The ransomware known as BlackCat, also known as Alphv ransomware, has been used by members of the Alphv group since November 2021.
Over the past few years, BlackCat has demonstrated a clear upward trajectory in its operations. Their latest attacks include harming organizations in the health, education, electricity and natural gas sectors.
B flash In a report published by the FBI in April 2022, they reveal that BlackCat/ALPHV Ransomware as a Service (RaaS) had compromised at least 60 entities worldwide by the end of March 2022.
How do they work?
BlackCat is written in Rust, which is considered a secure programming language, and supports Windows and Linux-based systems including Debian and Ubuntu.
The BlackCat ransomware gang exploits previously compromised user credentials as a means to gain initial access to the targeted system. They use the Windows Task Scheduler to configure malicious Group Policy Objects to deploy ransomware and steal victims’ data before executing it.
MITER ATT&CK tactics and techniques observed across recent cases involving the BlackCat Ransomware group
initial approach
Although evidence of the initial access vector may not always be accessible, the earliest signs of compromise strongly suggest that the threat actors used valid credentials.
access to tokens
BlackCat has the ability to change access tokens
Command and Script Interpreter: The Windows command shell
It can execute commands on a compromised network with the use of cmd.exe.
Change the registry
It has the ability to add the following registry key on compromised networks to maintain persistence: HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices LanmanServerParamenters
System owner/user disclosure
It can use net use commands to find out the username on the compromised host.
Windows management tools
Uses wmic.exe to delete shadow copies on compromised networks.
What are the indicators of compromise (IOC)?
Pipe
\.pipe__rust_anonymous_pipe1__.<מזהה תהליך>.<מספר אקראי>
BlackCat ransom note
RECOVER-uhwuvzu-FILES.txt
Files have been created
barriers-<שם קובץ>.uhwuvzu
RECOVER-uhwuvzu-FILES.txt.png
gave birth to processes
cmd.exe /c “wmic csproduct get UUID”
cmd.exe /c “fsutil behavior set SymlinkEvaluation R2L:1”
cmd.exe /c “fsutil behavior set SymlinkEvaluation R2R:1”
cmd.exe /c “iisreset.exe /stop”
cmd.exe /c “vssadmin.exe delete the shadows /all /quiet”
cmd.exe /c “wmic.exe Shadowcopy Delete”
cmd.exe /c “bcdedit /set {default}”
cmd.exe /c “bcdedit /set {default} recovery enabled no”
cmd.exe /c for /F “tokens=*” %1 in (‘wevtutil.exe el’) DO wevtutil.exe cl %1
cmd.exe /c “reg add HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesLanmanServerParameters /v MaxMpxCt /d 65535 /t REG_DWORD /f”
cmd.exe /c “arp -a”
BlackCat has released a new version of ransomware
sphinx It differs from the previous versions in considerable ways, for example, the configuration data is no longer in JSON format, but raw structures, and the process of interacting with the network has also been completely redesigned.
The code, including encryption, was rewritten from scratch. By default, all files are frozen. The main priority of this update was to optimize detection by AV/EDR
How can Heimdal™ help?
to fight RansomHeimdal™ Security offers its customers an exceptional integrated cyber security package that includes the Ransomware encryption protection Module. This module is universally compatible with any antivirus solution and works without relying on signatures, ensuring exceptional detection and remediation of all forms of ransomware, whether fileless or file-based.
If you liked this article, follow us LinkedIn, Twitter, Facebook, YouTubeand Instagram For more news and topics on cyber security.
Disable ransomware before it can do damage.
Heimdal™ Ransomware Encryption Protection
Designed specifically to address the number one security risk for any business – ransomware.
- Blocks any unauthorized encryption attempts;
- Identifies ransomware regardless of signature;
- universal compatibility with any cyber security solution;
- Full review track with amazing graphics;
