Ransomware Spotlight: BlackCat




BlackCat

By Trend Micro Research

Known for its unconventional methods and use of advanced extortion techniques, BlackCat has quickly risen to prominence in the cybercrime community. As this ransomware group forges its way to gain more clout, we examine its operations and discuss how organizations can shore up their defenses against it.

Ransomware Spotlight: BlackCat Infographic View infographic of "Ransomware Spotlight: BlackCat"

(Last update: September 15, 2023) First observed in mid-November 2021 by researchers from the MalwareHunterTeam, BlackCat (aka AlphaVM, AlphaV, or ALPHV) swiftly gained notoriety for being the first major professional ransomware family to be written in Rust, a cross-platform language that enables malicious actors to customize malware with ease for different operating systems like Windows and Linux, thus affording a wide range of enterprise environments.

Since then, BlackCat ransomware has frequently made the headlines for its successive attacks on high-profile targets and its use of triple extortion which has endowed the group with a distinct competitive edge over other RaaS operators. Aside from exposing exfiltrated data, ransomware actors that use triple extortion threaten to launch distributed denial-of-service (DDoS) attacks on their victims’ infrastructure to coerce them to pay the ransom.

According to the Federal Bureau of Investigation’s (FBI) advisory published on April 19, 2022, several developers and money launderers for BlackCat have links to two defunct ransomware-as-a-service (RaaS) groups – DarkSide and BlackMatter – suggesting that they have been leveraging established networks and extensive experience in the RaaS business.

Now that BlackCat is deemed as a significant threat, it is thus incumbent for organizations to familiarize themselves with the knowledge of the tactics, techniques, and procedures (TTPs) that the BlackCat gang employs. Reports published in late September 2022 noted the group’s use of an upgraded version of the ExMatter data exfiltration tool and of Eamfo, a malware designed to steal credentials stored by Veeam backup software, according to threat researchers. BlackCat ransomware’s constantly evolving malware arsenal, its growing affiliate base, and ties to underground networks enable it to acquire a larger stake in the RaaS marketplace.

What do organizations need to know about BlackCat?


Given BlackCat’s reputation for sophisticated and unorthodox methods, the following reasons account for its rising popularity and expanding foothold in the criminal underground:

  • BlackCat made its leak site public, thus making stolen information from its victims searchable and accessible. Leak sites have customarily been hosted on Tor sites that restrict the visibility of information to victims, threat researchers, and other cybercriminals. BlackCat’s public leak site makes stolen information accessible to everyone, thus exerting more pressure on victims to accede to the malicious actors’ demands.
  • It offers its affiliates more substantial payouts, reaching as much as 90% of the paid ransom. To rapidly grow one’s influence in a highly competitive field, researchers noted BlackCat’s aggressive efforts to recruit new affiliates, which is to give payouts much heftier than the usual serves, as a master stroke in this regard. In addition, threat researchers noted that the group has posted advertisements in underground forums like the Ransomware Anonymous Market Place (RAMP) and other Russian-speaking hacking forums to entice affiliates to join its network.
  • It uses a private access key token to limit the access of external parties to the group’s negotiation site. BlackCat operators provide the private access key tokens exclusively to the concerned parties, therefore only those with a copy of the ransom note paired with the same key used for the ransomware execution can enter the negotiation site.
  • Its method of incursion to the target organization varies according to the RaaS affiliate that deploys the ransomware payload. A Microsoft report said that researchers have observed BlackCat affiliates exploit different attack vectors that include Microsoft Exchange server vulnerabilities to access the target network, aside from the common entry points like remote desktop applications and stolen credentials. The report also mentioned that they have seen at least two known affiliates that have used BlackCat ransomware namely DEV-0237 – known for having deployed Ryuk, Conti, and Hive ransomware – and DEV-0504, which has also utilized Ryuk previously, and REvil, BlackMatter, and Conti ransomware.
  • Security researchers discovered BlackCat’s use of the Emotet botnet to deploy its ransomware payload. According to a report published on September 17, 2022, BlackCat was observed to have used the Emotet botnet malware — previously used by other notorious RaaS groups like Conti — as an initial entry point for its infection chain. The researchers further stated that the botnet was deployed to install a Cobalt Strike beacon on systems that had been breached as a second-stage payload to enable lateral movement. This development indicates BlackCat’s ability to pivot quickly, which shows it is capable of carrying out more pernicious attacks.

Since it first came out in 2021, BlackCat has victimized organizations from a variety of industries that include construction, retail, manufacturing, technology, and energy, to name a few.

A massive attack on German oil companies in 2022 signaled the group’s foray into big-game hunting. Handelsblatt, a German news publication, reported in February that 233 gasoline stations across northern Germany were hit by the ransomware incident. The supply chain attack put operations to a grinding halt and compelled the affected organizations to reroute the supplies to other depots.

BlackCat claimed the attack on an Italian energy agency that advocates for renewable energy sources in September 2022. Prior to this, BlackCat reportedly added an entry on its Tor leak site and asserted that it had exfiltrated roughly 700 gigabytes (GB) of the agency’s data.

A European government was one of the group’s high-profile targets in late May 2022. The group reportedly demanded US$5 million in ransom in exchange for software to decrypt the locked computer systems. The attack resulted in a massive disruption of government services as thousands of workstations were compromised.

BlackCat’s attacks have been detected in multiple locations globally, but organizations based in the US lead the victim count, followed by some in Europe and Asia-Pacific. The next sections discuss the types of industries and countries affected by BlackCat’s attacks in more detail.

In December 2022, the operators behind BlackCat ransomware used a Telegram account to advertise that their RaaS offering now includes a prepackaged Log4J Auto Exploiter. They claim that the tool can be used to propagate BlackCat laterally within the network.

In September 2023, the BlackCat group claimed responsibility for the incident that affected the operations of MGM Resorts International

Top affected countries and industries
according to Trend Micro data

This section cites Trend Micro™ Smart Protection Network™ (SPN) data on BlackCat’s attempts to compromise organizations. Note that these detections pertain only to Trend Micro customers and consist of only a fraction of the victims found in BlackCat’s leak site. Our detections show that organizations in the US received the greatest number of BlackCat ransomware attacks, comprising 39.3% of the total. Australia ranks far second, while the rest are dispersed across Europe and Asia-Pacific.

10 countries with the highest number of attack attempts in terms of infected machines for the BlackCat ransomware (November 1, 2021 to September 30, 2022)

Figure 1. 10 countries with the highest number of attack attempts in terms of infected machines for the BlackCat ransomware (November 1, 2021 to September 30, 2022)
Source: Trend Micro™ Smart Protection Network™ ™

The highest number of detections came from the manufacturing industry, with 176, or a quarter of the total.

10 industries with the highest number of attack attempts in terms of infected machines for the BlackCat ransomware (November 1, 2021 to September 30, 2022)

Figure 2. 10 industries with the highest number of attack attempts in terms of infected machines for the BlackCat ransomware (November 1, 2021 to September 30, 2022)
Source: Trend Micro™ Smart Protection Network™

Targeted regions and industries
according to BlackCat’s leak site

This section provides information on the attacks recorded on the BlackCat group’s leak site which represents successfully compromised organizations that have declined to pay ransom as of this writing. Trend Micro’s open-source intelligence (OSINT) research and its investigation of the site show that from December 1, 2021 to September 30, 2022, the group compromised a total of 173 organizations.

The distribution by region of BlackCat’s victim organizations from December 1, 2021 to September 30, 2022

Figure 3. The distribution by region of BlackCat’s victim organizations from December 1, 2021 to September 30, 2022
Sources: BlackCat’s leak site and Trend Micro’s OSINT research

Trend Micro’s product feedback on the top affected countries (shown on Figure 1) was consistent with data found in BlackCat’s leak site, which revealed that the group favored enterprises based in the US, with a victim count of 81 or 58.7% of the total. Also, organizations based in Europe and Asia- Pacific were among the most targeted by the group.

The distribution by country of BlackCat’s victim organizations from December 1, 2021 to September 30, 2022

Figure 4. The distribution by country of BlackCat’s victim organizations from December 1, 2021 to September 30, 2022
Sources: BlackCat’s leak site and Trend Micro’s OSINT research


BlackCat’s leak site data suggests that in terms of industry, finance and professional services were the most hit, followed by legal services. Technology, energy and utilities, construction, materials, and manufacturing were also largely affected.

The distribution by industry of BlackCat’s victim organizations from December 1, 2021 to September 30, 2022

Figure 5. The distribution by industry of BlackCat’s victim organizations from December 1, 2021 to September 30, 2022
Source: Sources: BlackCat’s leak site and Trend Micro’s OSINT research

Small-size businesses make up 52% of BlackCat’s victims, followed by midsize businesses at 26%. Combined, they constitute more than three quarters of the gang’s preferred targets. This trend is expected to persist in the months to come.

The distribution by organization size of BlackCat’s victim organizations from December 1, 2021 to September 30, 2022

Figure 6. The distribution by organization size of BlackCat’s victim organizations from December 1, 2021 to September 30, 2022
Source: Sources: BlackCat’s leak site and Trend Micro’s OSINT research

Infection chain and techniques

Infection chain of BlackCat ransomware

Figure 7. Infection chain of BlackCat ransomware observed in 2022

Observed attack chain in Q1 2023 where the BlackCat Sphynx ransomware was used

Figure 8. Observed attack chain in Q1 2023 where the BlackCat Sphynx ransomware was used


Initial Access

  • Trend Micro detected the arrival of BlackCat ransomware through MS Exchange Server vulnerabilities, listed as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. The malware authors keep their access using remote code execution (RCE) via ConnectWise, a software solution designed for managed service providers (MSPs). This allows them to query credentials without passwords or other essential account information.
  • We also found evidence of a possible initial entry of the threat actor that is related to exploiting SSH keys to establish foothold on the target’s machine.  
  • It should be noted that we cannot rule out other methods of initial access. 

Execution

  • Despite finding no evidence of the ransomware binary being executed on the machine, we observed that the encryption of files was carried out with ntoskrnl.exe as the parent process. This led us to believe that Cobeacon served as the conduit for the ransomware's execution by injecting the process into a Windows component (ntoskrnl.exe) to evade detection and ensure successful encryption of the victim's files.  

Defense evasion, discovery, and credential access

  • Upon gaining access to the network, the malicious actors impair the defenses of the target organization by uninstalling antivirus applications, using AdFind and ADRecon to get hold of the victims’ domain accounts, and SoftPerfect to find information about the victims’ network. BlackCat operators also leverage Process Hacker and Mimikatz to access and dump the victims’ credentials.
  • To facilitate reconnaissance, privilege escalation, and lateral movement on the victim's network, threat actors also utilized WMIC and Netstat to extract information on user accounts and their associated Security Identifiers (SIDs). Additionally, the threat actors employed Task Manager to extract LSASS credentials.  

Lateral Movement

  • The BlackCat ransomware binary can propagate and execute laterally on its own by using an embedded PsExec module. Trend Micro has observed BlackCat operators accessing other endpoints in the victims' network for lateral movement using remote control applications like RDP and MobaXterm.
  • Threat actors were also observed using BITSAdmin to copy what we believe is the ransomware binary onto other machines within the victim's network, using the following command: /transfer zzz \\ {redacted}\share$\zzz.exe %AppData%\zzz.exe.Other files with the following filenames are also copied using the same command: xxx.exe, yyy.exe, and sv.exe.   

Command and Control

  • A Base64-encoded PowerShell script with an embedded Cobalt Strike SMB beacon is used to inject the shellcode into memory and establish connection with the C&C via the following named pipes \\ .\pipe\npfs_78, \\ .\pipe\fullduplex_9c.   

Exfiltration

  • Malicious actors also used ExMatter to steal information for double extortion, aside from their use of 7-Zip, Rclone,MEGASync, or WinSCP to archive stolen information, which they send to their C&C server. Trend Micro reports that threat researchers noted BlackCat’s use of an upgraded version of ExMatter published in September 2022.
  • We also observed traces of FreeFileSync, a file synchronization and backup tool. We believe threat actors used this tool to exfiltrate valuable information from the victim’s machines weeks before the actual execution of the ransomware binary.   

Impact

  • The malicious actors’ use of Rust to deliver the ransomware payload sets the stage for its encryption routine . The ransomware binary defaces the system’s background image and replaces it with one containing a notification that important files had been downloaded and encrypted, plus information on where additional instructions can be found (see Figure 10).
  • The payload also terminates specific services related to backups, antivirus applications, database, Windows internet services, and ESXi virtual machines (VMs).
  • Trend Micro researchers also found another variant of BlackCat ransomware binary that restarts the affected system to safe mode before proceeding to its encryption routine. It also disables system recovery and deletes volume shadow copies to inhibit the recovery of the affected systems.
  • For the Sphynx variant, the string appended for encrypted files is based on the ransomware binary's configuration so it should vary for each sample. The ransomware drops its ransom note in an archive format with randomized characters.  
  • Based on additional analysis, the Sphynx variant also inhibits system recovery by deleting volume shadow copies using the commands: 
    vssadmin.exe Delete Shadows /all /quiet and wmic.exe Shadowcopy Delete 

Sample ransom note obtained by Trend Micro Research from its analysis of the BlackCat ransomware binary

Figure 9. Sample ransom note obtained by Trend Micro Research from its analysis of the BlackCat ransomware binary

Sample ransom note obtained by Trend Micro Research from its analysis of the BlackCat ransomware binary

Figure 10. Sample ransom note obtained by Trend Micro Research from its analysis of the BlackCat ransomware binary


Other technical details

BlackCat avoids the following directories:

  • system volume information
  • intel
  • $windows.~ws
  • application data
  • $recycle.bin
  • mozilla
  • $windows.~bt
  • public
  • msocache
  • windows
  • default
  • all users
  • tor browser
  • programdata
  • boot
  • config.msi
  • google
  • perflogs
  • appdata
  • windows.old

It avoids encrypting the following files with strings in their file name:

  • desktop.ini
  • autorun.inf
  • ntldr
  • bootsect.bak
  • thumbs.db
  • boot.ini
  • ntuser.dat
  • iconcache.db
  • bootfont.bin
  • ntuser.ini
  • ntuser.dat.log

It also prevents the encryption of files with the following extensions:

  • themepack
  • nls
  • diagpkg
  • msi
  • lnk
  • exe
  • cab
  • scr
  • bat
  • drv
  • rtp
  • msp
  • prf
  • msc
  • ico
  • key
  • ocx
  • diagcab
  • diagcfg
  • pdb
  • wpx
  • hlp
  • icns
  • rom
  • dll
  • msstyles
  • mod
  • ps1
  • ics
  • hta
  • bin
  • cmd
  • ani
  • 386
  • lock
  • cur
  • idx
  • sys
  • com
  • deskthemepack
  • shs
  • ldf
  • theme
  • mpa
  • nomedia
  • spl
  • cpl
  • adv
  • icl
  • msu

BlackCat terminates the following processes and services:

Processes:

  • agntsvc
  • dbeng50
  • dbsnmp
  • encsvc
  • excel
  • firefox
  • infopath
  • isqlplussvc
  • msaccess
  • mspub
  • mydesktopq
  • mydesktopservic
  • notepad
  • ocautoupds
  • ocomm
  • ocssd
  • onenote
  • oracle
  • outlook
  • powerpnt
  • sqbcoreservic
  • sql
  • steam
  • synctime
  • tbirdconfig
  • thebat
  • thunderbird
  • visio
  • winword
  • wordpad
  • xfssvccon
  • *sql*
  • bedbh
  • vxmon
  • benetns
  • bengien
  • pvlsvr
  • beserver
  • raw_agent_svc
  • vsnapvss
  • CagService
  • QBIDPService
  • QBDBMgrN
  • QBCFMonitorSe
  • SAP
  • TeamViewer_Service
  • TeamViewer
  • tv_w32
  • tv_x64
  • CVMountd
  • cvd
  • cvfwd
  • CVODS
  • saphostexe
  • saposcol
  • sapstartsrv
  • avagent
  • avscc
  • DellSystem
  • EnterpriseClient
  • VeeamNFSSvc
  • VeeamTransportSvc
  • VeeamDeploymentSvc

