which broadens impact across mixed enterprise environments. Security tools tuned primarily for C or C++ malware families often need additional work to inspect Rust binaries, and this gap has helped BlackCat affiliates evade some detections. The operation runs as a Ransomware-as-a-Service (RaaS) program and uses double extortion, combining data theft with encryption to pressure victims into payment and to speed negotiations.

Adoption accelerated after the decline of large crews such as Conti and REvil, with experienced affiliates and groups including FIN12 and DEV-0504 pivoting to BlackCat for its speed, tooling, and support. Initial access commonly comes from phishing, valid credentials purchased from initial access brokers, or exploitation of internet-facing services and edge devices. Once inside, operators map the environment, escalate privileges, and move laterally using living-off-the-land techniques and common admin tools. BlackCat variants include support for targeting virtual infrastructure, disabling security agents, and removing backups or shadow copies to hinder recovery. Affiliates stage and exfiltrate sensitive data to hosted leak sites before encryption, then launch fast, multi-threaded encryptors that can be customized per victim.

Organizations can reduce risk by enforcing multifactor authentication for remote and privileged access, rapidly patching exposed services, hardening and monitoring hypervisors and virtualization management interfaces, and segmenting critical systems so an intrusion cannot move freely. Maintain tested offline backups, watch for unusual data movement and new archive creation, and collect command line and process telemetry to detect lateral movement, credential access, and mass encryption behaviors. Continuous validation against real attacker techniques helps confirm that controls can detect and contain BlackCat activity before it reaches data theft and widespread encryption.
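As an added illustration of the telemetry-driven detection this paragraph recommends (example code written for this page, not Picus tooling or anything from the BlackCat profile), the Python below runs four rules over constructed process-creation and file-write events: shadow-copy deletion through vssadmin or WMIC, PsExec-style remote service execution, credential-access tooling identified by command-line syntax rather than by file name, and mass file modification by a single process inside a sliding time window. The event schema, hostnames, paths, patterns and thresholds are all assumptions; a deployment would map them onto its own EDR or Sysmon fields and tune the window and threshold against baseline activity.

```python
# Added example for this page (not Picus or BlackCat code): detection rules over
# constructed telemetry. All event fields, patterns and thresholds are assumptions.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real captures. "process" records imitate
# process-creation telemetry; "file" records imitate file-write telemetry.
PROCESS_EVENTS = [
    {"ts": "2022-08-22T10:00:01", "type": "process", "host": "srv01", "parent": "services.exe",
     "image": "C:\\Windows\\PSEXESVC.exe", "cmdline": "PSEXESVC.exe"},
    {"ts": "2022-08-22T10:00:05", "type": "process", "host": "srv01", "parent": "cmd.exe",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2022-08-22T10:00:06", "type": "process", "host": "srv01", "parent": "cmd.exe",
     "image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "cmdline": "wmic shadowcopy delete"},
    # Renamed credential-dumping binary: the file name is bland, the module syntax is not.
    {"ts": "2022-08-22T10:01:00", "type": "process", "host": "ws07", "parent": "powershell.exe",
     "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\mk.exe",
     "cmdline": "mk.exe sekurlsa::logonpasswords"},
    {"ts": "2022-08-22T10:02:00", "type": "process", "host": "ws07", "parent": "explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe notes.txt"},
]
# One process rewriting 40 files with a new extension inside ten seconds, next to a
# backup job that touches only five files and must not trigger the rate rule.
FILE_EVENTS = [
    {"ts": f"2022-08-22T10:03:{i // 4:02d}", "type": "file", "host": "ws07",
     "process": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\locker.exe",
     "path": f"C:\\Share\\doc{i}.docx.q2x4k"}
    for i in range(40)
] + [
    {"ts": f"2022-08-22T10:05:{i:02d}", "type": "file", "host": "srv01",
     "process": "C:\\Program Files\\Backup\\backup.exe", "path": f"D:\\Backup\\set{i}.bak"}
    for i in range(5)
]
SAMPLE_EVENTS = PROCESS_EVENTS + FILE_EVENTS

# Inhibit System Recovery (T1490): shadow-copy removal on the command line.
SHADOW_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
]
# Credential access: tool names plus the module::command syntax that survives a rename.
CRED_PATTERNS = [
    re.compile(r"mimikatz|lazagne", re.I),
    re.compile(r"\b(sekurlsa|lsadump)::\w+", re.I),
]

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def rule_shadow_copy_deletion(evt):
    return evt["type"] == "process" and any(p.search(evt["cmdline"]) for p in SHADOW_PATTERNS)

def rule_remote_service_execution(evt):
    # PsExec installs and starts a service binary named PSEXESVC.exe on the target host.
    return evt["type"] == "process" and _basename(evt["image"]) == "psexesvc.exe"

def rule_credential_tooling(evt):
    if evt["type"] != "process":
        return False
    return any(p.search(evt["image"] + " " + evt["cmdline"]) for p in CRED_PATTERNS)

def mass_file_writes(events, threshold=30, window=timedelta(seconds=60)):
    """Return (host, process, peak) for each process that wrote at least `threshold`
    files inside some `window`-long span; a sliding window over sorted timestamps."""
    by_proc = defaultdict(list)
    for e in events:
        if e["type"] == "file":
            by_proc[(e["host"], e["process"])].append(datetime.fromisoformat(e["ts"]))
    hits = []
    for (host, proc), times in by_proc.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits.append((host, proc, peak))
    return hits

def run_detections(events):
    """Apply every rule and return one alert dict per (rule, match)."""
    per_event_rules = [
        ("shadow_copy_deletion", rule_shadow_copy_deletion),
        ("remote_service_execution", rule_remote_service_execution),
        ("credential_access_tooling", rule_credential_tooling),
    ]
    alerts = [{"rule": name, "host": e["host"], "ts": e["ts"], "detail": e["cmdline"]}
              for e in events for name, rule in per_event_rules if rule(e)]
    for host, proc, n in mass_file_writes(events):
        alerts.append({"rule": "mass_file_modification", "host": host, "ts": None,
                       "detail": f"{proc} wrote {n} files inside one 60 s window"})
    return alerts

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert["rule"], alert["host"], alert["detail"])
```

Running the module prints one line per alert. The two cases worth noting are the renamed credential-dumping binary, which a file-name signature misses but the module syntax catches, and the rate-based rule, which fires on the encryptor's burst of writes while staying quiet for the low-volume backup job.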

Metadata

Associated Groups
  • Aliases: ALPHV, Noberus
  • Successor: BlackMatter and REvil

Associated Country: Russia

First Seen: November 2021

Target Sectors: Aviation, Construction, Education, Energy, Entertainment, Fashion, Financial Services, Government, Hospitality, Information Technology, Transportation

Target Countries: United States, Australia, Canada, China, France, Germany, India, Italy, Japan, Romania, Spain, Taiwan, United Kingdom

Modus Operandi

Business Models
  • Ransomware-as-a-Service (RaaS)
  • Triple Extortion
  • Initial Access Brokers (IABs)
  • Cooperation with other groups (e.g., Egregor, Maze, GandCrab, REvil, BlackMatter, DarkSide)

Extortion Tactics
  • File Encryption

Initial Access Methods
  • Exploit Public-Facing Application
  • External Remote Services
  • Valid Account

Impact Methods
  • Data Encryption
  • Data Exfiltration

Exploited Applications and Vulnerabilities by BlackCat

Application: Fortinet FortiGate SSL VPN
Vulnerability: Path Traversal
CVE: CVE-2018-13379
CVSS: 9.8 (Critical)

Utilized Tools and Malware by BlackCat

MITRE ATT&CK Tactic: Tools
  • Execution: Cobalt Strike, PowerShell, PowerShell Empire, PsExec, Windows Task Scheduler
  • Persistence: Windows Task Scheduler
  • Credential Access: LaZagne, Mimikatz
  • Lateral Movement: PsExec
  • Command and Control: Cobalt Strike, Koadic
  • Exfiltration: ExMatter (Fendr) malware
  • Impact: BlackCat Locker malware, Vssadmin
