The BlackCat ransomware, also referred to as ALPHV, is a prevalent risk and a major instance of the rising ransomware-as-a-service (RaaS) gig financial system. It’s noteworthy as a result of its unconventional programming language (Rust), a number of goal units and potential entry factors, and affiliation with prolific risk exercise teams. Whereas BlackCat’s arrival and execution range primarily based on the actors deploying it, the result is identical—goal knowledge is encrypted, exfiltrated, and used for “double extortion,” the place attackers threaten to launch the stolen knowledge to the general public if the ransom isn’t paid.
First noticed in November 2021, BlackCat initially made headlines as a result of it was one of many first ransomware households written within the Rust programming language. By utilizing a contemporary language for its payload, this ransomware makes an attempt to evade detection, particularly by standard safety options which may nonetheless be catching up of their capacity to research and parse binaries written in such language. BlackCat can even goal a number of units and working methods. Microsoft has noticed profitable assaults towards Home windows and Linux units and VMWare situations.
As we beforehand defined, the RaaS affiliate mannequin consists of a number of gamers: entry brokers, who compromise networks and keep persistence; RaaS operators, who develop instruments; and RaaS associates, who carry out different actions like transferring laterally throughout the community and exfiltrating knowledge earlier than in the end launching the ransomware payload. Thus, as a RaaS payload, how BlackCat enters a goal group’s community varies, relying on the RaaS affiliate that deploys it. For instance, whereas the frequent entry vectors for these risk actors embody distant desktop purposes and compromised credentials, we additionally noticed a risk actor leverage Change server vulnerabilities to achieve goal community entry. As well as, not less than two recognized associates at the moment are adopting BlackCat: DEV-0237 (recognized for beforehand deploying Ryuk, Conti, and Hive) and DEV-0504 (beforehand deployed Ryuk, REvil, BlackMatter, and Conti).
Such variations and adoptions markedly enhance a corporation’s threat of encountering BlackCat and pose challenges in detecting and defending towards it as a result of these actors and teams have completely different techniques, strategies, and procedures (TTPs). Thus, no two BlackCat “lives” or deployments may look the identical. Certainly, primarily based on Microsoft risk knowledge, the influence of this ransomware has been famous in varied international locations and areas in Africa, the Americas, Asia, and Europe.
Human-operated ransomware assaults like people who deploy BlackCat proceed to evolve and stay one of many attackers’ most well-liked strategies to monetize their assaults. Organizations ought to think about complementing their safety finest practices and insurance policies with a complete resolution like Microsoft 365 Defender, which gives safety capabilities that correlate varied risk alerts to detect and block such assaults and their follow-on actions.
On this weblog, we offer particulars in regards to the ransomware’s strategies and capabilities. We additionally take a deep dive into two incidents we’ve noticed the place BlackCat was deployed, in addition to further details about the risk exercise teams that now ship it. Lastly, we provide finest practices and suggestions to assist defenders shield their organizations towards this risk, together with searching queries and product-specific mitigations.
BlackCat’s anatomy: Payload capabilities
As talked about earlier, BlackCat is without doubt one of the first ransomware written within the Rust programming language. Its use of a contemporary language exemplifies a latest pattern the place risk actors change to languages like Rust or Go for his or her payloads of their try to not solely keep away from detection by standard safety options but additionally to problem defenders who could also be making an attempt to reverse engineer the mentioned payloads or evaluate them to related threats.
BlackCat can goal and encrypt Home windows and Linux units and VMWare situations. It has in depth capabilities, together with self-propagation configurable by an affiliate for his or her utilization and to atmosphere encountered.
Within the situations we’ve noticed the place the BlackCat payload didn’t have administrator privileges, the payload was launched by way of dllhost.exe, which then launched the next instructions beneath (Desk 1) by way of cmd.exe. These instructions may range, because the BlackCat payload permits associates to customise execution to the atmosphere.
The flags utilized by the attackers and the choices accessible have been the next: -s -d -f -c; –access-token; –propagated; -no-prop-servers
| Command | Description |
| [service name] /cease | Stops working companies to permit encryption of knowledge |
| vssadmin.exe Delete Shadows /all /quiet | Deletes backups to stop restoration |
| wmic.exe Shadowcopy Delete | Deletes shadow copies |
| wmic csproduct get UUID | Will get the Universally Distinctive Identifier (UUID) of the goal system |
| reg add HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices LanmanServerParameters /v MaxMpxCt /d 65535 /t REG_DWORD /f | Modifies the registry to alter MaxMpxCt settings; BlackCat does this to extend the variety of excellent requests allowed (for instance, SMB requests when distributing ransomware by way of its PsExec methodology) |
| for /F ”tokens=*” %1 in (‘wevtutil.exe el’) DO wevtutil.exe cl ”%1” | Clears occasion logs |
| fsutil habits set SymlinkEvaluation R2L:1 | Permits remote-to-local symbolic hyperlinks; a symbolic hyperlink is a file-system object (for instance, a file or folder) that factors to a different file system object, like a shortcut in some ways however extra highly effective |
| fsutil habits set SymlinkEvaluation R2R:1 | Permits remote-to-remote symbolic hyperlinks |
| web use [computer name] /consumer:[domain][user] [password] /persistent:no | Mounts community share |
Consumer account management (UAC) bypass
BlackCat can bypass UAC, which implies the payload will efficiently run even when it runs from a non-administrator context. If the ransomware isn’t run with administrative privileges, it runs a secondary course of beneath dllhost.exe with ample permissions wanted to encrypt the utmost variety of information on the system.
Area and system enumeration
The ransomware can decide the pc identify of the given system, native drives on a tool, and the AD area identify and username on a tool. The malware can even establish whether or not a consumer has area admin privileges, thus rising its functionality of ransoming extra units.
Self-propagation
BlackCat discovers all servers which might be linked to a community. The method first broadcasts NetBIOS Title Service (NBNC) messages to verify for these further units. The ransomware then makes an attempt to copy itself on the answering servers utilizing the credentials specified inside the config by way of PsExec.
Hampering restoration efforts
BlackCat has quite a few strategies to make restoration efforts tougher. The next are instructions that could be launched by the payload, in addition to their functions:
- Modify boot loader
- “C:Windowssystem32cmd.exe” /c “bcdedit /set default”
- “C:Windowssystem32cmd.exe” /c “bcdedit /set default recoveryenabled No”
- Delete quantity shadow copies
- “C:Windowssystem32cmd.exe” /c “vssadmin.exe Delete Shadows /all /quiet”
- “C:Windowssystem32cmd.exe” /c “wmic.exe Shadowcopy Delete”
- Clear Home windows occasion logs
- “C:Windowssystem32cmd.exe” /c “cmd.exe /c for /F ”tokens=*” Incorrect perform. in (‘ wevtutil.exe el ‘) DO wevtutil.exe cl ”Incorrect perform. ””
Slinking its approach in: Figuring out assaults that may result in BlackCat ransomware
According to the RaaS mannequin, risk actors make the most of BlackCat as an extra payload to their ongoing campaigns. Whereas their TTPs stay largely the identical (for instance, utilizing instruments like Mimikatz and PsExec to deploy the ransomware payload), BlackCat-related compromises have various entry vectors, relying on the ransomware affiliate conducting the assault. Subsequently, the pre-ransom steps of those assaults will also be markedly completely different.
For instance, our analysis famous that one affiliate that deployed BlackCat leveraged unpatched Change servers or used stolen credentials to entry goal networks. The next sections element the end-to-end assault chains of those two incidents we’ve noticed.
Case research 1: Entry by way of unpatched Change
In a single incident we’ve noticed, attackers took benefit of an unpatched Change server to enter the goal group.
Discovery
Upon exploiting the Change vulnerability, the attackers launched the next discovery instructions to collect details about the system that they had compromised:
- cmd.exe and the instructions ver and systeminfo – to gather working system info
- web.exe – to find out area computer systems, area controllers, and area admins within the atmosphere
After executing these instructions, the attackers navigated via directories and found a passwords folder that granted them entry to account credentials they may use within the subsequent phases of the assault. In addition they used the del command to delete information associated to their preliminary compromise exercise.
The attackers then mounted a community share utilizing web use and the stolen credentials and commenced on the lookout for potential lateral motion targets utilizing a mix of strategies. First, they used WMIC.exe utilizing the beforehand gathered system identify because the node, launched the command whoami /all, and pinged google.com to verify community connectivity. The output of the outcomes have been then written to a .log file on the mounted share. Second, the attackers used PowerShell.exe with the cmdlet Get-ADComputer and a filter to collect the final sign-in occasion.
Lateral motion
Two and a half days later, the attackers signed into one of many goal units they discovered throughout their preliminary discovery efforts utilizing compromised credentials by way of interactive sign-in. They opted for a credential theft method that didn’t require dropping a file like Mimikatz that antivirus merchandise may detect. As an alternative, they opened Taskmgr.exe, created a dump file of the LSASS.exe course of, and saved the file to a ZIP archive.
The attackers continued their earlier discovery efforts utilizing a PowerShell script model of ADRecon (ADRecon.ps1), which is a device designed to collect in depth details about an Energetic Listing (AD) atmosphere. The attacker adopted up this motion with a web scanning device that opened connections to units within the group on server message block (SMB) and distant desktop protocol (RDP). For found units, the attackers tried to navigate to numerous community shares and used the Distant Desktop consumer (mstsc.exe) to signal into these units, as soon as once more utilizing the compromised account credentials.
These behaviors continued for days, with the attackers signing into quite a few units all through the group, dumping credentials, and figuring out what units they may entry.
Assortment and exfiltration
On most of the units the attackers signed into, efforts have been made to gather and exfiltrate in depth quantities of knowledge from the group, together with area settings and knowledge and mental property. To do that, the attackers used each MEGAsync and Rclone, which have been renamed as reliable Home windows course of names (for instance, winlogon.exe, mstsc.exe).
Exfiltration of area info to establish targets for lateral motion
Amassing area info allowed the attackers to progress additional of their assault as a result of the mentioned info may establish potential targets for lateral motion or people who would assist the attackers distribute their ransomware payload. To do that, the attackers as soon as once more used ADRecon.ps1with quite a few PowerShell cmdlets equivalent to the next:
- Get-ADRGPO – will get group coverage objects (GPO) in a site
- Get-ADRDNSZone – will get all DNS zones and information in a site
- Get-ADRGPLink – will get all group coverage hyperlinks utilized to a scope of administration in a site
Moreover, the attackers dropped and used ADFind.exe instructions to collect info on individuals, computer systems, organizational items, and belief info, in addition to pinged dozens of units to verify connectivity.
Exfiltration for double extortion
Mental property theft doubtless allowed the attackers to threaten the discharge of knowledge if the next ransom wasn’t paid—a follow often called “double extortion.” To steal mental property, the attackers focused and picked up knowledge from SQL databases. In addition they navigated via directories and mission folders, amongst others, of every system they may entry, then exfiltrated the info they present in these.
The exfiltration occurred for a number of days on a number of units, which allowed the attackers to collect massive volumes of knowledge that they may then use for double extortion.
Encryption and ransom
It was a full two weeks from the preliminary compromise earlier than the attackers progressed to ransomware deployment, thus highlighting the necessity for triaging and scoping out alert exercise to grasp accounts and the scope of entry an attacker gained from their exercise. Distribution of the ransomware payload utilizing PsExec.exe proved to be the commonest assault technique.
Case research 2: Entry by way of compromised credentials
In one other incident we noticed, we discovered {that a} ransomware affiliate gained preliminary entry to the atmosphere by way of an internet-facing Distant Desktop server utilizing compromised credentials to check in.
Lateral motion
As soon as the attackers gained entry to the goal atmosphere, they then used SMB to repeat over and launch the Whole Deployment Software program administrative device, permitting distant automated software program deployment. As soon as this device was put in, the attackers used it to put in ScreenConnect (now often called ConnectWise), a distant desktop software program utility.
Credential theft
ScreenConnect was used to determine a distant session on the system, permitting attackers interactive management. With the system of their management, the attackers used cmd.exe to replace the Registry to permit cleartext authentication by way of WDigest, and thus saved the attackers time by not having to crack password hashes. Shortly later, they used the Activity Supervisor to dump the LSASS.exe course of to steal the password, now in cleartext.
Eight hours later, the attackers reconnected to the system and stole credentials once more. This time, nevertheless, they dropped and launched Mimikatz for the credential theft routine, doubtless as a result of it might seize credentials past these saved in LSASS.exe. The attackers then signed out.
Persistence and encryption
A day later, the attackers returned to the atmosphere utilizing ScreenConnect. They used PowerShell to launch a command immediate course of after which added a consumer account to the system utilizing web.exe. The brand new consumer was then added to the native administrator group by way of web.exe.
Afterward, the attackers signed in utilizing their newly created consumer account and commenced dropping and launching the ransomware payload. This account would additionally function a method of further persistence past ScreenConnect and their different footholds within the atmosphere to permit them to re-establish their presence, if wanted. Ransomware adversaries should not above ransoming the identical group twice if entry isn’t totally remediated.
Chrome.exe was used to navigate to a site internet hosting the BlackCat payload. Notably, the folder construction included the group identify, indicating that this was a pre-staged payload particularly for the group. Lastly, the attackers launched the BlackCat payload on the system to encrypt its knowledge.
Ransomware associates deploying BlackCat
Aside from the incidents mentioned earlier, we’ve additionally noticed two of probably the most prolific affiliate teams related to ransomware deployments have switched to deploying BlackCat. Payload switching is typical for some RaaS associates to make sure enterprise continuity or if there’s a risk of higher revenue. Sadly for organizations, such adoption additional provides to the problem of detecting associated threats.
Microsoft tracks one in every of these affiliate teams as DEV-0237. Often known as FIN12, DEV-0237 is notable for its distribution of Hive, Conti, and Ryuk ransomware. We’ve noticed that this group added BlackCat to their listing of distributed payloads starting March 2022. Their change to BlackCat from their final used payload (Hive) is suspected to be because of the public discourse across the latter’s decryption methodologies.
DEV-0504 is one other energetic affiliate group that we’ve seen switching to BlackCat for his or her ransomware assaults. Like many RaaS affiliate teams, the next TTPs could be noticed in a DEV-0504 assault:
- Entry vector that may contain the affiliate remotely signing into units with compromised credentials, equivalent to into units working software program options that enable for distant work
- The attackers’ use of their entry to conduct discovery on the area
- Lateral motion that doubtlessly makes use of the preliminary compromised account
- Credential theft with instruments like Mimikatz and Rubeus
DEV-0504 sometimes exfiltrates knowledge on units they compromise from the group utilizing a malicious device equivalent to StealBit—usually named “ship.exe” or “sender.exe”. PsExec is then used to distribute the ransomware payload. The group has been noticed delivering the next ransom households earlier than their adoption of BlackCat starting December 2021:
- BlackMatter
- Conti
- LockBit 2.0
- Revil
- Ryuk
Defending towards BlackCat ransomware
Immediately’s ransomware assaults have turn out to be extra impactful due to their rising industrialization via the RaaS affiliate mannequin and the rising pattern of double extortion. The incidents we’ve noticed associated to the BlackCat ransomware leverage these two components, making this risk sturdy towards standard safety and protection approaches that solely give attention to detecting the ransomware payloads. Detecting threats like BlackCat, whereas good, is now not sufficient as human-operated ransomware continues to develop, evolve, and adapt to the networks they’re deployed or the attackers they work for.
As an alternative, organizations should shift their defensive methods to stop the end-to-end assault chain. As famous above, whereas attackers’ entry factors could range, their TTPs stay largely the identical. As well as, all these assaults proceed to benefit from a corporation’s poor credential hygiene and legacy configurations or misconfigurations to succeed. Subsequently, defenders ought to tackle these frequent paths and weaknesses by hardening their networks via varied finest practices equivalent to entry monitoring and correct patch administration. We offer detailed steps on constructing these defensive methods towards ransomware in this weblog.
Within the BlackCat-related incidents we’ve noticed, the frequent entry factors for ransomware associates have been by way of compromised credentials to entry internet-facing distant entry software program and unpatched Change servers. Subsequently, defenders ought to evaluate their group’s id posture, rigorously monitor exterior entry, and find susceptible Change servers of their atmosphere to replace as quickly as potential. The monetary influence, popularity injury, and different repercussions that stem from assaults involving ransomware like BlackCat should not value forgoing downtime, service interruption, and different ache factors associated to making use of safety updates and implementing finest practices.
Leveraging Microsoft 365 Defender’s complete risk protection capabilities
Microsoft 365 Defender helps shield organizations from assaults that ship the BlackCat ransomware and different related threats by offering cross-domain visibility and coordinated risk protection. It makes use of a number of layers of dynamic safety applied sciences and correlates risk knowledge from e-mail, endpoints, identities, and cloud apps. Microsoft Defender for Endpoint detects instruments like Mimikatz, the precise BlackCat payload, and subsequent attacker habits. Menace and vulnerability administration capabilities additionally assist uncover susceptible or misconfigured units throughout completely different platforms; such capabilities may assist detect and block potential exploitation makes an attempt on susceptible units, equivalent to these working Change. Lastly, superior searching lets defenders create customized detections to proactively floor this ransomware and different associated threats.
Further mitigations and suggestions
Defenders can even comply with the next steps to scale back the influence of this ransomware:
Microsoft 365 Defender clients can even apply the extra mitigations beneath:
- Use superior safety towards ransomware.
- Activate tamper safety in Microsoft Defender for Endpoint to stop malicious modifications to safety settings. Allow community safety in Microsoft Defender for Endpoint and Microsoft 365 Defender to stop purposes or customers from accessing malicious domains and different malicious content material on the web.
- Guarantee Change servers have utilized the mitigations referenced within the associated Menace Analytics report.
- Activate the next assault floor discount guidelines to dam or audit exercise related to this risk:
- Block credential stealing from the Home windows native safety authority subsystem (lsass.exe)
- Block course of creations originating from PSExec and WMI instructions
- Block executable information from working except they meet a prevalence, age, or trusted listing criterion
For a full listing of ransomware mitigations no matter risk, discuss with this text: Quickly shield towards ransomware and extortion.
Microsoft 365 Defender Menace Intelligence Group
Appendix
Microsoft 365 Defender detections
Microsoft Defender Antivirus
Microsoft Defender for Endpoint EDR
Alerts with the next titles within the safety middle can point out risk exercise in your community:
- An energetic ‘BlackCat’ ransomware was detected
- ‘BlackCat’ ransomware was detected
- BlackCat ransomware
Searching queries
Microsoft 365 Defender
To find potential ransomware exercise, run the next queries.
Suspicious course of execution in PerfLogs path
Use this question to search for processes executing in PerfLogs—a standard path used to put the ransomware payloads.
DeviceProcessEvents | the place InitiatingProcessFolderPath has "PerfLogs" | the place InitiatingProcessFileName matches regex "[a-z]3.exe" | lengthen Size = strlen(InitiatingProcessFileName) | the place Size == 7
Suspicious registry modification of MaxMpxCt parameters
Use this question to search for suspicious working processes that modify registry settings to extend the variety of excellent requests allowed (for instance, SMB requests when distributing ransomware by way of its PsExec methodology).
DeviceProcessEvents
| the place ProcessCommandLine has_all("LanmanServer", "parameters", "MaxMpxCt", "65535")
Suspicious command line indicative of BlackCat ransom payload execution
Use these queries to search for situations of the BlackCat payload executing primarily based on a required command argument for it to efficiently encrypt ‘–access-token’.
DeviceProcessEvents
| the place ProcessCommandLine has_all("--access-token", "-v")
| lengthen CommandArguments = break up(ProcessCommandLine, " ")
| mv-expand CommandArguments
| the place CommandArguments matches regex "^[A-Fa-f0-9]64$"
DeviceProcessEvents | the place InitiatingProcessCommandLine has "--access-token" | the place ProcessCommandLine has "get uuid"
Suspected knowledge exfiltration
Use this question to search for command traces that point out knowledge exfiltration and the indication that an attacker could try double extortion.
DeviceNetworkEvents
| the place InitiatingProcessCommandLine has_all("copy", "--max-age", "--ignore-existing", "--multi-thread-streams", "--transfers") and InitiatingProcessCommandLine has_any("ftp", "ssh", "-q")