Services:

  • mepocs
  • memtas
  • veeam
  • svc$
  • backup
  • sql
  • vss
  • msexchange
  • sql$
  • mysql
  • mysql$
  • sophos
  • MSExchange
  • MSExchange$
  • WSBExchange
  • PDVFSService
  • BackupExecVSSProvider
  • BackupExecAgentAccelerator
  • BackupExecAgentBrowser
  • BackupExecDiveciMediaService
  • BackupExecJobEngine
  • BackupExecManagementService
  • BackupExecRPCService
  • GxBlr
  • GxVss
  • GxClMgrS
  • GxCVD
  • GxCIMgr
  • GXMMM
  • GxVssHWProv
  • GxFWD
  • SAPService
  • SAP
  • SAP$
  • SAPD$
  • SAPHostControl
  • SAPHostExec
  • QBCFMonitorService
  • QBDBMgrN
  • QBIDPService
  • AcronisAgent
  • VeeamNFSSvc
  • VeeamDeploymentService
  • VeeamTransportSvc
  • MVArmor
  • MVarmor64
  • VSNAPVSS
  • AcrSch2Svc

MITRE tactics and techniques

Initial AccessExecutionDefense EvasionCredential AccessDiscoveryLateral MovementExfiltrationImpact

T1078 - Valid Accounts
Trend Micro has observed BlackCat ransomware operators gain access to the victims' networks by using compromised account credentials.

T1190 - Exploit Public-Facing Application
Arrival via MS Exchange server vulnerabilities:
● CVE-2021-26855
● CVE-2021-26857
● CVE-2021-26858
● CVE-2021-27065

T1059 - Command and Scripting Interpreter
BlackCat ransomware binary requires a correct access token to continue its malicious routine.

It also accepts other arguments used for different additional features.

T1562.001 - Impair Defenses: Disable or Modify Tools
Trend Micro has observed the malicious actors’ use of ConnectWise and command line to strengthen their foothold in a victim's network by uninstalling antivirus applications.

T1562.009 - Impair Defenses: Safe Mode Boot
BlackCat ransomware binary has the capability to register itself as a service to be able to automatically start in safe mode before restarting the affected system.

T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
The BlackCat ransomware binary clears the victim organizations’ Windows event logs by using wevtutil.exe.

T1003.001 - OS Credential Dumping: LSASS Memory
Operators use Process Hacker to dump the memory of lsass.exe.

T1087 - Account Discovery
The ransomware uses various tools to gather account information.

T1083 - File and Directory Discovery
The ransomware searches for files and discoveries for encryption.

T1057 - Process Discovery
The ransomware searches for processes it will terminate.

T1135 - Network Share Discovery
The ransomware uses various tools to gather account information.

T1016 - System Network Configuration Discovery
The ransomware uses different tools to gather account information.

T1069 - Permission Groups Discovery
The ransomware uses different tools to gather account information.

T1018 - Remote System Discovery
The ransomware uses a variety of tools to gather account information.

T1021.002 - Remote Services: SMB/Windows Admin Shares
The ransomware has an embedded PsExec module used to propagate itself to other remote hosts. It also enumerates network shares from the network using the API NetShareEnum.

T1048 - Exfiltration Over Alternative Protocol
It uses ExMatter and FileZilla to exfiltrate stolen information over alternative protocol.

T1567 - Exfiltration Over Web Service
It leverages ExMatter, Rclone, MEGASync, and WinSCP to exfiltrate stolen information over a web service.

T1489 - Service stop
It terminates various services.

T1490 - Inhibit System Recovery
It deletes shadow copies and disables system recovery.

T1486 - Data Encrypted for Impact
The ransomware payload encrypts files and adds the extension stated in its configuration.

T1491.001 - Defacement: Internal Defacement
The ransomware payload modifies the affected system's wallpaper image.

