What is BlackCat Ransomware?

The cybercriminals use ALPHV (BlackCat), a sophisticated ransomware-type program written in the Rust programming language, for their operations. It is distributed as Ransomware-as-a-Service (RaaS) model, encrypts data by locking files, and actively demands payment for decryption. In most cases, the malicious actors responsible for this type of malware rename the encrypted files by appending them with specific extensions. Since the software is distributed as a service, the name of the blocked file extensions depends on the current attackers.

Though, these details are quite trivial for any successful modern ransomware group. More interesting details about BlackCat include their unique approach towards spreading methods and rough behavior when it comes to data publication. The latter, actually, is done on a clear web site, instead of a more regular Darknet page. Moreover, these hackers were among the first who used so-called triple extortion – asking additional money to keep the attack fact in secret.

BlackCat’s level up

BlackCat gained notoriety almost immediately after its launch in November 2021. It was regularly at the top of the most active ransomware groups and was associated with the now-defunct BlackMatter. /DarkSide ransomware. In addition, in 2022 BlackCat switched to the Rust programming language. This gave the customization provided by this language and the ability to bypass malware detection and analysis. However, even after a year and a half, there is no hint that BlackCat’s career is nearing its end.

Over the last six months, BlackCat has been constantly improving its tools. They have abused the functionality of Group Policy Objects to deploy tools and interfere with security measures. For example, attackers may try to increase the speed of their operations by changing the default Group Policy update time, thereby shortening the time between the changes taking effect and the defenders being able to react.

In addition, BlackCat ransomware operators are deploying a double extortion scheme, using tools for both data encryption and theft. One tool, ExMatter, was used to exfiltrate multiple terabytes of data from victims to the attackers’ infrastructure. One BlackCat affiliate exclusively uses this tool, tracked by Microsoft as DEV-0504. The attackers frequently post stolen data publicly on their official leak site. They are doing that for one reason – to pressure their extortion victims.

New version of BlackCat

A new version of BlackCat, called Sphynx, was also observed by IBM X-Force. It was announced in February 2023 and has updated capabilities that make it harder to detect. Sphynx differs significantly from previous variants. For example, reworking the command line arguments and using raw structures instead of JSON formatting for configuration data. This makes it harder to detect and analyze the ransomware. The BlackCat group has stated that it was a global update and it was done to optimize detection by AV/EDR. In short, the BlackCat Sphynx Loader is an obfuscated loader that decrypts strings and payloads upon execution. It conducts network discovery activities and creates a ransom note in encrypted files. The BlackCat ransomware sample may also function as a toolkit based on tools from Impacket.

How does it work?

Initial access and privilege escalation

Researchers tend to believe that attackers used valid credentials obtained through Raccoon and Vidar stealers in the earliest stages. After successfully penetrating a network, attackers use PowerShell and the command line to gather information. In particular, they are interested in information about user accounts, domain computers, and permissions. As a result, they use the PowerShell code associated with “PowerSploit” to obtain domain administrator credentials.

Defense Evasion and Lateral Movement

Next, the attackers use Remote Desktop Protocol (RDP) to move around the network. Using credentials for accounts with administrative privileges, they authenticate to domain controllers. Eventually, they modify the default domain group policy object (GPO). These actions allow them to disable security controls, Microsoft Defender, system monitoring, security, and notifications. In addition, attackers edit the default domain group policy settings.

Exfiltration and self-destruction

As mentioned above – BlackCat extracts data using ExMatter before launching the ransomware. This malware installs itself as a service in the system registry section in the following key. Then, a secure file transfer protocol and WebDAV send the stolen data to the attacker’s infrastructure. After exfiltrating the data, Exmatter launches a specific process to remove all its traces.

BlackCat vs. Linux

In addition to attacking Windows systems, BlackCat affiliates can attack unix systems. In this case, the payload is deployed on ESXIi hosts with virtual machines using WinSCP. The attackers then access the hosts using PuTTY to run the ransomware. Releasing malware versions adjusted to attack Linux systems appears to be a new trend among cybercriminals – and it should not be ignored.

How to Protect Against BlackCat Ransomware Attacks

• Educating employees. Educating employees is crucial to safeguard against ransomware like BlackCat. Training them on identifying phishing emails, avoiding suspicious links and attachments, keeping software updated, and reporting any suspicious activity to IT or security personnel can reduce the risk of an attack. Regular security awareness training can inform employees about the latest threats and best practices.
• Encrypting sensitive data. Encrypting sensitive data is an effective way to protect against BlackCat ransomware and other malware. This involves converting the data into a code requiring a decryption key. Financial records, personal information, and important files should always be encrypted. Access controls should also be implemented to restrict who can view or modify the data. By encrypting sensitive data and implementing access controls, businesses can significantly reduce the risk of attack and potential impact.
• Backup data. Backing up and storing your data offline is the best way to keep and protect your files from any ransomware and other malware. We recommend storing a copy of essential files in a separate location. For example, you can use an external or cloud storage. If infected, you can erase files and restore data from the backup. Keep backups secure by storing them in a location physically separate from your computer or using a reputable cloud storage service with strong security and encryption.

These were the main ways to prevent negative consequences. But in addition, it is essential to use multi-factor authentication, use strong passwords, Install updates, Monitor network traffic, and Monitor file and folder activity.

The post BlackCat Ransomware New Update Boosts Exfiltration Speed appeared first on Gridinsoft Blog.

The operators of the ransomware BlackCat (aka ALPHV) have published screenshots of Western Digital’s internal emails and video conferences. The hackers appear to have maintained access to the company’s systems even after Western Digital discovered and responded to the attack.

Let me also remind you that we wrote that BlackCat Says It Attacked Creos Luxembourg, European Gas Pipeline Operator, and also that Experts linked BlackCat (ALPHV) ransomware to BlackMatter and DarkSide groups.

Western Digital was hacked at the end of March 2023. Then the attackers compromised the internal network and stole the company’s data. At the same time, ransomware was not deployed on the Western Digital network, and the files were not encrypted.

As a result of this attack, the company’s cloud services, including Cloud, My Cloud Home, My Cloud Home Duo, My Cloud OS 5, SanDisk ibi and SanDisk Ixpand Wireless Charger, as well as mobile, desktop and web applications related to them, did not work for almost two weeks.

Let me remind you that the media wrote that Western Digital My Cloud OS Fixes Critical Vulnerability.

The fact that the incident is most likely related to a ransomware attack was first reported by TechCrunch. According to journalists, the attackers managed to steal about 10 TB of data from the company. The hackers shared samples of stolen data with TechCrunch, including files signed with stolen Western Digital keys, company phone numbers not publicly available, and screenshots of other internal data.

The first statement of hackers about the attack on WD

Although the attackers then claimed that they were not associated with the ALPHV group, soon a message appeared on the hack group’s website that Western Digital’s data would be published in the public domain if the company did not pay the ransom.

As information security researcher Dominic Alvieri now reports, in an effort to put pressure on the affected company, the hackers released 29 screenshots containing emails, documents and video conferences related to Western Digital’s response to this attack. In this way, the attackers hinted that they retained access to some Western Digital systems even after the hack was discovered (probably until April 1, 2023).

So, one screenshot includes a “media holding statement”, and the other is a letter about employees who “leak” information about the attack to journalists.

A new message from the attackers is also attached to this drain, in which they claim that they have personal information of the company’s customers and a full backup of SAP Backoffice.

The hackers say that if Western Digital does not pay the ransom, they will release the stolen files every week. They also threaten to sell the company’s stolen intellectual property on the black market, including firmware, code-signing certificates, and customers’ personal information.

The post BlackCat Group Leaks Western Digital Data to the Network appeared first on Gridinsoft Blog.

Let me remind you that we also wrote that New RedAlert Ransomware Targets Windows and Linux VMware ESXi Servers, and also that Hackers Launched LockBit 3.0 and Bug Bounty Ransomware.

Hackers from the LockBit, Hive and ALPHV (BlackCat) groups gained access to the victim’s network on April 20, May 1 and May 15 this year.

The researchers write that it all started back in December 2021, when the company’s network was compromised by a hacker, apparently an initial access broker. An attacker used a misconfigured firewall to hack into a domain controller server using RDP.

Apparently, after that, the hacker sold access to the victim’s network to other attackers, since three attacks in a row hit the company in the spring.

On May 1, 2022, LockBit and Hive ransomware payloads almost simultaneously spread across the victim’s network using legitimate PsExec and PDQ Deploy tools, and more than a dozen systems were encrypted as a result of each of the attacks. Previously, back in April, LockBit operators managed to steal the company’s data and uploaded it to the Mega cloud storage.

