BlackCat: A New Dangerous And Sophisticated Ransomware

Details have emerged about what's the first Rust-language-based ransomware strain spotted in the wild that has already amassed "some victims from different countries" since its launch last month.

The ransomware, dubbed BlackCat, was disclosed by MalwareHunterTeam. "Victims can pay with Bitcoin or Monero," the researchers said in a series of tweets detailing the file-encrypting malware. "Also looks they are giving credentials to intermediaries" for negotiations.

The ALPHV BlackCat malware has a number of innovative characteristics that distinguish it from other ransomware operations. The ransomware is completely command-line driven, human-operated, and extremely programmable, with the ability to employ various encryption techniques, propagate across systems, terminate virtual machines and ESXi VMs, and automatically erase ESXi snapshots to prevent recovery.

Each ALPHV ransomware executable contains a JSON configuration file that enables the customization of extensions, ransom notes, how data will be encrypted, prohibited folders/files/extensions, and the services and processes that will be automatically terminated.

According to the threat actor's "recruitment" post on a dark web hacker site, the ransomware may be modified to employ four distinct encryption mechanisms. ALPHV BlackCat may also be programmed to exploit domain credentials to distribute the ransomware and encrypt additional network devices. The executable will then extract PsExec to the %Temp% folder and utilize it to transfer the ransomware to additional network devices before executing it to encrypt the remote Windows PC.

When starting the ransomware, the affiliate can utilize a console-based user interface to track the attack’s progress. ALPHV BlackCat also employs the Windows Restart Manager API to terminate processes or shut down Windows services while keeping a file open for encryption.
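The Restart Manager behaviour described above is visible to defenders: each session the malware opens is logged in the Windows Application log by the Microsoft-Windows-RestartManager provider (event ID 10000 marks a session start), and a single non-installer process opening many sessions in quick succession is a useful triage signal. The following heuristic is an added example, not code from the article or from any analysis it cites; the flat comma-separated log format and the process names are constructed for illustration.

```python
"""Flag processes that open a burst of Windows Restart Manager sessions.

Constructed sample data: Application-log entries flattened to
"timestamp,provider,event_id,process". Event ID 10000 is the
RestartManager "Starting session" event; 10001 is "Ending session".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one legitimate installer session, then a burst
# from an unknown process (the pattern described for the ransomware).
SAMPLE_LOG = """\
2021-12-10T09:00:01,Microsoft-Windows-RestartManager,10000,msiexec.exe
2021-12-10T09:00:05,Microsoft-Windows-RestartManager,10001,msiexec.exe
2021-12-10T09:12:00,Microsoft-Windows-RestartManager,10000,unknown.exe
2021-12-10T09:12:01,Microsoft-Windows-RestartManager,10001,unknown.exe
2021-12-10T09:12:02,Microsoft-Windows-RestartManager,10000,unknown.exe
2021-12-10T09:12:03,Microsoft-Windows-RestartManager,10001,unknown.exe
2021-12-10T09:12:04,Microsoft-Windows-RestartManager,10000,unknown.exe
2021-12-10T09:12:06,Microsoft-Windows-RestartManager,10000,unknown.exe
2021-12-10T09:12:08,Microsoft-Windows-RestartManager,10000,unknown.exe
2021-12-10T09:12:10,Microsoft-Windows-RestartManager,10000,unknown.exe
2021-12-10T09:14:00,Microsoft-Windows-RestartManager,10000,unknown.exe
"""


def parse(log_text):
    """Yield (timestamp, provider, event_id, process) tuples from the flat log."""
    for raw in log_text.strip().splitlines():
        ts, provider, eid, proc = raw.split(",")
        yield datetime.fromisoformat(ts), provider, int(eid), proc


def rm_session_bursts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {process: peak_count} for processes that start at least
    `threshold` Restart Manager sessions inside any sliding `window`."""
    recent = defaultdict(deque)  # per-process timestamps inside the window
    flagged = {}
    for ts, provider, eid, proc in parse(log_text):
        if provider != "Microsoft-Windows-RestartManager" or eid != 10000:
            continue  # only session-start events count
        q = recent[proc]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop starts that fell out of the window
        if len(q) >= threshold:
            flagged[proc] = max(flagged.get(proc, 0), len(q))
    return flagged


if __name__ == "__main__":
    print(rm_session_bursts(SAMPLE_LOG))
```

Tune `threshold` and `window` against a baseline of legitimate installers and updaters, which also use Restart Manager but rarely open sessions at file-by-file pace.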

When encrypting a device, the ransomware uses a random extension, which is appended to all encrypted files and included in the ransom note. The ransom notes are pre-configured by the affiliate carrying out the operation and are unique to each victim. Some ransom notes include information about the categories of data stolen as well as a link to a Tor data leak site where victims may examine stolen material.

Each victim also has a distinct Tor site and, in some cases, a distinct data leak site, allowing the affiliate to conduct their own negotiations. Finally, BlackCat promises to be cross-platform, supporting a variety of operating systems.

BlackCat, akin to many other variants that have sprung before it, operates as a ransomware-as-a-service (RaaS), wherein the core developers recruit affiliates to breach corporate environments and encrypt files, but not before stealing the said documents in a double extortion scheme to pressure the targets into paying the requested amount or risk exposure of the stolen data should the companies refuse to pay up.

Security researcher Michael Gillespie called it a "very sophisticated ransomware." South Korean cybersecurity company S2W, in a separate analysis of BlackCat, said that the ransomware conducts its malicious actions by referring to an internal configuration like other RaaS programs, calling out its similarities with BlackMatter, another ransomware that emerged from the ashes of DarkSide in July only to sunset its activities in early November.

While it's typical of ransomware groups to go underground, regroup, and resurface under a new name, the researchers cautioned against calling BlackCat a BlackMatter rebrand, citing differences in the programming language used (Rust vs. C++), the myriad execution options, and the dark web infrastructure maintained by the actor.

BlackCat, starting December 4, 2021, has been advertised on Russian-language underground markets like XSS and Exploit under the username "alphv" and as "ransom" on the RAMP forum in a bid to recruit other participants, including penetration testers, and join what it called "the next generation of ransomware."

The ransomware actor is also said to be operating five onion domains, three of which function as the group's negotiation site, with the rest categorized as an "Alphv" public leak site and a private leak site. Only two victims have been identified so far, suggesting that the nascent ransomware is being actively deployed against companies in real-world attacks.

"After information about the BlackCat ransomware and Alphv leak site was revealed on Twitter, they deleted all information of both victims and added their warning message on Alphv leak site," S2W researchers noted. The development signals a growing trend where threat actors are adopting lesser-known programming languages such as Dlang, Go, Nim, and Rust to bypass security protections, evade analysis, and hamper reverse engineering efforts.

Rust is also gaining traction for its ability to achieve high performance comparable to that of languages such as C and C++, while simultaneously offering memory safety guarantees that could be leveraged to create malware that is less susceptible to exploitation and therefore harder to neutralize.
