Background
In our PolySwarm 2021 Year in Review, we made several predictions for this year, including that BlackCat ransomware would become more prevalent, due to its sophistication. BlackCat ransomware is ransomware as a service (RaaS), which was recently linked to the
BlackMatter/DarkSide ransomware gang in a report by Cisco Talos.
What is BlackCat?
BlackCat, also known as ALPHV, was first observed in late 2021. BlackCat is a RaaS that includes a highly-customizable feature set, allowing for attacks on a wide range of targets. BlackCat is written in Rust, a language seldom used by ransomware developers, and can infect both Windows and Linux machines. The ransomware is being promoted on Russian language hacking forums.
BlackCat attacks have occurred in the US, Europe, the Philippines, and other regions. Verticals targeted include construction and engineering, retail, transportation, commercial services, insurance, machinery, professional services, telecommunication, auto components, and pharmaceuticals. Palo Alto’s Unit 42 noted several reasons for the growing popularity of BlackCat. First, the group has been effective in marketing to its affiliates, and affiliates receive a generous share of ransom payments. Second, the malware is perhaps the first ransomware written in Rust. Developers can easily change the code to pivot and individualize attacks. Third, the threat actors behind BlackCat use double and triple extortion tactics, charging a ransom to decrypt files and threatening to disclose files or engage in DDoS attacks if the ransom is not paid.
Industry researchers have speculated a connection between BlackCat and the BlackMatter/DarkSide ransomware gang, who attacked Colonial Pipeline last year. Researchers at Cisco Talos provided a comparison of BlackCat and BlackMatter attacks they observed. They noted a domain and IP address associated with BlackCat was previously used as a C2 in a BlackMatter attack. At this time, the initial infection vector used in the BlackCat attacks analyzed by Cisco Talos is unknown. However, in a BlackMatter attack they analyzed, the threat actors likely established initial access by exploiting Microsoft Exchange vulnerabilities.
Cisco Talos also noted other commonalities in BlackCat and BlackMatter TTPs:
- Both ransomware families use reverse SSH tunnels and scheduled tasks to maintain persistence
- Both use LSASS for credential access
- Both use lmpacket, RDP, and psexec for command and control
An individual associated with BlackCat said the group is not a rebranding of BlackMatter, but its team members are affiliated with other RaaS groups. However, another individual associated with the LockBit gang said BlackCat is a rebrand of DarkSide/BlackMatter, and researchers at CyberReason found commonalities and shared infrastructure between BlackCat and LockBit.
IOCs
PolySwarm has multiple samples of BlackCat. A selection of IOCs for these samples is found below.
c5ad3534e1c939661b71f56144d19ff36e9ea365fdb47e4f8e2d267c39376486
c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40
152d0f3fc21fd22affa6012a4b7005e01c5748302a89df7b267cf0f96f61f2f0
cda37b13d1fdee1b4262b5a6146a35d8fc88fa572e55437a47a950037cc65d40
1af1ca666e48afc933e2eda0ae1d6e88ebd23d27c54fd1d882161fd8c70b678e
9802a1e8fb425ac3a7c0a7fca5a17cfcb7f3f5f0962deb29e3982f0bece95e26
13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31
f7a038f9b91c40e9d67f4168997d7d8c12c2d27cd9e36c413dd021796a24e083
3a08e3bfec2db5dbece359ac9662e65361a8625a0122e68b56cd5ef3aedf8ce1
15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed
28d7e6fe31dc00f82cb032ba29aad6429837ba5efb83c2ce4d31d565896e1169
bd337d4e83ab1c2cacb43e4569f977d188f1bb7c7a077026304bf186d49d4117
4e18f9293a6a72d5d42dad179b532407f45663098f959ea552ae43dbb9725cbf
f8c08d00ff6e8c6adb1a93cd133b19302d0b651afd73ccb54e3b6ac6c60d99c6
5121f08cf8614a65d7a86c2f462c0694c132e2877a7f54ab7fcefd7ee5235a42
You can use the following CLI command to search for all xx samples in our portal:
$ polyswarm link list -f BlackCat
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports
