BlackCat, also known as ALPHV or Noberus, is a ransomware strain that first appeared in November 2021. Gaining a reputation as the most sophisticated ransomware strain of 2021, BlackCat is believed to be operated by several ransomware groups, most notably BlackMatter. Following the shutdown of BlackMatter by law enforcement, other groups embraced the ransomware, and even though it is a relatively new strain, BlackCat has been determined to be responsible for several high-profile attacks and has quickly emerged as a major threat.

BlackCat operates on a Ransomware as a Service (RaaS) model, in which ransomware developers sell or lease their software to customers, also known as affiliates. These cybercriminals use the pre-developed ransomware to launch their attacks. RaaS decreases the risk for developers, as they don't have to carry out the attacks themselves, and it reduces the cost for affiliates, as they don't have to invest heavily in building their own ransomware. Even small-time hackers without much technical expertise can now execute sophisticated cyberattacks.

Triple Extortion

Most ransomware groups use the double extortion technique, i.e., they not only steal and encrypt sensitive data and hold it hostage, but also threaten to publish the data if the ransom is not paid. The BlackCat group also does this, but in addition, its threat actors often threaten to launch a distributed denial of service (DDoS) attack if their demands are not met. This adds a third layer of threat to the attack and extortion scheme, and is known as triple extortion.

BlackCat anatomy and its arsenal: How does it work?

BlackCat is considered to be a very sophisticated ransomware. It is among the first to use the Rust programming language, which is considered highly secure and offers improved performance and reliable concurrent processing. The use of Rust makes the malware highly customizable and difficult to detect. BlackCat is a command-line driven, human-operated ransomware that is capable of using different encryption routines and self-propagation, among other capabilities.

Another notable feature is that Rust is cross-platform, i.e., it can be used to build versions of the malware that work on different operating system environments. Currently, the BlackCat ransomware can target and encrypt Windows and Linux devices and VMware instances.

The initial intrusion into the victim’s network typically happens by exploiting common vulnerabilities in different applications, like VPN gateways, and unpatched firewalls. For example, in one attack, the attackers took advantage of an unpatched Exchange server to enter the target organization. Once inside the network, the attackers moved laterally and gained further access by misusing credentials through the Remote Desktop Protocol (RDP). Then, the malware was deployed into target machines, and this encrypted all of the victim’s files, locked their computers, and displayed a ransom message.

The BlackCat arsenal includes a number of tools. We'll discuss a few here:

  • First is the malware itself. Written in the highly customizable Rust programming language, it is believed to have been written from scratch, without the use of any existing templates or previously leaked source code. Every instance of this ransomware is unique and configured specifically for the victim.
  • Each ransomware executable includes a JSON data structure that allows for customization of extensions, ransom notes, procedure to encrypt data, folders, files and extensions to exclude, and the services and processes to be automatically terminated. It is tailored according to the attacker’s knowledge of the victim’s network.
  • The ransomware can be configured to use different encryption modes, and this determines the speed and extent of encryption on the victim’s network.
  • Mimikatz, the well-known credential-dumping tool, and Nirsoft utilities are also used to extract network passwords. However, it has also been observed that some attackers avoid using software like Mimikatz because it can be detected by antivirus software. Instead, they use Taskmgr.exe to create a dump file of the LSASS.exe process and extract credentials from it.
  • After gaining initial access, the attackers use the PsExec tool for lateral movement in the victim's network. It has been observed that they use PowerShell to modify Windows Defender security settings throughout the victim network, and then launch the ransomware on multiple hosts using PsExec.
  • The group uses Fendr to exfiltrate data from infected networks.
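As an added illustration (not code from the original post or from any vendor), the following Python sketch shows how a defender might flag the three behaviours just listed in endpoint telemetry: Task Manager writing an LSASS dump, PowerShell weakening Defender, and PsExec's service binary running on several hosts. The event records are constructed samples loosely modelled on Sysmon Event ID 1 (ProcessCreate) and Event ID 11 (FileCreate); the field names are assumptions, not a real log schema.

```python
import re
from typing import Optional

# Constructed sample telemetry, loosely modelled on Sysmon Event ID 1 (ProcessCreate)
# and Event ID 11 (FileCreate). Field names are assumptions, not a real log schema.
SAMPLE_EVENTS = [
    {"host": "ws01", "event_id": 11, "image": r"C:\Windows\System32\Taskmgr.exe",
     "target": r"C:\Users\jdoe\AppData\Local\Temp\lsass.DMP", "cmdline": ""},
    {"host": "ws01", "event_id": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "target": "",
     "cmdline": "powershell -nop -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "srv02", "event_id": 1, "image": r"C:\Windows\PSEXESVC.exe",
     "target": "", "cmdline": r"C:\Windows\PSEXESVC.exe"},
    {"host": "srv03", "event_id": 1, "image": r"C:\Windows\PSEXESVC.exe",
     "target": "", "cmdline": r"C:\Windows\PSEXESVC.exe"},
    {"host": "ws03", "event_id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "target": "", "cmdline": "notepad.exe notes.txt"},
]

# Set-MpPreference / Add-MpPreference switches that weaken Defender (-Disable*, -Exclusion*).
DEFENDER_TAMPER = re.compile(r"(?:Set|Add)-MpPreference\b.*?-(?:Disable\w*|Exclusion\w*)", re.I)

def classify_event(evt: dict) -> Optional[str]:
    """Return a detection label for one event, or None if it looks benign."""
    image = evt["image"].lower()
    # Task Manager writing lsass.DMP: the Mimikatz-free credential theft described above.
    if evt["event_id"] == 11 and image.endswith("taskmgr.exe") \
            and evt["target"].lower().endswith("lsass.dmp"):
        return "lsass_dump_via_taskmgr"
    if evt["event_id"] == 1:
        if "powershell" in image and DEFENDER_TAMPER.search(evt["cmdline"]):
            return "defender_tamper_powershell"
        # PSEXESVC.exe is the service binary PsExec drops on the remote host.
        if image.endswith(("psexesvc.exe", "psexec.exe")):
            return "psexec_lateral_movement"
    return None

def scan(events: list) -> list:
    """All (host, label) findings, in event order."""
    return [(e["host"], label) for e in events if (label := classify_event(e))]

def psexec_spread_hosts(events: list) -> set:
    """Hosts where PsExec ran; more than one suggests fan-out deployment of a payload."""
    return {h for h, label in scan(events) if label == "psexec_lateral_movement"}

if __name__ == "__main__":
    for host, label in scan(SAMPLE_EVENTS):
        print(f"{host}: {label}")
    print("psexec hosts:", sorted(psexec_spread_hosts(SAMPLE_EVENTS)))
```

In a real deployment the same three rules map onto SIEM correlation searches; the LSASS-dump rule in particular should fire on any process writing an lsass.DMP file, not only Taskmgr.exe.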

While most ransomware groups threaten to wipe or publish data if the victims hire any negotiation firms, the BlackCat group has managed to surprise us with yet another modification. Apparently, the group creates an intermediary login page to cater to these firms and conducts private negotiations with them.

Victims of BlackCat

Although this group has been around for less than a year, it has quickly become notorious for targeting high-profile victims in various countries and numerous industries throughout the world. Most of the victims are from EU countries. The FBI recently issued a flash alert indicating that the group had already targeted nearly 60 victims as of March 2022; that's merely four months since the group started operating.

Some of the high-profile victims include German oil giants OilTanking GmbH and Mabanaft GmbH, the multinational organization Swissport International, and Italian luxury fashion brand Moncler, among others. The group also claimed responsibility for the attacks on two US universities, Florida International University and North Carolina A&T University.

The group reportedly makes ransom demands ranging from US$400,000 to US$3 million, payable in cryptocurrency. Recent reports suggest that the gang behind BlackCat has already started publishing victims' data on the clear web, also known as the surface web, which is the portion of the internet indexed by search engines. This strategy is designed to exert more pressure and force victims to pay the ransom.

As with any other ransomware attack, paying the ransom is never really a solution, as there is no guarantee that a victim will get all their files back. Also, paying the ransom feeds the attackers' confidence, and incentivizes and encourages them to carry out more attacks. Only the affected organizations know the exact extent of the data loss and the potential damage it can cause. Organizations need to analyze the situation carefully, understand the ramifications of the attack on the company, its clients, employees and other stakeholders, and act accordingly. In any case, it is crucial for organizations to figure out what went wrong: to discover why and how the attack happened, and then fix it. If not, they remain at risk of falling prey to other attacks in the future.

The overall number of victims of this ransomware remains low compared to others, but because it has carried out so many attacks in a short span of time, operates on a RaaS model, and uses sophisticated code and techniques, BlackCat is a major threat to watch for.

An effective security solution is one that detects and tracks an attack quickly, investigates the root cause, and takes remedial action. Our SIEM solution, ManageEngine Log360, helps prevent attacks by alerting when unusual events or activities are detected and initiating automatic remediation processes. To fully evaluate how Log360 can help your organization defend against BlackCat and other cyberattacks, sign up for a free personalized demo.

© 2021 Zoho Corporation Pvt. Ltd. All rights reserved.