Just two weeks later, on May 15, 2022, while the IT team of the affected company was restoring encrypted systems, hackers from the BlackCat (aka ALPHV) group also connected to the server, previously compromised by their “colleagues” from LockBit and Hive.

Using a legitimate remote access tool (Atera Agent), they gained a foothold in the network and stole data from the company. Half an hour later, BlackCat operators delivered a ransomware payload to the victim’s network using PsExec and encrypted six machines after traversing the network sideways using compromised credentials.

In addition, in the end, BlackCat attackers deleted all shadow copies and cleared event logs on compromised systems, which significantly complicated recovery attempts and incident investigations conducted by Sophos experts.

And although the latest hackers destroyed a lot of evidence, Sophos specialists eventually found files on the affected systems that were encrypted three times with Lockbit, Hive and BlackCat, as well as three different ransom notes.

The post Auto Parts Manufacturer Attacked by Three Different Ransomware in Two weeks appeared first on Gridinsoft Blog.

Imagine a firm gets attacked by ransomware. It is not a novelty that, besides encrypting the data belonging to the company (to demand ransom for giving the data back,) the crooks also steal the data before its encryption. They can sell the data afterward. It is called a double-extortion scheme.

LockBit Weaponizes Its Victim’s Clients

However, if the enterprise administration doesn’t negotiate with the racketeers, they have thought up a way to make them do so. They contact the clients, partners, and employees of the victimized company and notify them about the company’s total neglect of the safety of data that has to do with people who trust the company and deserve its responsible care. Ransomware group thus encourages affected individuals to push the companies to do something about the leak.

Callow calls it ‘weaponizing’ clients (not only clients, though.) Ransomware gangs share links to specially created web pages where alleged victims can check whether their data ended up in the possession of the malefactors. Sometimes crooks allow paying for excluding an individual’s information from the total pile of the stolen data, while sometimes, it is impossible. However, there is no guarantee that such a procedure is technically possible since ransomware must have the relevant architecture to allow partial decryption of specified data alongside full decoding.

In the LockBit case, clients of victimized companies are warned about auctions that are going to take place before the personal data (including names, addresses, social security numbers, phone numbers, emails, etc.) is published.

Brett Callow notes that LockBit is not the first ransomware gang to practice such ‘client weaponizing.’ ALPHV and Cl0p operators did the same thing earlier this year and last year, respectively.

How do Auctions Look?

Even more interesting is that the LockBit victim companies, while being possibly pushed by their employees and customers, have a chance to play a game of patience on the auction: they are allowed to destroy all the malefactors-controlled data at once by paying a certain amount of money. At the same time, anyone can pay the same amount to download all the information. Both options get cheaper and cheaper simultaneously. On the one hand, nobody forces company administrators to pay the initial amount. On the other hand, as soon as the price gets low enough, someone might want to buy the data to download it. And that’s it!

The post LockBit Weaponizes Its Victims’ Clients – Brett Callow appeared first on Gridinsoft Blog.

BlackCat/ALPHV published the leaked data

Cybercriminal groups that practice the double extortion have tried countless ways to shame their victims into paying. The latest innovation that increased the stakes comes from the ALPHV/BlackCat ransomware group. It commonly released any stolen victim data on the Darknet page. However, these days the group has begun posting the websites of individual victims on the public Internet, and the leaked data has been made available in an easy-to-search form.

This is a new but unsurprising evolution in extortion tactics. Alphv will likely use stolen email addresses to send a link to the site to impacted individuals. Other gangs have used similar strategies 2/3https://t.co/JE0V1wR2HY

— Brett Callow (@BrettCallow) June 14, 2022

The case with the luxury resort is among the first ones, but likely not the last. Hackers’ website claims to have the personal information of 1,500 resort employees and over 2,500 residents of the facility. At the top of the page there are two “Check Yourself” buttons, one for employees and one for guests. Brett Callow, a threat analyst at security firm Emsisoft, called the ALPHV’s actions a “cunning tactic” that is sure to worry their other victims.

Cybersecurity experts are surprised with what’s happening

Callow said most of the victim-shaming blogs maintained by major ransomware groups exist on obscure, slow-loading sites on the Dark Web. Users could reach those sites only with third-party software such as Tor. But the website created by the ALPHV as part of this new pressure tactic is available in the Surface Web. Hence, everyone who wants to check the information on the certain visitor is welcome. Companies are likely to be more concerned about the prospect of their data being shared this way than just being posted on an obscure Tor site whose URL almost no one knows,” Callow said. “It will piss people off and force them to react together.” Apparently, Callow alludes to the high probability of the FBI to pay attention to the gang with such sly tricks. And that is not the single case wherethe US law enforcement were going for these crooks.

