What is BlackCat malware?

BlackCat malware, also known as ALPHV or Noberus, is a type of ransomware that first emerged in November 2021. It is considered one of the most dangerous and disruptive ransomware variants currently active. BlackCat ransomware works by encrypting files on infected systems and demanding a ransom payment in cryptocurrency from victims in exchange for the decryption key.

What are the main features of BlackCat ransomware?

Some of the key features and capabilities of BlackCat ransomware include:

  • Uses robust encryption algorithms like RSA-2048 and AES-256 to lock files
  • Targets both Windows and Linux systems
  • Leverages exploits like Log4Shell to gain access to networks
  • Employs techniques like process hollowing to evade detection
  • Steals sensitive data from victims before encrypting
  • Threatens to publish stolen data on leak sites if ransom isn’t paid
  • Has a ransomware-as-a-service (RaaS) model that allows affiliates to spread the malware
  • Demands large ransom payments often in the millions of dollars
  • Operates an extensive affiliate program to maximize infections

Overall, BlackCat exhibits sophisticated techniques more commonly seen in targeted ransomware campaigns by advanced cybercriminal groups. Its capabilities make it adept at compromising organizations across various industries and extracting sizable ransom payments.

How does the BlackCat ransomware infect systems?

BlackCat operators rely on a variety of tactics to infiltrate target networks and deploy their ransomware payload, including:

  • Phishing emails – Malicious email attachments or links that download the ransomware when clicked by users.
  • Exploits – Exploiting vulnerabilities like Log4Shell to compromise internet-facing systems.
  • RDP attacks – Brute forcing weak Remote Desktop Protocol (RDP) passwords.
  • Software vulnerabilities – Unpatched flaws in Internet-connected software to gain a foothold.
  • Credential stuffing – Attempting stolen username/password combos across different services.
  • Compromised credentials – Purchasing compromised admin credentials on the dark web.

Once inside an organization's network, BlackCat actors perform extensive reconnaissance, map out the environment, and use tools like Cobalt Strike to escalate privileges. They also employ "living off the land" techniques, using legitimate system administration tools so that their activity blends in with normal operations and avoids detection. This allows them to gain the elevated permissions needed to deploy ransomware across networks.
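The RDP brute-forcing listed above leaves a recognisable trace in Windows Security logs: many failed logons (Event ID 4625) from one source address in a short window, often cycling through different account names. The following is an added example written for this article, not code from the page or from any vendor's detection content. It applies a sliding-window threshold to constructed 4625/4624 records reduced to the fields the detection needs; the field names (Time, EventID, LogonType, Account, SourceIP) are an assumed flat format, not a real Windows export layout.

```python
"""Detect RDP password brute forcing from Windows failed-logon telemetry.

Added example for this article, not any vendor's detection content. Events are
constructed Windows Security Event ID 4625 records (failed logon) reduced to
the fields the detection needs.
"""
from collections import defaultdict, deque
from datetime import datetime, timezone

# Logon type 10 = RemoteInteractive (RDP). With Network Level Authentication
# enabled, failed RDP attempts are commonly logged as type 3 instead, so both
# are considered here.
RDP_LOGON_TYPES = {3, 10}


def parse_event(line: str) -> dict:
    """Parse one 'key=value key=value' event line into a dict (assumed flat format)."""
    fields = dict(part.split("=", 1) for part in line.split())
    fields["EventID"] = int(fields["EventID"])
    fields["LogonType"] = int(fields["LogonType"])
    fields["ts"] = datetime.strptime(fields["Time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return fields


def detect_rdp_bruteforce(lines, threshold=5, window_seconds=60):
    """Return alerts as (source_ip, failures_in_window, distinct_accounts, time).

    An alert fires the first time a source IP accumulates `threshold` failed
    RDP logons within a sliding window of `window_seconds`.
    """
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["ts"])
    recent = defaultdict(deque)   # source IP -> deque of (timestamp, account)
    alerted = set()
    alerts = []
    for ev in events:
        if ev["EventID"] != 4625 or ev["LogonType"] not in RDP_LOGON_TYPES:
            continue
        ip = ev["SourceIP"]
        q = recent[ip]
        q.append((ev["ts"], ev["Account"]))
        # Drop failures that fell out of the window.
        while (ev["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append((ip, len(q), len({acct for _, acct in q}), ev["ts"].isoformat()))
    return alerts


# Constructed sample telemetry; the addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Time=2023-03-05T01:00:01Z EventID=4625 LogonType=10 Account=administrator SourceIP=203.0.113.45
Time=2023-03-05T01:00:04Z EventID=4625 LogonType=10 Account=admin SourceIP=203.0.113.45
Time=2023-03-05T01:00:07Z EventID=4625 LogonType=3 Account=backup SourceIP=203.0.113.45
Time=2023-03-05T01:00:10Z EventID=4625 LogonType=3 Account=sqlsvc SourceIP=203.0.113.45
Time=2023-03-05T01:00:13Z EventID=4625 LogonType=10 Account=test SourceIP=203.0.113.45
Time=2023-03-05T01:00:16Z EventID=4625 LogonType=10 Account=guest SourceIP=203.0.113.45
Time=2023-03-05T01:02:00Z EventID=4625 LogonType=10 Account=jdoe SourceIP=198.51.100.7
Time=2023-03-05T01:02:30Z EventID=4624 LogonType=10 Account=jdoe SourceIP=198.51.100.7
Time=2023-03-05T01:03:00Z EventID=4625 LogonType=2 Account=jdoe SourceIP=127.0.0.1
""".splitlines()

if __name__ == "__main__":
    for ip, failures, accounts, when in detect_rdp_bruteforce(SAMPLE_LOG):
        print(f"{when} possible RDP brute force from {ip}: "
              f"{failures} failures across {accounts} accounts")
```

On the sample data only the 203.0.113.45 burst trips the rule (five failures in twelve seconds across five account names); the single mistyped password from 198.51.100.7 followed by a successful 4624 does not. The distinct-account count is what separates password spraying from one user locked out of their own account, so it is worth carrying into the alert rather than just the raw failure count.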

What systems does BlackCat ransomware target?

BlackCat ransomware is designed to infect a broad range of systems and devices, including:

  • Windows servers
  • Linux servers and systems
  • Virtualized environments
  • Cloud infrastructure
  • Active Directory
  • Database servers
  • Email servers
  • File shares
  • Network-attached storage (NAS) devices
  • Laptops and desktops

Essentially any system that contains mission-critical data or files, or that provides access to core infrastructure, makes an attractive target for BlackCat. Its wide compatibility across different systems and environments makes it a highly flexible ransomware threat.

What data does BlackCat ransomware encrypt?

BlackCat will attempt to encrypt as many critical files and data as possible on compromised systems. File types targeted include:

  • Office documents
  • PDFs
  • Images
  • Videos
  • Databases
  • Backups
  • Archives
  • Source code
  • Emails
  • Web files

The malware recursively scans local drives, mapped network shares, and connected storage devices to encrypt hundreds of different file extensions. BlackCat will also attempt to disable Windows System Restore and delete Volume Shadow Copies to block recovery of files. The result is the complete disruption of victim networks and operations.

What is the typical ransom demand for BlackCat?

BlackCat threat actors tailor their ransom demands based on the profile, size, and perceived revenue of the victim organization. Some of the record ransom amounts include:

  • $14 million from an unspecified US critical infrastructure organization
  • $5.9 million from Portuguese media conglomerate Impresa
  • $5 million from Australian logistics firm Toll Group
  • $3 million from French IT services firm Sopra Steria

Small and mid-sized businesses typically receive ransom demands between $50,000 and $150,000. The larger the organization, the higher the ransom, since BlackCat knows they can afford it and have more incentive to pay quickly to resume operations.

How do BlackCat ransom payments and negotiations work?

BlackCat operators communicate with victims through their ransomware portal and ransom note left on infected systems. Victims are instructed to contact the threat actors through the portal or via email to negotiate the ransom payment. Key aspects of BlackCat ransom negotiations include:

  • Threat actors initially offer a time sensitive “discounted” payment price that increases later.
  • Ransoms demanded in Monero (XMR) cryptocurrency.
  • BlackCat starts negotiations high and gradually reduces the demanded payment.
  • Victims can ask for proof of data theft or decryption capabilities.
  • Negotiations conducted via ransomware portal chat or email.
  • Payments made via cryptocurrency to anonymous wallet addresses.

BlackCat actors pressure victims by threatening to leak stolen data to increase the likelihood of payment. However, even after paying, decryption of data is not guaranteed. Victims must carefully evaluate if payment is worth the risks involved.

Does BlackCat exfiltrate and leak victim data?

A hallmark of BlackCat is that it not only encrypts but also exfiltrates sensitive documents, files, and data from compromised networks before encrypting devices. The malware has numerous capabilities to gather and steal data including:

  • Screenshot capture
  • File crawling and scraping
  • Database and email theft
  • Gathering of passwords/credentials

If victims refuse to pay the ransom, BlackCat threat actors threaten to leak the stolen data on their public leak site to pressure them into paying. Sensitive data exposure enables further extortion and damage to brands beyond just the encryption impact. BlackCat also offers data deletion as a paid service following ransom payment.

What leak sites does BlackCat use to pressure victims?

BlackCat uses a few known leak sites to publish stolen victim data as leverage if ransom demands aren’t met. Active leak sites associated with BlackCat include:

  • BlackCat Leaks
  • Everest Leaks
  • BlackMatter Leaks

New sites also frequently appear following website takedowns or disruptions. BlackCat will send victims the link to their specific page on the leak site containing their data if payments are not received in time. Some victims have had over 100GB of confidential data posted publicly to these sites.

Who are the threat actors behind BlackCat?

Researchers have linked the developers behind BlackCat ransomware to previous notorious ransomware operations including:

  • REvil
  • GandCrab
  • DarkSide
  • BlackMatter

Many members of these previous ransomware cartels are believed to have regrouped under BlackCat. Their technical capabilities and ransomware frameworks have also progressed and evolved from these older groups. The ransomware is primarily developed and operated by Russian-speaking cybercriminals based out of Russia or countries allied with Russia.

Why is BlackCat a Ransomware-as-a-Service (RaaS)?

BlackCat operates on a Ransomware-as-a-Service (RaaS) model to maximize its reach. Under this model:

  • BlackCat developers create and maintain the malware toolset.
  • Affiliates or partners pay to utilize the ransomware code and infrastructure.
  • Affiliates attack organizations and deploy the ransomware payload.
  • BlackCat administrators oversee the program and ransom negotiations.
  • Ransom payments are split between the operators and affiliates.

This distributed criminal franchise model provides the developers recurring revenue streams while enabling wide distribution of the ransomware globally. Dozens of BlackCat affiliates are active globally, enabled by the RaaS structure.

What is BlackCat’s affiliate program structure?

BlackCat manages an extensive network of affiliate partners through its ransomware-as-a-service program. Details on BlackCat’s affiliate program structure include:

  • Multi-tiered program with Entry, Standard, and VIP levels for affiliates.
  • Partners pay up to $100K for access to BlackCat ransomware capabilities.
  • Affiliates receive a 75-90% cut of ransom payments depending on tier.
  • Custom malware builder & dashboard provided to tailor attacks.
  • Extensive targeting profiles provided for affiliates.
  • Access to money laundering services to cash out crypto.
  • Technical support & updates provided by BlackCat developers.

This affiliate-driven approach provides BlackCat with an army of cybercriminals that can execute targeted ransomware campaigns globally and funnel revenue back to the central BlackCat organization.

How does BlackCat evade detection?

BlackCat employs various tactics to avoid detection and analysis including:

  • Custom packers/obfuscators to avoid signature-based detection.
  • Disabling security tools using built-in capabilities or legitimate admin tools like PowerShell.
  • Living off the land techniques that leverage approved sysadmin software.
  • Access brokers that trade in compromised admin accounts and access.
  • Rapid iteration of ransomware payloads if detection occurs.
  • Noisy attacks against other firms to mask true target.
  • Persisting via legitimate software like Docker containers.
  • Frequent use of new infrastructure for command and control (C2).

BlackCat also heavily leverages exploitation of unpatched software vulnerabilities to evade detection. This allows them to bypass security controls and establish deeper footholds in target environments.

What tactics does BlackCat use to maximize impact?

Some examples of the tactics BlackCat deploys to maximize damage done to victims include:

  • Multi-stage ransomware deployment to disable defenses before encrypting.
  • Lateral movement tools like BloodHound to map trusted relationships in Active Directory.
  • Deleting Volume Shadow Copies to block Windows restore points.
  • Stopping databases, email, backups and other processes before encrypting.
  • Brute forcing admin accounts with tools like Mimikatz.
  • Exfiltrating data for additional extortion leverage.
  • Trojanizing software repositories like Visual Studio projects via supply chain attacks.
  • Encrypting cloud-based backups and storage if accessible.

BlackCat will spend weeks or more probing target environments and establishing backdoors before deploying ransomware payloads across networks. This maximizes damage and leverage over victims during ransom negotiations.
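Both the file-encryption section above (disabling System Restore and deleting Volume Shadow Copies) and the impact tactics just listed come down to a short set of recovery-inhibition commands that are easy to spot in process-creation telemetry, and they usually run minutes before encryption starts, so they are one of the last high-confidence signals a defender gets. The following detection is an added example written for this article, not BlackCat's code or any vendor's rule. The command patterns are the widely documented shadow-copy and boot-recovery tampering commands (MITRE ATT&CK T1490); the events are constructed Sysmon-style records, not real victim data.

```python
"""Flag process-creation events that inhibit system recovery (MITRE ATT&CK T1490).

Added example for this article, not BlackCat's own code or any vendor's rule.
The command patterns are the widely documented shadow-copy / System Restore
tampering commands; the sample events are constructed for this demo.
"""
import re
from dataclasses import dataclass

# Each rule: (name, compiled regex applied to the lower-cased command line).
RECOVERY_INHIBITION_RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("vssadmin_resize_storage",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b")),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)")),
    ("wbadmin_delete_catalog",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b")),
    ("powershell_remove_shadowcopy",
     re.compile(r"win32_shadowcopy.*(remove-wmiobject|\.delete\(\))")),
]


@dataclass
class ProcessEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style)."""
    timestamp: str
    host: str
    user: str
    parent_image: str
    command_line: str


def match_rules(command_line: str) -> list:
    """Return the names of all rules matching a single command line."""
    cl = command_line.lower()
    return [name for name, rx in RECOVERY_INHIBITION_RULES if rx.search(cl)]


def detect_recovery_inhibition(events):
    """Return (host, timestamp, rule_names) for every event that matches a rule."""
    findings = []
    for ev in events:
        hits = match_rules(ev.command_line)
        if hits:
            findings.append((ev.host, ev.timestamp, hits))
    return findings


# Constructed sample telemetry; hostnames and accounts are invented.
SAMPLE_EVENTS = [
    ProcessEvent("2023-01-10T02:14:07Z", "FS01", "CORP\\svc_backup", "C:\\Windows\\explorer.exe",
                 "vssadmin.exe list shadows"),                       # benign enumeration
    ProcessEvent("2023-01-10T02:14:09Z", "FS01", "CORP\\admin", "C:\\Windows\\System32\\cmd.exe",
                 "vssadmin.exe Delete Shadows /All /Quiet"),
    ProcessEvent("2023-01-10T02:14:11Z", "FS01", "CORP\\admin", "C:\\Windows\\System32\\cmd.exe",
                 "bcdedit /set {default} recoveryenabled No"),
    ProcessEvent("2023-01-10T02:14:12Z", "DB02", "CORP\\admin", "C:\\Windows\\System32\\cmd.exe",
                 "wmic shadowcopy delete"),
    ProcessEvent("2023-01-10T02:15:00Z", "WS17", "CORP\\jdoe", "C:\\Windows\\explorer.exe",
                 "notepad.exe C:\\Users\\jdoe\\notes.txt"),
]

if __name__ == "__main__":
    for host, ts, hits in detect_recovery_inhibition(SAMPLE_EVENTS):
        print(f"{ts} {host}: {', '.join(hits)}")
```

Matching is done on the lower-cased command line so that case variations such as `Delete Shadows` are caught, and `vssadmin list shadows` deliberately does not fire, because backup agents run it routinely. In production the same matches would be enriched with the parent process and user: shadow-copy deletion launched from `cmd.exe` under an interactive admin account a few seconds after a `bcdedit` change is the pattern worth paging on.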

What industries are most targeted by BlackCat?

BlackCat threat actors often focus on targets perceived as more likely or capable of paying large ransom amounts. Most targeted sectors include:

  • Healthcare
  • Financial services
  • Insurance firms
  • Manufacturing
  • Technology
  • Retail
  • Government contractors
  • Education
  • Energy
  • Transportation

However, any organization with valuable data or operations is at risk. Mid-sized targets with weaker security are appealing for quick profits, while ransom demands scale higher for larger firms.

What are examples of BlackCat attacks?

Major confirmed attacks attributed to BlackCat ransomware include:

  • Scottish Environment Protection Agency (SEPA) – 1.2TB of data stolen and leaked online
  • Avon and Somerset Police – Force declared a major incident after infection
  • Portuguese media firm Impresa – $5.9 million ransom demanded
  • Toll Group – Over 100GB of data leaked after refusing $5 million demand
  • The Kenyan Ministry of Foreign Affairs – Services disrupted across multiple government agencies

Hundreds of other attacks have likely occurred but gone unreported. BlackCat has quickly become one of the most prolific and destructive ransomware variants since first appearing in November 2021.

How much financial damage has BlackCat caused?

Precise damage totals are unknown, but BlackCat is likely responsible for millions in ransom payments and recovery costs including:

  • Over $150 million in cryptocurrency ransom demands made.
  • Average ransom payment over $2 million.
  • At least $20 million in ransom paid by reported victims.
  • Tens of millions more in unreported ransom payments likely made.
  • Recovery costs per victim averaging in the millions.
  • $1.2 billion in damages predicted in first year by Cybereason.

Beyond immediate ransom costs, data breaches and business disruption sparked by BlackCat inflict ongoing financial harm through lost sales, customers, and costs of rebuilding systems and operations.

Can encrypted files be recovered without paying BlackCat ransom?

For most victims, decrypting files without the BlackCat threat actors providing the decryption key is difficult. Options include:

  • Restore from backups if they were not also compromised, though truly offline backups are rare.
  • Hire a decryption firm, though success rates are very low.
  • Wait for threat actors to release universal keys if the operation shuts down.
  • Monitor ransomware research sites for leaked keys.
  • Format and rebuild systems, then restore data from backups.
  • Use file recovery tools, which yield partial data but incomplete results.

Unfortunately, most victims have no alternative but to hope threat actors provide working decryption tools if the ransom is paid. This is why maintaining offline backups is critical as the most reliable path to restore encrypted files.
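The first option above only works if the backup set itself survived intact, and the impact tactics earlier in this article note that BlackCat will encrypt reachable backups and cloud storage. A simple control is to record a hash manifest of each backup set and keep that manifest offline, so that before a restore the set can be checked for files that were overwritten, renamed or removed. The following is an added example written for this article, not any backup product's code: it builds and verifies a SHA-256 manifest over a constructed backup set in a temporary directory, then simulates tampering to show what the check reports. The `.locked` extension used in the simulation is a hypothetical placeholder, not BlackCat's.

```python
"""Verify a backup set against a previously recorded SHA-256 manifest.

Added example for this article, not any backup product's code. It shows how an
offline, write-protected manifest lets a defender confirm that backup files
were not altered (for example, overwritten by ransomware) before restoring.
The backup files are constructed in a temporary directory.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup images do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each relative file path under root to its SHA-256 digest."""
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the backup set on disk with the stored manifest.

    Returns {"modified": [...], "missing": [...], "unexpected": [...]}; three
    empty lists mean the set matches the manifest exactly.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo() -> dict:
    """Create a small constructed backup set, record a manifest, then simulate tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "db").mkdir()
        (root / "db" / "customers.sql").write_bytes(b"CREATE TABLE customers (id INT);\n")
        (root / "payroll.xlsx").write_bytes(b"constructed spreadsheet bytes")
        manifest = build_manifest(root)   # in practice, written to offline/immutable storage
        clean = verify_backup(root, manifest)
        assert clean == {"modified": [], "missing": [], "unexpected": []}
        # Simulate an encrypted backup share: contents overwritten, one file renamed
        # with a hypothetical ".locked" extension (placeholder, not a real indicator).
        (root / "payroll.xlsx").write_bytes(os.urandom(64))
        (root / "payroll.xlsx").rename(root / "payroll.xlsx.locked")
        (root / "db" / "customers.sql").write_bytes(os.urandom(64))
        return verify_backup(root, manifest)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Against the simulated tampering the check reports `db/customers.sql` as modified, `payroll.xlsx` as missing and `payroll.xlsx.locked` as unexpected, which is exactly the signature of a backup set that was reachable from the compromised network. The manifest is only useful if an intruder with write access to the backups cannot also rewrite it, so store it on immutable or offline media and verify it with a trusted copy of the tool.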

Conclusion

BlackCat has quickly emerged as one of the most aggressive and damaging ransomware threats lurking today. Its flexible RaaS model and extensive affiliate program enable it to successfully target enterprises globally at scale. Robust encryption combined with double extortion tactics via data theft provide BlackCat and its affiliates massive leverage to coerce victim organizations. Thwarting BlackCat requires a defense-in-depth approach combining threat hunting, endpoint security, patch management, backups, credential hygiene, and user education.