Summary of malware, tools, and exploits used

Security teams should watch out for the presence of the following malware tools and exploits that are typically used in BlackCat attacks:

Initial AccessDefense EvasionDiscoveryCredential AccessLateral MovementExfiltrationImpact
  • ConnectWise
    Manual operator
    • Impairs defenses by uninstalling antivirus applications
    • Query credentials with no passwords or other account information
  • Impairs Defenses

    BlackCat ransomware operators have been observed to uninstall antivirus applications upon gaining access to its victim’s network.

  • AdFind, ADRecon

    Used to find information about the victim's domain accounts

  • Process Hacker, Mimikatz

    Used to dump and access credentials from the victims

  • PSExec

    Used to execute commands and execute BlackCat ransomware binary laterally. PsExec is embedded in the BlackCat ransomware binary itself.

  • ExMatter

    Malware used to steal information for double extortion

  • BlackCat

    Ransomware encryption

  • Microsoft Exchange Server Vulnerabilities
    MS Exchange Server vulnerabilities:
    • CVE-2021-26855
    • CVE-2021-26857
    • CVE-2021-26858
    • CVE-2021-27065
  • SoftPerfect

    Used to find information about the victim's network

  • RDP, MobaXterm

    Used to access other endpoints in the victim's network for lateral movement.

  • 7zip, RClone, MegaSync, WinSCP

    Third-party tool to archive and exfiltrate stolen information


Recommendations

All indications of BlackCat’s malicious activities suggest that the ransomware group has predisposed itself to more aggressive attacks. Its penchant for unconventional methods, the sophistication of its techniques, and a growing affiliate base show that its operations are robust and will remain so in the future. This should give organizations more reasons to ensure that they are well informed and that they have security measures in place to ward off ransomware threats.

To protect systems against similar threats, organizations can establish security frameworks that allocate resources systematically to establish a strong defense strategy against ransomware.

Here are some best practices that organizations can consider:


Audit and inventory

  • Take an inventory of assets and data.
  • Identify authorized and unauthorized devices and software.
  • Audit event and incident logs.

Configure and monitor

  • Manage hardware and software configurations.
  • Grant admin privileges and access only when necessary to an employee’s role.
  • Monitor network ports, protocols, and services.
  • Activate security configurations on network infrastructure devices such as firewalls and routers.
  • Establish a software allowlist that only executes legitimate applications.

Patch and update

  • Conduct regular vulnerability assessments.
  • Perform patching or virtual patching for operating systems and applications.
  • Update software and applications to their latest versions.

Protect and recover

  • Implement data protection, back up, and recovery measures.
  • Enable multifactor authentication (MFA).

Secure and defend

  • Employ sandbox analysis to block malicious emails.
  • Deploy the latest versions of security solutions to all layers of the system, including email, endpoint, web, and network.
  • Discover early signs of an attack such as the presence of suspicious tools in the system.
  • Use advanced detection technologies such as those powered by AI and machine learning.

Train and test

  • Regularly train and assess employees on security skills.
  • Conduct red-team exercises and penetration tests.

A multilayered approach can help organizations guard possible entry points into their system (endpoint, email, web, and network). Security solutions can detect malicious components and suspicious behavior, which can help protect enterprises.

  • Trend Micro Vision One™ provides multilayered protection and behavior detection, which helps block questionable behavior and tools early on before the ransomware can do irreversible damage to the system.
  • Trend Micro Cloud One™ Workload Security protects systems against both known and unknown threats that exploit vulnerabilities. This protection is made possible through techniques such as virtual patching and machine learning.
  • Trend Micro™ Deep Discovery™ Email Inspector employs custom sandboxing and advanced analysis techniques to effectively block malicious emails, including phishing emails that can serve as entry points for ransomware.
  • Trend Micro Apex One™ offers next-level automated threat detection and response against advanced concerns such as fileless threats and ransomware, ensuring the protection of endpoints.

Indicators of Compromise (IOCs)

The indicators of compromise (IOCs) for the threat discussed in this article can be found here. Actual indicators might vary per attack.

HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.