Who is behind BlackCat ransomware?

by
Who is behind BlackCat ransomware

BlackCat ransomware, also known as ALPHV, first appeared in November 2021 and has quickly become one of the most prolific and disruptive ransomware strains. BlackCat operates as Ransomware-as-a-Service (RaaS), meaning affiliates conduct attacks and share profits with the core developers. BlackCat has already targeted dozens of organizations worldwide, encrypting files and demanding huge ransoms to decrypt them.

What is BlackCat ransomware?

BlackCat is a form of malware that encrypts an organization’s files and renders them inaccessible until a ransom is paid. It is a variant of the DarkSide ransomware that was used in the Colonial Pipeline attack in 2021. Like other ransomware, BlackCat spreads through phishing emails, unpatched software vulnerabilities, and other vectors to gain access to corporate networks.

Once inside, BlackCat seeks out and encrypts valuable data files across the network. It deletes backups and disables security tools to make recovery more difficult. The ransomware leaves a ransom note with instructions for contacting the threat actors to negotiate payment. Demands are usually in cryptocurrency and can range from hundreds of thousands to millions of dollars.

BlackCat is considered “double extortion” because the criminals also threaten to publish exfiltrated data on leak sites if the ransom isn’t paid. This extra pressure encourages victims to pay up quickly before sensitive documents are leaked online.

BlackCat’s capabilities

  • Encrypts hundreds of different file types on Windows and Linux systems
  • Utilizes robust encryption algorithms, including RSA-2048, AES-256, etc.
  • Disables over 90 different security processes and tools
  • Spreads rapidly across networks by exploiting vulnerabilities
  • Exfiltrates data prior to encryption for double extortion
  • Threat actors communicate via TOR sites to arrange ransom payments

Who created BlackCat?

BlackCat is the work of experienced, high-level cybercriminals likely based in Eastern Europe or Russia. Specific individuals are unknown due to the nature of ransomware gangs:

  • Core developers create the ransomware payload and manage operations.
  • Affiliates compromise networks and deploy the ransomware code.
  • “Cash-out” specialists launder cryptocurrency ransom payments.
  • All participants use hacker aliases and cybersecurity tools to hide identities.

Experts assess BlackCat was created by core members of the defunct DarkSide ransomware gang. DarkSide shut down after the Colonial Pipeline attack drew law enforcement pressure. The developers simply rebranded their malware as “BlackCat” and resumed criminal activity.

Ties between BlackCat and DarkSide

  • BlackCat emerged just weeks after DarkSide closed up shop.
  • Both are Ransomware-as-a-Service (RaaS) platforms.
  • Very similar code, encryption methods, and victim targeting.
  • BlackCat ransom notes reference DarkSide in early attacks.
  • Use similar methods for affiliates to submit victim data and negotiate ransoms.

DarkSide itself was an offshoot of another prolific ransomware strain called REvil. It’s common for threat actors to rebrand and spin off new operations from existing cybercrime groups.

How does BlackCat operate?

BlackCat operates according to the Ransomware-as-a-Service model which delegates tasks across various groups:

Developers

  • Design advanced ransomware payloads tailored for specific victims
  • Operate the leak sites and ransom payment infrastructure
  • Recruit experienced affiliates to join the program
  • Provide encryption tools, backdoors, credential stealers to affiliates

Affiliates

  • Gain access to corporate networks through phishing, exploits, stolen VPN credentials etc.
  • Perform reconnaissance and identify high-value data to target
  • Deploy ransomware payloads across entire networks
  • Negotiate ransom payments directly with victims

Money Launderers

  • Manage cryptocurrency wallets to receive ransom payments
  • Obfuscate transactions through mixers and exchanges
  • Cash out cryptocurrency into hard currency
  • Take a cut and forward remaining profits to developers and affiliates

This division of duties enables extensive targeting while protecting the core developers. Affiliates take the biggest risks infiltrating networks and deploying the malware. Cryptocurrency enables anonymous ransom payments that are difficult for law enforcement to track.

Who does BlackCat target?

BlackCat exhibits extremely sophisticated operational security and mainly targets large corporations with ample resources to pay ransoms. Victims include:

  • Critical infrastructure like power plants, gas providers, water utilities
  • Industrial manufacturers, technology companies
  • Logistics and transportation providers
  • HR, payroll, accounting, legal firms
  • Hospitals, pharmaceutical companies, medical labs
  • Insurance, real estate firms
  • Oil and gas companies

Any organization with sensitive data and the financial means to pay 5-10 million dollar ransoms is a potential target. The gang is highly selective about victims and extensively researches networks before deploying ransomware. Botnets, email security gaps, and weak VPNs provide access vectors.

Notable BlackCat attacks

Some high-profile organizations hit by BlackCat ransomware so far include:

Continental AG – Automotive Manufacturer

  • German automotive parts supplier compromised in August 2022
  • Forced to shutdown plants impacting Toyota, Jaguar Land Rover
  • Estimated damages over $200 million from lost revenues
  • Files related to R&D, software code were encrypted
  • Company stated it would not pay the ransom

MediaMarkt – Electronics Retailer

  • Europe’s largest retailer of consumer electronics
  • BlackCat attack encrypted servers in Netherlands in July 2022
  • POS systems disrupted, many stores unable to process payments
  • Threat actors demanded $240 million ransom in Monero
  • No evidence MediaMarkt paid, but costs to rebuild IT systems expected to be high

Axel Springer – Publishing Company

  • Major German publishing company hit in December 2021
  • Encrypted systems rendered editorial systems inaccessible
  • Employees told to work from paper until restored from backups
  • Experts estimated attack cost company upwards of $100 million

Dozens of other major corporations worldwide have also been impacted by BlackCat attacks. Targets span at least 15 countries across North and South America, Europe, Middle East, and Asia.

