The BlackCat ransomware group, also known as ALPHV or Noberus, is a prolific and dangerous cybercriminal operation that emerged in mid-2021. They are considered one of the most disruptive ransomware groups currently active, responsible for hijacking and encrypting the networks of numerous organizations to extort hefty ransom payments.
BlackCat stands out for their technical sophistication, operational security, and ruthless tactics. They aggressively target large enterprises across multiple industries like healthcare, manufacturing, retail, and technology. The group compromises networks, encrypts files and systems, and threatens to leak stolen data unless ransoms up to millions of dollars are paid.
The BlackCat group poses a severe threat to businesses, critical infrastructure, and the economy. Their attacks have caused major disruptions, data breaches, and financial damages across North America and Europe. Understanding BlackCat’s methods and motivations provides crucial insight into modern ransomware operations.
Origins
The BlackCat ransomware group first emerged in November 2021 when they started targeting organizations across multiple industries and encrypting networks https://www.cisecurity.org/insights/blog/breaking-down-the-blackcat-ransomware-operation. While the origins and founders of BlackCat are unknown, researchers believe the group has links to the notorious REvil ransomware operation that disappeared in July 2021 after high-profile attacks against Kaseya and JBS https://en.wikipedia.org/wiki/BlackCat_(cyber_gang). Some analysts think BlackCat filled the void left by REvil, adopting similar tactics and ransom demands.
Notable Attacks
BlackCat first appeared in November 2021 and is responsible for several major ransomware attacks. In May 2022, they targeted the Costa Rican government and encrypted a number of systems including the Ministry of Finance and Ministry of Science and Technology (Source). According to reports, the hackers demanded $10 million in bitcoin as ransom (Source). In July 2022, BlackCat targeted an Australian electricity provider and threatened to leak sensitive customer data if the ransom wasn’t paid (Source).
Other major victims include a US agricultural company, a Japanese gaming company, and an Italian gas company. The gang typically demands large ransoms in the millions of dollars in cryptocurrency and threatens to publish stolen data if victims don’t pay up.
Victims
Since first emerging in mid-2022, BlackCat ransomware has targeted a wide range of organizations across multiple sectors. According to the FBI, BlackCat has hit at least 60 companies in the manufacturing, retail, healthcare, technology, and food and agriculture industries [1]. Some of the most notable victims include:
- JBS USA – One of the world’s largest meat processors
- Regal Cinemas – Movie theater chain with over 500 locations
- Optus – Major Australian telecommunications company
- Kronos – Workforce management software provider
BlackCat tends to target mid-size organizations, rather than large enterprises, likely viewing them as more vulnerable targets. The gang appears to cast a wide net across industries in multiple countries, researching victims’ finances to gauge how much they can extort.
Ransom Demands
According to the U.S. Department of Justice, the ALPHV/BlackCat ransomware group has made ransom demands totaling hundreds of millions of dollars from over 1,000 victims globally as of late 2022 (https://www.justice.gov/opa/pr/justice-department-disrupts-prolific-alphvblackcat-ransomware-variant). The FBI estimates that the group has raked in over $300 million in ransom payments paid in bitcoin as of September 2022 (https://www.bleepingcomputer.com/news/security/fbi-alphv-ransomware-raked-in-300-million-from-over-1-000-victims/).
Typical ransom demands from BlackCat range from several hundred thousand dollars to millions of dollars per victim, with the average ransom payment around $1.2 million. The gang primarily demands payment in bitcoin given the cryptocurrency’s perceived anonymity.
Affiliations
BlackCat has ties to other notorious ransomware groups like REvil. According to CISA, BlackCat is the successor to the REvil ransomware operation which emerged in 2019. Many researchers believe that core members of the REvil group joined BlackCat after REvil’s infrastructure was disrupted by law enforcement in 2021.
BlackCat uses the Ransomware-as-a-Service (RaaS) model like REvil, allowing independent affiliates to deploy the ransomware. However, BlackCat offers affiliates a larger share of profits (80-90%) compared to the typical 70% split for most RaaS operations. This generous revenue sharing likely helps BlackCat recruit skilled affiliates from other ransomware groups.
The BlackCat ransomware code also shares similarities with REvil and DarkSide, suggesting code reuse and collaboration between the groups. Overall, BlackCat has strong connections to major ransomware operations indicating an experienced criminal organization behind the group.
Tactics
BlackCat typically infiltrates networks through tactics like phishing emails containing malicious attachments or links. Once inside the network, they use tools like Cobalt Strike and Sliver to move laterally and escalate privileges to gain full control [1].
After gaining access, BlackCat deploys ransomware like BitLocker or their own “BlackCat” ransomware to encrypt files across the network. They exfiltrate data beforehand to use as leverage in ransom negotiations [2]. Their ransomware utilizes robust encryption algorithms to lock down files, making decryption without the key virtually impossible.
BlackCat often lurks within networks for weeks or months, gathering intelligence and ensuring maximum impact before deploying ransomware. Their operations require extensive planning and patience to infiltrate deep into target networks undetected.
Attribution
There is substantial evidence linking BlackCat ransomware to Russia. According to a CI Security report, BlackCat uses the Russian language in ransom notes and negotiations. Victimology also indicates a primary focus on Western countries, avoiding targets in former Soviet states. While BlackCat initially used the Russian hosting service Selectel, they have since moved infrastructure to Romania and Germany to avoid associations with Russia.
Researchers at Microsoft have identified overlaps in tactics, techniques, and procedures between BlackCat and previous Russia-linked ransomware groups like REvil and GandCrab. This suggests BlackCat may be a rebranding or continuation of earlier operations. The group is highly calculated, flexible, and adept at avoiding attribution. However, the preponderance of evidence indicates BlackCat originates from and is based in Russia, albeit with an international infrastructure footprint.
Impact
BlackCat ransomware attacks have had a significant financial impact on victim organizations. According to cybersecurity firm AdvIntel, BlackCat ransom demands observed in 2022 have ranged from $40,000 to $14 million, with an average demand of around $2.6 million [1]. They estimate that BlackCat has already extorted over $13 million from organizations globally.
One of the largest known BlackCat ransoms was paid by the agricultural equipment maker AGCO, which disclosed a $40 million loss related to a BlackCat attack in early 2022 [1]. Other major victims include the insurance provider CNA Financial, which suffered an estimated $40-60 million impact from a 2021 attack.
Overall, BlackCat’s combination of targeted ransomware attacks on large organizations and demands of millions of dollars per incident have added up to tremendous financial damages so far. As the group continues to operate, the overall economic impact is expected to grow.
Defense
Organizations can take several steps to protect themselves from BlackCat ransomware attacks. According to Microsoft, enabling multi-factor authentication, restricting admin privileges, and keeping systems patched and up-to-date can help prevent initial access by attackers (Microsoft). Segmenting networks and creating offline backups can also limit damage in the event of an attack. Sophos recommends proactively hunting for signs of BlackCat, such as Cobalt Strike beacons, to catch threats early on (Sophos). Ongoing security awareness training can help employees identify phishing attempts and other social engineering used to deliver ransomware. Overall, taking a defense-in-depth approach with layers of security controls makes organizations less vulnerable to sophisticated ransomware like BlackCat.
