🚀 CloudSEK has raised $19M Series B1 Round – Powering the Future of Predictive Cybersecurity
Read More
A thorough technical analysis of BlackCat ransomware, which has been causing havoc for organizations across the world. ALPHV, also known as BlackCat, is a ransomware family first seen in late 2021 and has been targeting multiple firms across industries.
Proactively monitor and defend against malware with CloudSEK XVigil Malware Logs module, ensuring the integrity of your digital assets
Schedule a DemoIn recent years, ransomware attacks have become increasingly common, with new strains being discovered all the time. One such strain is BlackCat ransomware, which has been causing havoc for organizations across the world. ALPHV, also known as BlackCat, is a ransomware family first seen in late 2021 and has been targeting multiple firms across industries. The operators of the ransomware are seen employing double extortion techniques, which involve not only encrypting the system but also stealing sensitive files from their victims. Reportedly, another tool is used with the ransomware for stealing data.
BlackCat ransomware is written in Rust and comes in the form of a command-line tool, which can be run with different arguments. It is capable of killing multiple processes and services. One of its key features is its ability to escalate privileges and bypass User Account Control (UAC). This sophisticated malware uses either AES or ChaCha20 encryption (depending on its configuration) to encrypt all the files on a victim's system. Additionally, it has sandbox evasion capabilities, making it hard to analyze the sample. The ransomware requires arguments to run, making it impossible to analyze by a sandbox. In this blog, we'll take a closer look at the characteristics and technicalities of this Rust-written ransomware.
It has been witnessed that attackers that use the BlackCat ransomware also reportedly use a .NET stealer tool named ExMatter, developed by the same APT group, in order to download files from the victim machine. This is what makes this attack even more formidable since this gives attackers the leverage to use a technique known as double extortion, which involves the added pressure of leaking stolen files possibly containing sensitive data. (Refer to the Appendix for a YARA rule that helps with hunting BlackCat.)
The BlackCat binary comes in the form of a command-line tool that can be run using different arguments. For example:
Out of these arguments, only one of them is essential to the execution of the binary, which is the access-token argument.
As mentioned earlier, the binary will only run if it is supplied with a 32-character long access token. It uses the GetCommandLineW API in order to check whether the access token is correctly supplied.
Depending on the version of the Ransomware, this token can either be random (like in this sample), or as seen in the latest versions, this access token is a 32-character key used to encrypt the configuration of the Ransomware embedded within the binary. Latest versions do this in order to stop security researchers from extracting the configuration. This also serves as an anti-sandboxing measure, since automated analysis tools will not be able to execute the sample unless they are configured to supply the access token.
Once the access token is supplied to the binary, the Ransomware proceeds by decrypting the ransom note embedded within the binary and storing it for later use. It also sets the ransom note as the Desktop wallpaper.
After this, the Ransomware prepares itself to escalate privileges by creating a new thread using the CreateThread API.
BlackCat ransomware performs a UAC bypass by abusing Microsoft COM (component object model). This attack involves using COM objects of a binary known as Microsoft CMSTP (Connection Manager Profile Installer), particularly the CMSTPLUA interface {3E5FC7F9-9A51-4367-9063-A120244FBEC7}.
The ransomware uses CoGetObject to register itself with the CLSID {3E5FC7F9-9A51-4367-9063-A120244FBEC7}, which is legitimately used to execute applications with elevated privileges. This technique allows it to bypass the UAC prompt and perform its malicious actions without being detected or blocked by the system's security measures.
Using CoGetObject to register itself with {3E5FC7F9-9A51-4367-9063-A120244FBEC7} in order to gain elevated privileges
Once the ransomware elevates privileges, it executes within the newly created thread and carries its arguments forward from its previous instance.
After this, BlackCat uses the LookupPrivilegeValueW API in order to look for local identifiers for a list of privileges. Each of these privileges enables the running process to run system-level operations. (Refer to the Appendix for a complete list and description of each privilege). The binary then uses AdjustTokenPriveleges in order to grant itself those privileges.
Finally, BlackCat ends its preparation for encryption by doing the following:
Note: BlackCat has its configuration embedded within itself and decrypts it at runtime. The configuration contains information about the public key to be used in order to encrypt the key, any specific services to terminate, an exception list, etc.
The sample of BlackCat utilized for this analysis employs AES for encryption. The steps involved in encrypting are as follows:
Once BlackCat is done encrypting all files on the system, the Desktop wallpaper is changed, instructing the user to refer to the ransom note.
The .onion URL specified in the ransom note is unique to each victim, as each sample uses a different access token, supplied to the URL as a parameter. The onion URL contains information about the files encrypted/stolen and instructions on how to pay the ransom.
SHA256
847FB7609F53ED334D5AFFBB07256C21CB5E6F68B1CC14004F5502D714D2A456
3a08e3bfec2db5dbece359ac9662e65361a8625a0122e68b56cd5ef3aedf8ce1
9802a1e8fb425ac3a7c0a7fca5a17cfcb7f3f5f0962deb29e3982f0bece95e26
f7a038f9b91c40e9d67f4168997d7d8c12c2d27cd9e36c413dd021796a24e083
CloudSEK’s TRIAD team created this report based on an analysis of the increasing trend of cryptocurrency counterfeiting, in which tokens impersonate government organizations to provide some legitimacy to their “rug pull” scams. An example of this scam is covered in this report where threat actors have created a counterfeit token named “BRICS”. This token is aimed at exploiting the focus on the BRICS Summit held in Kazan, Russia, and the increased interest in investments and expansion of the BRICS government organization which comprises different countries (Brazil, Russia, India, China, South Africa, Egypt, Ethiopia, Iran, and the United Arab Emirates)
CloudSEK's threat research team has uncovered a ransomware attack disrupting India's banking system, targeting banks and payment providers. Initiated through a misconfigured Jenkins server at Brontoo Technology Solutions, the attack is linked to the RansomEXX group.
Explore the escalating wave of cyber threats on platforms like Google Groups and Usenet, uncovering the pivotal role of cybersecurity in safeguarding online discussion forums.
Take action now
CloudSEK Platform is a no-code platform that powers our products with predictive threat analytic capabilities.
Digital Risk Protection platform which gives Initial Attack Vector Protection for employees and customers.
Software and Supply chain Monitoring providing Initial Attack Vector Protection for Software Supply Chain risks.
Creates a blueprint of an organization's external attack surface including the core infrastructure and the software components.
Instant Security Score for any Android Mobile App on your phone. Search for any app to get an instant risk score.
8
min read
A thorough technical analysis of BlackCat ransomware, which has been causing havoc for organizations across the world. ALPHV, also known as BlackCat, is a ransomware family first seen in late 2021 and has been targeting multiple firms across industries.
In recent years, ransomware attacks have become increasingly common, with new strains being discovered all the time. One such strain is BlackCat ransomware, which has been causing havoc for organizations across the world. ALPHV, also known as BlackCat, is a ransomware family first seen in late 2021 and has been targeting multiple firms across industries. The operators of the ransomware are seen employing double extortion techniques, which involve not only encrypting the system but also stealing sensitive files from their victims. Reportedly, another tool is used with the ransomware for stealing data.
BlackCat ransomware is written in Rust and comes in the form of a command-line tool, which can be run with different arguments. It is capable of killing multiple processes and services. One of its key features is its ability to escalate privileges and bypass User Account Control (UAC). This sophisticated malware uses either AES or ChaCha20 encryption (depending on its configuration) to encrypt all the files on a victim's system. Additionally, it has sandbox evasion capabilities, making it hard to analyze the sample. The ransomware requires arguments to run, making it impossible to analyze by a sandbox. In this blog, we'll take a closer look at the characteristics and technicalities of this Rust-written ransomware.
It has been witnessed that attackers that use the BlackCat ransomware also reportedly use a .NET stealer tool named ExMatter, developed by the same APT group, in order to download files from the victim machine. This is what makes this attack even more formidable since this gives attackers the leverage to use a technique known as double extortion, which involves the added pressure of leaking stolen files possibly containing sensitive data. (Refer to the Appendix for a YARA rule that helps with hunting BlackCat.)
The BlackCat binary comes in the form of a command-line tool that can be run using different arguments. For example:
Out of these arguments, only one of them is essential to the execution of the binary, which is the access-token argument.
As mentioned earlier, the binary will only run if it is supplied with a 32-character long access token. It uses the GetCommandLineW API in order to check whether the access token is correctly supplied.
Depending on the version of the Ransomware, this token can either be random (like in this sample), or as seen in the latest versions, this access token is a 32-character key used to encrypt the configuration of the Ransomware embedded within the binary. Latest versions do this in order to stop security researchers from extracting the configuration. This also serves as an anti-sandboxing measure, since automated analysis tools will not be able to execute the sample unless they are configured to supply the access token.
Once the access token is supplied to the binary, the Ransomware proceeds by decrypting the ransom note embedded within the binary and storing it for later use. It also sets the ransom note as the Desktop wallpaper.
After this, the Ransomware prepares itself to escalate privileges by creating a new thread using the CreateThread API.
BlackCat ransomware performs a UAC bypass by abusing Microsoft COM (component object model). This attack involves using COM objects of a binary known as Microsoft CMSTP (Connection Manager Profile Installer), particularly the CMSTPLUA interface {3E5FC7F9-9A51-4367-9063-A120244FBEC7}.
The ransomware uses CoGetObject to register itself with the CLSID {3E5FC7F9-9A51-4367-9063-A120244FBEC7}, which is legitimately used to execute applications with elevated privileges. This technique allows it to bypass the UAC prompt and perform its malicious actions without being detected or blocked by the system's security measures.
Using CoGetObject to register itself with {3E5FC7F9-9A51-4367-9063-A120244FBEC7} in order to gain elevated privileges
Once the ransomware elevates privileges, it executes within the newly created thread and carries its arguments forward from its previous instance.
After this, BlackCat uses the LookupPrivilegeValueW API in order to look for local identifiers for a list of privileges. Each of these privileges enables the running process to run system-level operations. (Refer to the Appendix for a complete list and description of each privilege). The binary then uses AdjustTokenPriveleges in order to grant itself those privileges.
Finally, BlackCat ends its preparation for encryption by doing the following:
Note: BlackCat has its configuration embedded within itself and decrypts it at runtime. The configuration contains information about the public key to be used in order to encrypt the key, any specific services to terminate, an exception list, etc.
The sample of BlackCat utilized for this analysis employs AES for encryption. The steps involved in encrypting are as follows:
Once BlackCat is done encrypting all files on the system, the Desktop wallpaper is changed, instructing the user to refer to the ransom note.
The .onion URL specified in the ransom note is unique to each victim, as each sample uses a different access token, supplied to the URL as a parameter. The onion URL contains information about the files encrypted/stolen and instructions on how to pay the ransom.
SHA256
847FB7609F53ED334D5AFFBB07256C21CB5E6F68B1CC14004F5502D714D2A456
3a08e3bfec2db5dbece359ac9662e65361a8625a0122e68b56cd5ef3aedf8ce1
9802a1e8fb425ac3a7c0a7fca5a17cfcb7f3f5f0962deb29e3982f0bece95e26
f7a038f9b91c40e9d67f4168997d7d8c12c2d27cd9e36c413dd021796a24e083