How much does BlackCat ransomware cost victims?

BlackCat threat actors tailor ransom demands based on the victim’s size and ability to pay. Reported demands range from a few hundred thousand dollars up to $14 million. A few examples of known ransoms:

Victim Ransom Demand
Continental AG $50 million
MediaMarkt $240 million
Singapore’s Urban Redevelopment Authority $3 million
Irish Health Service Executive $20 million

In addition to the ransom, victims face costs from business outages, rebuilding networks, lost revenues, and mitigation efforts. For example, the Ireland attack caused over $600 million in total damages beyond the $20 million ransom.

Many victims opt to pay the ransom to regain access quickly rather than endure a prolonged outage. BlackCat claims to have received over $150 million in ransom payments between late 2021 and mid 2022.

Ransomware profits fuel more crime

Huge ransom payouts enable BlackCat developers to refine code, recruit more affiliates, and ultimately launch more frequent, disruptive attacks worldwide. Global losses from ransomware could exceed $265 billion by 2031 as the criminal business model continues to prove extremely lucrative.

Is BlackCat ransomware contagious?

BlackCat does not self-replicate like viruses or worms. However, once inside a network, affiliates actively work to increase the scope of encryption across systems. Initial access via phishing or a vulnerability provides a foothold to then:

  • Steal credentials and move laterally across the network
  • Compromise critical servers like Active Directory, DNS, etc.
  • Deploy ransomware payloads to all connected endpoints

So while BlackCat itself is not contagious, the methods affiliates use to traverse networks and deploy the ransomware enables it to infect large numbers of systems at speed. Entire corporations can be brought down in hours before defenses are able to react.

Minimizing spread of infection

Organizations can take technical and administrative steps to hamper the ability of BlackCat to propagate across their networks:

  • Segment networks and restrict excessive user permissions
  • Promptly patch software vulnerabilities
  • Deploy endpoint and network monitoring tools
  • Back up critical data regularly
  • Develop incident response plans for ransomware
  • Educate staff to identify potential phishing attempts

Is it possible to decrypt BlackCat ransomware?

BlackCat utilizes robust and widely trusted encryption algorithms, including:

  • RSA-2048, RSA-4096 for asymmetric encryption of the AES keys
  • AES-256 to encrypt files and data

Combined with long random encryption keys, cryptanalysis to break these algorithms is not considered feasible using current computing capabilities. That leaves organizations with three options:

1. Restore from backups

If unencrypted backups are available, systems and data can be restored to undo the damage. But BlackCat often deletes or encrypts accessible backups as part of an attack.

2. Rebuild systems

Critical systems may need to be rebuilt from scratch and software reinstalled. Data that was properly backed up externally can then be reloaded.

3. Pay the ransom

Providing threat actors with the ransom payment in cryptocurrency will result in them supplying the decryption key. But risks around rewarding criminal behavior means this is considered an absolute last resort.

Should you pay the BlackCat ransom?

Paying BlackCat continues the cycle of funding criminal operations but may be necessary to resume business functions. Considerations include:

  • Can lost data and systems be restored from backups?
  • What are the impacts of prolonged downtime on revenues?
  • Will threat actors honor agreement and provide working decryption tools?
  • Does paying encourage future attacks on your organization?

If opting to pay, negotiate the lowest amount possible. Consult law enforcement and cyber insurance providers for guidance throughout the process. Some best practices if paying include:

  • Isolate and document the infected systems
  • Demand threat actors prove access to decryption key
  • Use legal ransomware payment services as intermediaries

Beware risks of paying ransom

Paying the ransom does not guarantee restored access or that sensitive stolen data won’t still be leaked. BlackCat leak sites have exposed victim documents even after ransom was paid. Other risks include:

  • Ongoing extortion demands for more money
  • No support provided to use decryption tools
  • Permanent loss of data if tools fail
  • Reputational damage and future attacks

How can BlackCat ransomware be stopped?

Eliminating the global ransomware threat requires concerted efforts across governments, law enforcement, cybersecurity vendors, and organizations:

  • Improved defenses – Network segmentation, proactive threat hunting, user education
  • Partnerships – Information sharing on tactics between public and private sectors
  • Regulation – Governments setting cybersecurity standards for industries
  • Deterrence – Arrests and sanctions to discourage cybercrime
  • Disruption – Offensive cyber operations to take down infrastructure
  • Cryptocurrency reform – Increased regulation around ransomware payments

For organizations, action starts with assessing your own defenses and risks. Steps that can minimize the business impact of BlackCat and other ransomware include:

Before an attack

  • Network segmentation and least privilege access
  • Vulnerability management and patching
  • Multi-factor authentication
  • Email security and staff phishing awareness
  • Next-gen antivirus, firewalls, intrusion detection
  • Backups stored offline and immutable
  • Incident response planning and drills

During an attack

  • Disconnect infected systems from network
  • Determine scope of compromise
  • Notify senior leadership, legal counsel, and cyber insurance
  • Contact law enforcement and CISA to report incident
  • Begin recovery and business continuity procedures

Leverage managed security providers and IT professionals for education, planning, and 24/7 response capabilities. Cyber resilience requires vigilance before, during, and after an attack.

Conclusion

BlackCat has quickly emerged as one of the most aggressive and lucrative ransomware operations. Its developers have proven they can disrupt major corporations at scale. By continuously refining tactics, recruiting skilled affiliates, and demanding enormous ransoms, BlackCat seems likely to remain highly active.

Organizations globally need to implement comprehensive defenses and staff education to detect and contain ransomware infections early. Law enforcement cooperation and regulations focused on cryptocurrency payments are also essential to curb the ransomware business model. With billions of dollars in potential profits, BlackCat and similar threat actors will remain tenacious and innovative.