On May 30, 2021, Nucleus Software, an India-based IT company in the Banking and Financial Services sector, noted a breach on its servers. The company has reported this incident to the Bombay Stock Exchange (BSE) and the National Stock Exchange of India (NSEI).
In the intimation letter, the company stated that it does not store the financial data of its customers, and that financial data is therefore unlikely to have been leaked.
The Research team at Cyble conducted an initial investigation into the matter and found that the BlackCocaine Ransomware gang is responsible for the attack on Nucleus Software.
Figure 1 is a screenshot from the BlackCocaine Negotiation Page.
Figure 1 BlackCocaine negotiation page
The group operates their site here – hxxp://blackcocaine[.]top/
Based on the analysis, the Cyble research team found that Nucleus Software is the first victim of the BlackCocaine ransomware group.
The WHOIS information for the domain reveals that the domain of the BlackCocaine ransomware was registered on May 28, 2021, as shown in Figure 2.
Figure 2 Domain registration details
The first encrypted file submitted to public analysis platforms is “a.BlackCocaine”, which was uploaded on May 30, 2021.
Figure 3 Analysis information
During our routine threat hunting exercises, Cyble researchers obtained BlackCocaine ransomware sample files. The file information of the ransomware payload is shown in Figure 4.
Figure 4 Static file information of Blackcocaine
The ransomware payload is a UPX-packed 64-bit Windows executable, written in Go and compiled with the MinGW toolchain. Figure 5 shows the hex view of the payload file with the compilation timestamp.
Figure 5 HexView of payload
Our research indicated that the malicious executable was compiled on May 29, 2021. This was determined by converting the compilation timestamp stored in the executable, as shown in Figure 6.
Figure 6 File Compilation Timestamp
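As an added illustration of the static triage described above (example code, not from the Cyble post), the following Python reads the COFF header of a PE file to recover the compilation timestamp, architecture and section names, and flags the UPX section names that indicate packing. The PE bytes it parses are constructed inline and are not the BlackCocaine payload.

```python
import struct
from datetime import datetime, timezone

# Constructed minimal PE image (NOT the real sample): MZ stub, e_lfanew -> "PE\0\0",
# a COFF header for x86-64, no optional header, and a section table whose names
# mimic a UPX-packed binary. The timestamp is a constructed value for the demo.
def build_sample_pe(timestamp: int, section_names=(b"UPX0", b"UPX1")) -> bytes:
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew: offset of "PE\0\0"
    coff = struct.pack("<HHIIIHH",
                       0x8664,                     # Machine: x86-64
                       len(section_names),         # NumberOfSections
                       timestamp,                  # TimeDateStamp (seconds since epoch)
                       0, 0,                       # PointerToSymbolTable, NumberOfSymbols
                       0,                          # SizeOfOptionalHeader (omitted here)
                       0x0022)                     # Characteristics: executable image
    # Each section header is 40 bytes; only the 8-byte name matters for this demo.
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + sections

def pe_triage(data: bytes) -> dict:
    """Return compilation time, architecture, section names and a UPX-packing flag."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsec, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    sec_table = coff + 20 + opt_size               # section headers follow the optional header
    names = [data[sec_table + 40 * i: sec_table + 40 * i + 8].rstrip(b"\0").decode("ascii", "replace")
             for i in range(nsec)]
    return {
        "arch": {0x8664: "x86-64", 0x14C: "x86"}.get(machine, hex(machine)),
        # TimeDateStamp is UTC; compare it with sandbox first-seen dates as the post does
        "compiled_utc": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "sections": names,
        "upx_packed": any(n.startswith("UPX") for n in names),
    }

if __name__ == "__main__":
    print(pe_triage(build_sample_pe(1622246400)))   # constructed timestamp: 2021-05-29 00:00:00 UTC
```

Note that the timestamp field is attacker-controlled and can be forged; treat it as corroborating evidence alongside first-seen dates, not as proof on its own.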
The BlackCocaine ransomware file uses multiple anti-VM and anti-debugging techniques to protect itself from being analysed and captured by automated analysis tools. Cyble researchers manually unpacked the ransomware payload, and Figure 7 shows the unpacked file in the debugger with the original entry point (OEP) highlighted.
Figure 7 Unpacked file
The ransomware file decrypts the names of the Windows APIs it needs at runtime in order to enumerate the file system while encrypting the victim's documents. The decrypted API function names are highlighted in Figure 8.
We observed a hardcoded string “.BlackCocaine” appended as an encrypted file extension.
Based on further analysis, we found BlackCocaine ransomware uses the AES and RSA Encryption methods.
Figure 8 Decrypted data
After file encryption, the ransomware drops ransom notes with the following filename on the victim's machine.
Threat actors are known to use manual hacking techniques and open-source tools. They also traverse the victim's network for lateral movement and secure executive access to the organization's systems before encrypting files.
BlackCocaine is the latest addition to the ransomware landscape and appears to be one of the most sophisticated and active malware strains. This ransomware family follows the same model of server-side encryption to lock user documents and demand a ransom. At this point, we are still not sure about the initial infection vector of BlackCocaine.
The Cyble Research team is continuously monitoring new strains of ransomware groups, and we will keep updating the blog with new information as and when we find it.
- Use the shared IoCs to monitor and block the malware infection.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
- Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
- People concerned about their exposure in the Darkweb can register at AmIBreached.com to ascertain their exposure.
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
Indicators of Compromise (IoCs):
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.