MA-921.042023: MyCERT Advisory - BlackCat Ransomware
MyCERT has observed an increase in ransomware-related attacks, including those executed by ransomware known as BlackCat/ALPHV. This ransomware variant was identified through FBI investigations. BlackCat/ALPHV ransomware as a service (RaaS) had compromised at least 60 entities worldwide and is the first ransomware group to do so successfully using RUST, considered a more secure programming language with improved performance and reliable concurrent processing. BlackCat-affiliated threat actors typically request ransom payments of several million dollars in Bitcoin and Monero but have accepted ransom payments below the initial ransom demand amount. Many developers and money launderers for BlackCat/ALPHV are linked to Darkside/Blackmatter, indicating they have extensive networks and experience with ransomware operations.
The malicious actors’ use of Rust to deliver the ransomware payload sets the stage for its encryption routine. The ransomware binary defaces the system’s background images. It replaces it with one containing a notification that important files have been downloaded and encrypted, plus information on where additional instructions can be found. Sample ransom note is as below:
Figure 1: Sample ransom note of the BlackCat ransomware binary.
- The payload also terminates specific services related to backups, antivirus applications, databases, Windows internet services, and ESXi virtual machines (VMs).
- In addition, a new variant of the BlackCat ransomware binary restarts the affected system to safe mode before proceeding to its encryption routine. It also disables system recovery and deletes volume shadow copies to inhibit the recovery of the affected systems.
3.0 Affected Products
- Windows 7 and higher (7, 8.1, 10,11; 2008r2, 2012, 2016, 2019, 2022).
- Windows XP and 2003.
- VMware ESXi
- Debian and Ubuntu Linux
- ReadyNAS, Synology, QNAP
4.0 Technical Details
BlackCat/ALPHV ransomware leverages previously compromised user credentials to gain initial access to the victim’s system. Once the malware establishes access, it compromises Active Directory user and administrator accounts. The malware uses Windows Task Scheduler to configure malicious Group Policy Objects (GPOs) to deploy ransomware. Initial malware deployment leverages PowerShell scripts in conjunction with Cobalt Strike and disables security features within the victim’s network. BlackCat/ALPHV ransomware also leverages Windows administrative tools and Microsoft Sysinternals tools during compromise.
BlackCat/ALPHV steals victim data before the execution of the ransomware, including from cloud providers where company or client data was stored.
The actors leverage Windows scripting to deploy ransomware and to compromise additional hosts. For example, the following batch and PowerShell scripts were observed:
- start.bat - launches the ransomware executable with the required arguments.
- est.bat - copies the ransomware to other locations.
- drag-and-drop-target.bat - launches the ransomware executable for the MySQL Server.
- run.bat - executes a callout command to and external server using SSH – file names may change depending on the company and systems affected.
- Runsl.psl - PowerShell scripts to disable AV.
5.0 Indicators of Compromise
The following are characteristics of compromise by BlackCat/ALPHV, as mid-February 2022: