What tools are used in BlackCat ransomware?

BlackCat ransomware, also known as ALPHV or Noberus, has been making headlines recently as a dangerous new threat targeting businesses worldwide. This ransomware uses robust encryption to lock up victims’ files and demands large ransoms, often millions of dollars, for the decryption key. Understanding the tools and techniques used by BlackCat can help organizations better defend against this emerging threat.

Ransomware is a type of malware that encrypts files on infected systems and demands payment for the decryption key. BlackCat is a form of ransomware-as-a-service (RaaS), where developers create the malware and then rent it out to affiliates or partners who distribute it. These affiliates split any ransom profits with the malware developers.

First surfacing in November 2021, BlackCat has been ramping up attacks on organizations globally throughout 2022. It has already impacted high-profile companies such as Olympus, the electronics manufacturer, and Continental, the German automotive supplier. What makes BlackCat dangerous is its combination of robust encryption paired with the ability to quickly spread across networks.

Like other advanced ransomware operations, BlackCat utilizes a range of tools and techniques at different stages of the attack. Understanding these methods can help organizations implement security measures to protect themselves against compromise.

Initial Access Tools

BlackCat affiliates gain initial access to target networks through a variety of tools and exploits. Some common methods include:

  • Phishing emails with malicious attachments or links
  • Exploiting public-facing vulnerabilities such as unpatched VPNs or software
  • Purchasing access from third-parties on cybercrime forums
  • Obtaining stolen RDP credentials and logging in remotely

Phishing is a tried-and-true technique used by many threat actors. Emails are carefully crafted to appear legitimate, luring users to enable macros, download files, or click links that result in malware installation. VPN vulnerabilities are also heavily targeted, taking advantage of unpatched devices to gain a foothold.

Once inside the network, attackers use tools like Cobalt Strike and PowerShell to move laterally, escalate privileges, and carry out reconnaissance. Their goal is to map out the network, identify critical systems and data, and plant ransomware on as many devices as possible.

Ransomware Deployment

When the attackers are ready to deploy the ransomware, they use various tools and scripts to automate and speed up the encryption process. Some of the key tools used by BlackCat include:

  • PowerShell – Used for executing commands, carrying out tasks, and spreading the ransomware
  • Batch scripts – Automates ransomware execution across large numbers of devices
  • Mimikatz – Extracts account credentials from memory to enable lateral movement
  • PsExec – Enables executing processes on remote systems
  • Procdump – Dumps memory of running processes, used for privilege escalation

By scripting many of the routine tasks, the attackers can infect thousands of endpoints rapidly across an organization’s network. The ransomware encrypts local files as well as network shares that the infected devices have access to.

Ransomware Payload

The core component that does the actual encryption is the BlackCat ransomware executable. Like other ransomware strains, it utilizes robust symmetric encryption algorithms to lock files. Based on analysis by security researchers, BlackCat ransomware has used the following encryption modules:

  • AES-256 – The AES algorithm with a 256-bit key
  • Diffie-Hellman – Used for exchanging encryption keys
  • RSA-2048 – The RSA algorithm with a 2048-bit key

This combination of strong encryption makes it virtually impossible for organizations to recover their data without the decryption key. The malware deletes volume shadow copies and disables Windows recovery tools to prevent easy file restoration.

In addition to encrypting files, the BlackCat ransomware also installs a malicious service on infected Windows systems. This service persists across reboots, contains the encryption keys, and communicates with the attacker’s command and control servers.

Command and Control Infrastructure

BlackCat ransomware utilizes a network of command and control (C2) servers hosted on compromised machines and bulletproof hosting providers. Some known hosts used for C2 include:

  • leakage[.]me
  • walkerwalker[.]cyou
  • luxuryhotel[.]czweb[.]org

The C2 infrastructure has the following functions:

  • Issuing commands to infected machines
  • Collecting status updates and data from victims
  • Storing encryption keys
  • Facilitating payment and key exchange

Even if organizations block outbound connections to the attacker’s C2 servers, the malicious service on the infected hosts contains the encryption keys locally. Payment is required to obtain a decryptor application along with keys that can unlock files.

Ransom Demands

BlackCat introduces itself to victims via a ransom note left on infected systems with instructions on contacting the threat actors. Initial access brokers may customize parts of the note, but the payment flow uses the same Bitcoin wallets.

The ransom demands seen from BlackCat are among the highest of any ransomware variant, with amounts in the millions of dollars. The gang bases demands on metrics like the number of encrypted devices, the sensitivity of data, and the size/wealth of the organization.

Some examples of known BlackCat ransoms include:

Victim         Ransom Demand
Continental    $50 million
Olympus        $80 million
MediaMarkt     $240 million

In addition to the ransom, the attackers may threaten to publish or auction stolen data if the demand is not paid. This pressures victims to pay quickly before sensitive files are leaked online.

Affiliate Structure

BlackCat operates via a ransomware-as-a-service model. Developers maintain the malware codebase, infrastructure, payment systems, and victim support. Partners or affiliates conduct attacks and earn a cut of any ransoms.

Affiliates gain access to BlackCat via vetted cybercrime forums. They pay monthly fees for access to the latest malware builds, tools, updates, and support. The discounted pricing early on helped the ransomware scale out rapidly.

Experienced groups can earn millions per successful deployment. As a result, BlackCat has been able to recruit skilled attackers motivated by the high profit potential. The developers themselves take around 25% of ransom payments.

Victim Identification

BlackCat affiliates utilize a range of techniques for identifying high-value targets. These include:

  • Scanning the internet for vulnerable platforms
  • Purchasing access to compromised networks
  • Obtaining insider data from employees or partners
  • Targeting managed IT providers and supply chains

The complex targeting process focuses on organizations likely to pay significant ransoms based on analysis of their cyber insurance, revenues, industry sector, security posture, and geographic location.

Evasion Capabilities

BlackCat utilizes various tactics to evade detection and analysis. These include:

  • Custom packers and crypters to obfuscate payloads
  • Anti-analysis checks for sandboxes and debugging tools
  • Disabling security software using built-in exploits
  • Spreading laterally across networks before deploying ransomware
  • Utilizing legitimate remote access tools to hide malicious activity

Frequent updates to the malware code and infrastructure also limit defenders’ ability to develop effective countermeasures. The constant evolution of tactics makes BlackCat a challenging threat to combat.

Conclusion

BlackCat proves that ransomware remains a severe threat, especially for large enterprises storing sensitive data. This RaaS operation combines robust encryption with sophisticated tools and infrastructure to carry out highly impactful attacks.

Defending against BlackCat requires a multi-layered approach:

  • Patching vulnerabilities that enable initial access
  • Using EDR tools to detect ransomware activity
  • Isolating and segmenting networks to limit spread
  • Backing up data and testing restores
  • Monitoring for IOCs associated with BlackCat
  • Conducting exercises to test incident response plans
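Two of the defensive points above, monitoring for BlackCat IOCs and detecting ransomware activity with endpoint telemetry, can be illustrated with a small triage script. This is an added example, not code from the article or from any vendor: it scans constructed Sysmon-style key=value log lines (assumed format) for the shadow-copy deletion behaviour described in the Ransomware Payload section and for DNS lookups of the C2 hosts listed under Command and Control Infrastructure.

```python
import re

# Command-line patterns for the payload behaviour the article describes:
# deleting volume shadow copies before encryption (MITRE ATT&CK T1490).
RECOVERY_TAMPER_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
]

# The C2 hosts named in the article, with the defanging brackets removed.
BLACKCAT_C2_HOSTS = {"leakage.me", "walkerwalker.cyou", "luxuryhotel.czweb.org"}

# key=value or key="quoted value" fields; the log format is an assumption.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample telemetry (not real data): Sysmon EventID 1 is process
# creation, EventID 22 is a DNS query.
SAMPLE_LOG = r"""
EventID=1 Host=WS01 Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin.exe delete shadows /all /quiet"
EventID=1 Host=WS01 Image=C:\Windows\System32\wbem\WMIC.exe CommandLine="wmic shadowcopy delete"
EventID=1 Host=WS02 Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe report.txt"
EventID=22 Host=WS02 QueryName=walkerwalker.cyou
EventID=22 Host=WS03 QueryName=update.microsoft.com
"""

def parse_event(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def is_c2_host(name):
    """Exact or subdomain match against the known C2 host list."""
    name = name.lower().rstrip(".")
    return any(name == h or name.endswith("." + h) for h in BLACKCAT_C2_HOSTS)

def scan(log_text):
    """Return (host, reason) tuples for every event matching a detection."""
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_event(raw)
        if not ev:
            continue  # blank or unparseable line
        if ev.get("EventID") == "1":
            cmd = ev.get("CommandLine", "")
            if any(p.search(cmd) for p in RECOVERY_TAMPER_PATTERNS):
                alerts.append((ev["Host"], "recovery-tampering: " + cmd))
        elif ev.get("EventID") == "22" and is_c2_host(ev.get("QueryName", "")):
            alerts.append((ev["Host"], "dns-to-known-c2: " + ev["QueryName"]))
    return alerts

if __name__ == "__main__":
    for host, reason in scan(SAMPLE_LOG):
        print(host, reason)
```

In production the same matching would run against the SIEM's process-creation and DNS event streams rather than an inline string, and the IOC set would be refreshed from current threat intelligence.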

Staying ahead of the constantly evolving threat landscape is crucial. Leveraging threat intelligence, advanced security controls, and expert guidance provides the best chance to mitigate the business risks posed by BlackCat.