It’s unclear if the ALPHV plans to apply this approach to every victim, but other recent gang victims include a US school district and city. This is most likely a test run to see if it improves the results. “We are not going to stop, our leak distribution department will do everything possible to bury your business,” the victim’s website says. “At this point, you still have a chance to maintain the safety and reputation of your hotel. We strongly encourage you to be proactive in your negotiations; you don’t have much time.”

What is BlackCat/ALPHV ransomware?

Launched in November 2021, ALPHV is perhaps most notable for its programming language – Rust. Such a choice allows them to circumvent the detection from the conventional security solutions. Additionally, that made their malware cross-platform, so it can be freely launched on Windows and any of *NIX systems. ALPHV actively recruits operators from several ransomware organizations, including REvil, BlackMatter and DarkSide, offering partners up to 90% of any ransom paid by the victim organization.

Many security experts believe that ALPHV/BlackCat is simply a rebranding of another ransomware group, Darkside, also known as BlackMatter. That gang is responsible for the 2021 Colonial Pipeline attack. This attack lead to fuel shortages and price spikes on the U.S. East Coast. That’s why, exactly, I have mentioned that the attention from law enforcement is not new for those people. Are they fearless now?

Let’s sum the things up

The fact that the ransomware group stepped up to posting the leaked info, and in particular the information about individuals, is outrageous. Even more disgusting is that they created a page for that in the surface web. Still, such a technique can turn positive for individuals whose data is leaked. Mr. Callow I have cited above supposed there may be a silver lining to this ALPHV innovation, mentioning his wife’s conversation with Cl0p ransomware gang representatives.

“On the positive side, tricks like this mean that people can find out that their personal data has been compromised. Cl0p sent a letter to my wife last year. The company that lost her data still hasn’t made the information public or notified the affected people (at least she hasn’t heard anything from the company).”

Sure, receiving the leak notification in such a manner is not a pleasant thing. But that is way better to remain unaware at all, like it happens pretty often. Who knows, maybe that case will push the stakes and force the companies to claim about the leaks as soon as they are uncovered? What a time to be alive.

The post BlackCat ransomware gang publishes leaked data on the clear web site appeared first on Gridinsoft Blog.

Let me remind you that the unusual ransomware ALPHV (aka BlackCat and BC.a Noberus) written in Rust was discovered by researchers at the end of last year. Even then, experts noted that the creator of ALPHV was probably previously a member of the well-known hacker group REvil, and the new malware is a “very complex” encryptor.

Back at the end of 2021, after the appearance of ALPHV, a representative of the LockBit hack group stated that ALPHV is just a rebranding of the BlackMatter/DarkSide malware.

Now, these statements have been confirmed by the ALPHV representative himself:

Although BlackCat operators claim in interviews that they were only BlackMatter/DarkSide partners running their own extortion business, some experts do not believe this. For example, in response to the statements of hackers, Bleeping Computer quotes Emsisoft analyst Brett Callow, who is sure that BlackMatter simply replaced the development team after Emsisoft found a vulnerability in their malware that allowed victims to restore files for free.

Bleeping Computer journalists also note that hackers do not seem to learn from their mistakes. The fact is that the responsibility for the recent attacks on the German companies Oiltanking and Mabanaft, engaged in the transportation and storage of oil and petroleum products, lies with the operators of the BlackCat/ALPHV encryptor. These attacks once again affected the fuel supply chain and caused a lot of problems.

This is quite ironic, considering that the DarkSide group was forced to cease its activities earlier precisely after the attack on the largest pipeline operator in the United States, Colonial Pipeline, as the incident provoked interruptions in the supply of fuel and drew too much unnecessary attention to the hackers.

About the same thing happened with the BlackMatter ransomware, which experts almost immediately called the rebranding of DarkSide – law enforcement agencies confiscated the group’s servers and forced it to stop operating again.

Now, after attacking Oiltanking and Mabanaft, the faction may again be under attack for the same reason. However, in an interview with Recorded Future, the hackers said that they cannot control targets of their partner’s attacks, and try to block those who break the rules.

The post Experts linked BlackCat (ALPHV) ransomware to BlackMatter and DarkSide groups appeared first on Gridinsoft Blog.