New BlackCat ransomware | Kaspersky official blog
Credit to Author: Hugh Aver | Date: Fri, 15 Apr 2022 18:41:29 +0000
No market tolerates a vacuum, and that applies to ransomware too. After the BlackMatter and REvil gangs ceased their operations, the emergence of new players was only a matter of time. Here is one of them — last December, advertisements for the services of the ALPHV group, also known as BlackCat, appeared on hacker forums. After several incidents, our experts from the Global Research and Analysis Team (GReAT) decided to study the activity of this group carefully and publish a comprehensive report on the Securelist website.
In the ads, the attackers claimed that they had studied the errors and problems of their predecessors and created an improved version of the malware. However, there are signs that their connection to the BlackMatter and REvil groups may be much closer than they are trying to show.
Who are the BlackCat gang and what tools do they use?
The BlackCat ransomware creators offer their services under the Ransomware-as-a-Service (RaaS) scheme. In other words, they provide other attackers with access to their infrastructure and malicious code and in return receive a certain share of the ransom. In addition, the BlackCat gang members are probably also responsible for the negotiations with the victims. Therefore, the only thing their “franchisees” have to do themselves is gain access to the corporate environment. This we-got-everything-covered principle is the reason why BlackCat gained momentum so quickly: their malware is already being used to attack companies around the world.
The BlackCat arsenal consists of several items. The first is the cryptor of the same name. It is written in the Rust language, thanks to which the attackers managed to create a cross-platform tool: there are versions of the malware that work in both Windows and Linux environments.
The second is the Fendr utility, which is used to exfiltrate data from infected infrastructure. The use of this tool suggests that BlackCat may simply be a rebranding of the BlackMatter faction — they were the only known gang to use this tool, which is also known as ExMatter.
BlackCat also employs the PsExec tool for lateral movement in the victim’s network, Mimikatz, the well-known hacker tool, and Nirsoft utilities to extract network passwords.
You can find more technical information about BlackCat’s methods and tools, as well as the indicators of compromise, on the Securelist blog.
Who are the victims of BlackCat?
Among the BlackCat ransomware incidents, our experts saw at least one attack on a South American industrial company involved in oil, gas, mining and construction, as well as the infection of several clients of a Middle Eastern ERP provider (an organization that provides enterprise resource planning tools).
One of the most disturbing facts is the evolution of Fendr. The tool can now automatically download a much wider range of files than in previous BlackMatter group attacks. Cybercriminals recently added the ability to find files with the following extensions: .sqlite, .catproduct, .rdp, .accdb, .catpart, .catdrawing, .3ds, .dwt and .dxf. These file types are related to industrial design applications and remote access tools, which may be a sign that the malware creators are targeting industrial environments.
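As an added defensive illustration (not code from the post or from the Securelist report), the following script turns the extension list above into a simple hunting heuristic: it scans file-read events and flags any process that touches several of these file types across multiple directories, the kind of bulk-collection pattern an exfiltration tool leaves behind. The log line format and the sample events are constructed for this example.

```python
import re
from collections import defaultdict

# Extensions the post says Fendr was recently extended to collect.
FENDR_EXTENSIONS = {".sqlite", ".catproduct", ".rdp", ".accdb", ".catpart",
                    ".catdrawing", ".3ds", ".dwt", ".dxf"}

# Constructed sample of file-read events; format assumed: "<pid> <process> <path>".
SAMPLE_EVENTS = """\
4120 winword.exe C:\\Users\\alice\\Documents\\report.docx
5188 updater.exe C:\\Projects\\bridge\\deck.catpart
5188 updater.exe C:\\Projects\\bridge\\pier.catdrawing
5188 updater.exe C:\\Users\\bob\\Desktop\\plant.rdp
5188 updater.exe D:\\CAD\\archive\\frame.dxf
5188 updater.exe C:\\Users\\bob\\AppData\\app.sqlite
7001 explorer.exe C:\\Users\\bob\\Desktop\\plant.rdp
"""

def parse_events(text):
    """Parse the constructed log lines into (pid, process, path) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split(maxsplit=2)  # path may contain spaces, so keep the rest
        if len(parts) == 3:
            events.append((int(parts[0]), parts[1], parts[2]))
    return events

def extension(path):
    """Return the lower-cased extension of a path, or '' if it has none."""
    m = re.search(r"(\.[A-Za-z0-9]+)$", path)
    return m.group(1).lower() if m else ""

def find_mass_collectors(events, min_hits=3, min_dirs=2):
    """Flag processes that read at least min_hits watched files spread over
    at least min_dirs distinct directories. Returns {(pid, proc): [paths]}."""
    hits = defaultdict(list)
    for pid, proc, path in events:
        if extension(path) in FENDR_EXTENSIONS:
            hits[(pid, proc)].append(path)
    alerts = {}
    for key, paths in hits.items():
        dirs = {p.rsplit("\\", 1)[0] for p in paths}
        if len(paths) >= min_hits and len(dirs) >= min_dirs:
            alerts[key] = sorted(paths)
    return alerts

if __name__ == "__main__":
    for (pid, proc), paths in find_mass_collectors(parse_events(SAMPLE_EVENTS)).items():
        print(f"ALERT pid={pid} {proc} read {len(paths)} watched files")
```

The thresholds are deliberately low for the sample; in production they would be tuned against a baseline of legitimate CAD and backup tools, which also read these file types.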
How to stay safe?
To prevent your company from losing important information, we recommend, first, protecting all corporate devices with reliable security solutions and, second, regularly training employees in information security basics.
With ransomware-as-a-service continuing to rise, it is more important than ever for any company to be prepared for an incident and to have a multi-level anti-ransomware strategy.