BlackCat — new player in the ransomware business

Our experts investigated the activity and studied tools of ransomware gang BlackCat.

New BlackCat ransomware

No market tolerates emptiness and that alos applies to ransomware. After the BlackMatter and REvil gangs ceased their operations, the emergence of new players was only a matter of time. And here is one of them — last December, advertisements for the services of the ALPHV group, also known as BlackCat, appeared on hacker forums. After several incidents, our experts from the Global Research and Analysis Team (GReAT) decided to carefully study the activity of this group and publish a comprehensive report on the Securelist website.

In the ads, the attackers mentioned that they studied the errors and problems of their predecessors and created an improved version of the malware. However, there are signs that their connection to BlackMatter and REvil groups may be much more intimate than they are trying to show.

Who is the BlackCat gang and what tools does they use?

The BlackCat ransomware creators offer their services under the Ransomware-as-a-Service (RaaS) scheme. In other words, they provide other attackers with access to their infrastructure and malicious code and in return they get certain share of the ransom. In addition to that, the BlackCat gang members are probably also responsible for the negotiations with the victims. Therefore the only thing that their “franchisee” would have to do themselves is to gain access to the corporate environment. This “we’ve got everything covered” principle is the reason why BlackCat gained momentum so quickly: their malware is already used to attack companies around the world.

BlackCat arsenal consists of several items. First is the cyrptor of the same name. It is written in the Rust language, thanks to which the attackers managed to create a cross-platform tool with versions of the malware that works both in Windows and Linux environments.

Second is the Fendr utility, which is used to exfiltrate data from infected infrastructure. The use of this tool suggests that BlackCat may simply be a rebranding of the BlackMatter faction — they were the only known gang to use this tool, which is also known as ExMatter.

BlackCat also employs the PsExec tool for lateral movement in the victim’s network; Mimikatz, the well-known hacker software, and Nirsoft software to extract network passwords.

You can find more technical information about BlackCat’s methods and tools as well as the indicators of compromise in this Securelist blog.

Who are the victims of BlackCat?

Among the BlackCat ransomware incidents, our experts saw at least one attack on a South American industrial company involved in oil, gas, mining and construction, as well as the infection of several clients of a Middle Eastern enterprise resource planning provider.

One of the most disturbing facts is the evolution of Fendr. At the moment the tool can automatically download a much wider range of files, compared to previous cases of BlackMatter group attacks. Cybercriminals recently added the ability to find files with the following list of extensions: .sqlite, .catproduct, .rdp, .accdb, .catpart, .catdrawing, .3ds, .dwt and .dxf. These types of files are related to industrial design applications and remote access tools, and that may be the sign that malware creators are targeting industrial environments.

How to stay safe?

In order to prevent your company from losing important information, we recommend first to protect all corporate devices using reliable security solutions, and second, to train employees on information security basics regularly.

With ransomware-as-a-service on the continuing rise, it is more important than ever for any company to be prepared for the incident and have a multi-level anti-ransomware strategy.