Deep Dive into BlackCocaine Ransomware

Share on linkedin
Share on twitter
Share on whatsapp
Share on facebook
Share on telegram
Share on email

On May 30, 2021, Nucleus Software, an India-based IT company in the Banking and Financial Services sector, noted a breach on its servers. The company has reported this incident to the Bombay Stock Exchange (BSE) and the National Stock Exchange of India (NSEI). 

In the intimation letter, the company has said that it does not store the financial data of its customers, and the probability of financial data having been leaked is unlikely.  

The Research team at Cyble conducted an initial investigation into the matter and found that the BlackCocaine Ransomware gang is responsible for the attack on Nucleus Software.  

Figure 1 is a screenshot from the BlackCocaine Negotiation Page. 

Figure 1 BlackCocaine negotiation page 

The group operates their site here – hxxp://blackcocaine[.]top/

Based on the analysis, the Cyble research team found that Nucleus Software is the first victim of the BlackCocaine ransomware group.  

The WHOIS information for the domain reveals that the domain of the BlackCocaine ransomware was registered on May 28, 2021, as shown in Figure 2.  

Figure 2 Domain registration details 

The first encrypted file submitted to different public platforms for analysis is “a.BlackCocaine” that was submitted on May 30, 2021. 

Figure 3 Analysis information 

Technical analysis: 

During our routine threat hunting exercises, Cyble researchers got their hands on BlackCocaine ransomware sample files. The file information of the ransomware payload is shown below. 

Figure 4 Static file information of Blackcocaine  

The ransomware payload file is a UPX-packed 64-bit Windows executable file, programmed in the Go language and complied using the MinGW tool. Figure 5 showcases the hex view of the payload file with compilation timestamp.  

Figure 5 HexView of payload  

Our research indicated that the malicious executable was compiled on May 29, 2021. This was found after converting the timestamp from the executable, as shown in Figure 6. 

Figure 6 File Compilation Timestamp  

The BlackCocaine ransomware file has multiple anti-VM and anti-debugging techniques to protect itself from being analysed and captured by automated analysis tools. Cyble researchers have manually unpacked the ransomware payload; and the image below showcases the unpacked file in the debugger with the highlighted original entry point (OEP). 

Figure 7 Unpacked file 

The Ransomware file decrypts Windows APIs during runtime so as to perform file system enumeration while encrypting the victim documents. The decrypted API function names are highlighted in Figure 8. 

We observed a hardcoded string “.BlackCocaine” appended as an encrypted file extension.  

Based on further analysis, we found BlackCocaine ransomware uses the AES and RSA Encryption methods. 

Figure 8 Decrypted data 

After file encryption, the ransomware drops Ransom notes with the following filename on victim’s machine. 


Threat Actors are known to use manual hacking techniques and open-source tools. In addition, they also look through the victim’s networks for lateral movement and secure executive access to the organization’s systems before encrypting files. 

BlackCocaine is the latest addition to the group of ransomware and appears to be one of the most sophisticated and active malware strains. This ransomware family follows the same model of server-side encryption to lock user documents and demand ransom. At this point, we are still not sure about the initial infection vector of BlackCocaine. 

The Cyble Research team is continuously monitoring new strains of ransomware groups, and we will keep updating the blog with new information as and when we find it.  

Our Recommendations:  

  • Use the shared IoCs to monitor and block the malware infection.  
  • Use strong passwords and enforce multi-factor authentication wherever possible.  
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.  
  • Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.  
  • People concerned about their exposure in the Darkweb can register at to ascertain their exposure.  
  • Refrain from opening untrusted links and email attachments without verifying their authenticity.  

Indicators of Compromise (IoCs):  

IoC  IoC Type  
41f533f7b8f83e5f0d67e90c7b38d1fdc70833a70749c756bae861ec1dc73c5c SHA256    
6471a7f99df7a48e01bb7a7ebca3d638c5f6bf8f7feffd84f177cf969609819d  SHA256    

About Cyble

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit

Scroll to Top