
Deep Dive Analysis – ALPHV / BlackCat

Sophisticated Ransomware Compiled on Rust

In November 2021, a new ransomware variant called BlackCat (a.k.a ALPHV, Noberus) reportedly targeted multiple sectors globally. This ransomware group uses a double extortion tactic, where Threat Actors (TAs) initially steal a company’s data. In the second stage of extortion, the TAs threaten to leak or sell this stolen data to increase pressure on the victim to pay the ransom. In some cases, the attacker threatens victims with Distributed Denial-of-Service (DDoS) attacks if the ransom is not paid.

The Threat Actors developed this malware in the Rust programming language. Only a few ransomware developers have been observed using Rust so far. The prime driver of this is that Rust is relatively easy to compile and customize for various Operating System (OS) architectures.

The Threat Actors behind BlackCat use the Ransomware-as-a-Service (RaaS) model, where ransomware developers use cybercrime forums to search for affiliates to carry out the attacks and share the ransom based on a percentage of the total amount extorted.  

The BlackCat ransomware gang has attacked nearly 30 organizations worldwide (as of the time of publishing this analysis). Most of these victims are from the United States, Germany, Canada, France, and Italy. Below we can see the countries most targeted by the BlackCat ransomware gang so far.

Figure 1: Countries Targeted by BlackCat Ransomware Gang

The Financial, Business, and Transport services are the top industries targeted by the BlackCat ransomware gang. Below, we have outlined the breakup of targeted industries.

Figure 2: Targeted Industries

Technical Analysis

This blog post presents a deep-dive analysis of BlackCat ransomware, its TTPs and targets. The ransomware binary is a 32-bit PE file created in the Rust programming language. Rust is chosen primarily for cross-platform functionality, which indicates that the latest Ransomware-as-a-Service (RaaS) model has the capability to build ransomware binaries that target multiple operating systems such as Windows and Linux.

As indicated in Figure 3, BlackCat Ransomware provides various options to the attacker. Using a command-based panel, the attacker can customize the payload and perform various malicious activities on the victim’s system. The access-token flag is required to execute the payload, and various anti-debugging tricks are present in the binary, making it difficult to debug.

Figure 3: Options Embedded within the Code

The ransomware offers a Verbose mode, which prints debug messages that help in understanding the infection. In this example, the Executable.exe --access-token -12345 -v command is used to run the ransomware on the victim’s system.

Figure 4: Verbose Mode

Upon execution, the ransomware reads the Machine GUID from the following registry key and then calls the WMIC command to get the UUID:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography 
  • wmic csproduct get UUID 

Once it has the GUID and UUID, the ransomware can generate a unique access token, which will then be used in the TOR URL shown below:

Hxxp://sty5r4hhb5oihbq2mwevrofdiqbgesi66rvxr5sr573xgvtuvr4cs5yd.onion/?access-key={Access-token}  

BlackCat also changes how symbolic links are evaluated, using the following commands to enable remote-to-local (R2L) and remote-to-remote (R2R) symbolic link evaluation, so that links can be followed when encrypting files locally and remotely.

  • cmd /c fsutil behavior set SymlinkEvaluation R2L:1 
  • cmd /c fsutil behavior set SymlinkEvaluation R2R:1 

The ransomware config file is embedded within the ransomware code, which contains all the details of the encryption process, as shown below.

Figure 5: Config File Embedded in the Ransomware

Based on the config file, Cyble Research labs was able to draw the following conclusions:

  • A public key is also embedded in the config file, which will be further used for encrypting the files. The config file also has the details of the ransom note extension, i.e., .7954i9.
  • The credentials are also stored in the config file, indicating that BlackCat ransomware targets specific organizations. We suspect that these credentials may be used to either gain administrator rights or to propagate BlackCat ransomware within the network.
  • The ransomware checks for services such as SQL, VSS, mepocs, etc., and terminates them if they are actively running in the system.
  • For smooth encryption on the victim’s device, the ransomware kills running processes such as Outlook, winword, notepad, etc.
  • Before initiating encryption, the ransomware checks and excludes specific folders from encryption – such as programdata, program files, Google.
  • The Ransomware also excludes specific files from encryption, such as autorun.inf, boot.ini, amongst others.
  • Specific extensions are also exempted from encryption – such as .exe, .cab, .msi, .dll.

The ransomware makes the following changes, which are enabled in the code:

  • "enable_network_discovery":true,
  • "enable_self_propagation":true,
  • "enable_set_wallpaper":true,
  • "enable_esxi_vm_kill":true,
  • "enable_esxi_vm_snapshot_kill":true,
  • "strict_include_paths":

BlackCat expressly excludes these files, folders, and extensions to avoid damaging any system-critical files. Victims will thus still have access to the affected device to pay the ransom, even after successful encryption.

As shown in Figure 6, the ransomware further mounts the hidden partitions and discovers the local drive’s details for its encryption. Additionally, the ransomware clears the Recycle Bin to ensure that the deleted files cannot be recovered.

Figure 6: Code to Mount Hidden Partitions and Local Drives

After this step, the ransomware deletes the shadow copies using the command shown below.

  • vssadmin.exe delete shadows /all /quiet 

The ransomware then proceeds to encrypt the files, changes their extension to .7954i9r, and drops a ransom note in every encrypted folder, as shown below.

Figure 7: Extensions of files being changed

The ransomware also changes the wallpaper and instructs the victims to follow the instructions mentioned in the ransom note to recover the encrypted files.

Figure 8: Changed Desktop Background

As shown below, the attackers have instructed their victims to visit the Onion link given in the ransom note by using the Tor browser to communicate with the TA to recover their files or pay the ransom.

Figure 9: Ransomware Note

The attackers embedded the Microsoft utility executable PsExec.exe within the ransomware code. PsExec is used to execute the ransomware and different payloads on other connected systems.

After the file encryption is complete, the ransomware clears the logs using the Microsoft tool Wevtutil.exe to ensure no traces are left behind.

Figure 10: Used Wevtutil.exe For Clearing Logs

Furthermore, BlackCat ransomware discovers all NetBIOS servers in the system to propagate itself within the affected network.
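
The command lines listed in this analysis (the --access-token launch, wmic csproduct get UUID, the fsutil SymlinkEvaluation changes, vssadmin shadow copy deletion and Wevtutil.exe log clearing) can be hunted for in process-creation telemetry. The Python sketch below is an added example, not code from Cyble or from the malware; the log format, host names, image paths, time window, threshold and the match on the wevtutil cl subcommand are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One pattern per behaviour named in the analysis. The wevtutil "cl"/"clear-log"
# subcommand is the tool's standard clear command; the page names only the tool.
RULES = {name: re.compile(rx, re.I) for name, rx in {
    "access_token_arg":     r"--access-token\b",
    "machine_uuid_query":   r"\bwmic(\.exe)?\s+csproduct\s+get\s+uuid\b",
    "symlink_eval_enabled": r"\bfsutil(\.exe)?\s+behavior\s+set\s+symlinkevaluation\s+r2[lr]:1\b",
    "shadow_copy_delete":   r"\bvssadmin(\.exe)?\s+delete\s+shadows\b",
    "event_log_clear":      r"\bwevtutil(\.exe)?\s+(cl|clear-log)\s+\S+",
}.items()}

# Constructed process-creation events: time|host|image|command line.
SAMPLE_EVENTS = r"""
2022-01-10T02:00:00Z|SRV-INV|C:\Windows\System32\wbem\WMIC.exe|wmic csproduct get UUID
2022-01-10T02:00:04Z|SRV-INV|C:\Windows\System32\vssadmin.exe|vssadmin list shadows
2022-01-10T03:30:00Z|SRV-BAK|C:\Windows\System32\vssadmin.exe|vssadmin delete shadows /for=D: /oldest
2022-01-10T09:14:02Z|WS-014|C:\Users\Public\Executable.exe|Executable.exe --access-token -12345 -v
2022-01-10T09:14:03Z|WS-014|C:\Windows\System32\wbem\WMIC.exe|wmic csproduct get UUID
2022-01-10T09:14:05Z|WS-014|C:\Windows\System32\cmd.exe|cmd /c fsutil behavior set SymlinkEvaluation R2L:1
2022-01-10T09:14:05Z|WS-014|C:\Windows\System32\cmd.exe|cmd /c fsutil behavior set SymlinkEvaluation R2R:1
2022-01-10T09:14:09Z|WS-014|C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
2022-01-10T09:31:40Z|WS-014|C:\Windows\System32\wevtutil.exe|wevtutil.exe cl Security
"""

def detect(log_text, window=timedelta(minutes=30), threshold=3):
    """Map host -> behaviours, for hosts showing >= threshold distinct
    behaviours inside one time window (both values are assumptions)."""
    hits = defaultdict(list)
    for line in filter(None, map(str.strip, log_text.splitlines())):
        ts, host, _image, cmd = line.split("|", 3)
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        hits[host] += [(when, n) for n, rx in RULES.items() if rx.search(cmd)]
    alerts = {}
    for host, events in hits.items():
        events.sort()
        for start, _ in events:
            # Distinct behaviours seen from this event until the window closes.
            seen = {n for t, n in events if timedelta(0) <= t - start <= window}
            if len(seen) >= threshold:
                alerts[host] = sorted(seen)
                break
    return alerts

if __name__ == "__main__":
    for host, behaviours in detect(SAMPLE_EVENTS).items():
        print(host, behaviours)
```

Requiring several distinct behaviours on one host keeps the inventory and backup servers in the sample, which each run a single matching command, out of the alerts.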

Additional Information

The BlackCat ransomware variant has been active since November 2021 and has leaked the data of over 25 victims on its site. Cyble Research labs has also observed that BlackCat is actively recruiting new affiliates to increase the scope of its attacks worldwide and to make the gang larger.

The group is also actively recruiting ex-REvil, BlackMatter, and DarkSide operators. Figure 11 shows the ongoing affiliation activity on the BlackCat gang’s page.

Figure 11: Activity on Dark Web

Conclusion  

After the arrest of a member of the famous ransomware group ‘REvil’ by Russian authorities, it is assumed that the REvil group will either divide, join other Ransomware-as-a-Service (RaaS) providers like BlackCat, or potentially even create a new ransomware gang.  

Our technical analysis indicates that the BlackCat ransomware uses a different modus operandi, both in the various tricks it uses to make debugging difficult and in its use of the Rust programming language. Additionally, we might see an increase in ransomware developed using Rust, as Rust supports cross-platform functionalities.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

Safety Measures Needed to Prevent Ransomware Attacks

  • Conduct regular backup practices and keep those backups offline or in a separate network.
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic. 
  • Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
  • Refrain from opening untrusted links and email attachments without verifying their authenticity.

Users Should Take the Following Steps After the Ransomware Attack

  • Detach infected devices on the same network.
  • Disconnect external storage devices if connected.
  • Inspect system logs for suspicious events.

Impacts And Cruciality of BlackCat Ransomware

  • Loss of Valuable data.
  • Loss of an organization’s reputation w.r.t. its reliability or integrity.
  • Loss of an organization’s business information.
  • Disruption in organization operation.
  • Economic loss

MITRE ATT&CK® Techniques

Tactic | Technique ID | Technique Name
Initial Access | T1078 | Valid Accounts
Execution | T1059 | Command and Scripting Interpreter
Privilege Escalation | T1548 | Abuse Elevation Control Mechanism
Defense Evasion | T1112 | Modify Registry
Defense Evasion | T1027 | Obfuscated Files or Information
Defense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools
Discovery | T1082 | System Information Discovery
Discovery | T1083 | File and Directory Discovery
Impact | T1490 | Inhibit System Recovery
Impact | T1489 | Service Stop
Impact | T1486 | Data Encrypted for Impact

Indicators Of Compromise (IoCs)

Indicators | Indicator type | Description
a186c08d3d10885ebb129b1a0d8ea0da056fc362 | SHA-1 | Malicious File.exe

