BlackCat Ransomware Detection: Bad Luck Written in Rust

WRITTEN BY
Alla Yurchenko
[post-views]
February 01, 2022 · 4 min read

Adversaries are searching for new means of turning up the heat, this time bringing new, Rust-written ransomware to attack organizations in the U.S., Europe, Australia, India, and the Philippines. ALPHV BlackCat ransomware developers target Windows and Linux OSs through 3rd party framework/toolset (e.g., Cobalt Strike) or by exploiting vulnerable applications.

The BlackCat gang is now actively recruiting hackers on forums like RAMP, XSS, and Exploit, enticing them with an impressive share of ransom payments.

BlackCat Ransomware Attack Routine

According to the extensive Palo Alto analysis, this ransomware stands out for its adaptiveness, allowing attackers to tailor it to each target for the damage increase. The BlackCat threat actors utilize various tactics and encryption routines. The ransomware can be configured to use four different encryption modes:

  1. Full file encryption
  2. Fast (only the first N megabytes are encrypted)
  3. DotPattern (N megabytes are encrypted via M step)
  4. Auto (files processing is on locker)

Current data indicates that the threat actors leveraging BlackCat, employ multiple extortion techniques, steal victims’ data in double and triple extortion schemes, threaten to leak sensitive information, and launch distributed denial-of-service (DDoS) attacks.

The ransomware will terminate processes and services that could potentially prevent encryption in its setup process. Consequently, it will shut down the operation of virtual machines and ESXi VMs, and delete ESXi snapshots to obstruct or prevent recovery. BlackCat uses a random name extension on every encrypted device, appended to all files and included in the ransom note. It urges the infected users to connect to the attackers’ payment portal via TOR, with ransom demands in either Bitcoin or Monero.

Reported Attacks Like BlackCat

We witness a growing trend of hackers widening their repertoire of languages used for crafting malware. There are an increasing number of cases using malware written in Dlang, Go, Nim, and Rust, to find new paths of bypassing security protections, evade analysis, and reach higher chances of evasion success. Labeled “the new generation of ransomware”, BlackCat displays similar behavioral elements to those of a DarkSide successor, BlackMatter ransomware. Despite numerous similarities, the ALPHV BlackCat ransomware includes innovative features that single it out from RaaS programs aimed at corporate breaches. BlackCat operators have learned from the mistakes of their RaaS predecessors, employing new infection vectors, novel execution options, and particularly aggressive naming and shaming campaigns.

BlackCat Mitigation

ALPHV first surfaced in mid-November 2021 and has been actively prowling around for victims across industries. Unfortunately, quite successfully. According to the reports, victims are asked to pay up to $14 million to get hold of their files.

To protect your company infrastructure from possible BlackCat attacks, you can download a set of free Sigma rules developed by our seasoned Threat Bounty developers Emir Erdogan and Kaan Yeniyol, who never miss a trick.

BlackCat Ransomware Detect (via cmdline)

This detection has translations for the following SIEM, EDR & XDR platforms: Microsoft Sentinel, Elastic Stack, Splunk, Humio, Sumo Logic, ArcSight, QRadar, FireEye, LogPoint, Graylog, Regex Grep, RSA NetWitness, Chronicle Security, Microsoft Defender ATP, Securonix, Apache Kafka ksqlDB, Carbon Black, Open Distro, and AWS OpenSearch.

The rule is aligned with the latest MITRE ATT&CK® framework v.10, addressing the Command and Control, Execution, Impact, and Exfiltration tactics with Application Layer Protocol (T1071), Command and Scripting Interpreter (T1059), Data Encrypted for Impact (T1486), and Data Transfer Size Limits (T1030) as the main techniques.

BlackCat Ransomware Execution And Recon UUID

This detection has translations for the following SIEM, EDR & XDR platforms: Microsoft Sentinel, Elastic Stack, Splunk, Humio, Sumo Logic, ArcSight, QRadar, LimaCharlie, FireEye, LogPoint, Graylog, Regex Grep, RSA NetWitness, Chronicle Security, Securonix, Apache Kafka ksqlDB, Open Distro, and AWS OpenSearch.

The rule is aligned with the latest MITRE ATT&CK® framework v.10, addressing the Execution, Defense Evasion, and Discovery tactics with Command and Scripting Interpreter (T1059), Indirect Command Execution (T1202), and System Service Discovery (T1007) as the main techniques.

The full list of detections in the Threat Detection Marketplace repository of the SOC Prime platform is available here.

Sign up for free at SOC Prime’s Detection as Code platform to detect the latest threats within your security environment, improve log source and MITRE ATT&CK coverage, and defend against attacks easier, faster, and more efficiently. Adepts at cybersecurity are more than welcome to join the Threat Bounty program to share curated Sigma rules with the community and get recurrent rewards.

Go to Platform Join Threat Bounty

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts