Gaurav Mishra Feb 2, 2023 9:23:00 PM 6 min read

BlackCat aka ALPHAV-ng Ransomware (Since 2021)

This ransomware has been observed since November 2021, and in the last quarter of 2022 it was listed among the three most prevalent variants. It very quickly earned its place among the professional ransomware families.

BlackCat is more effective than many other ransomware families because it can target a wider range of systems. It is written in Rust and can target both Windows and Linux. Rust is regarded as a memory-safe, high-performance language that is well suited to concurrent processing, which lets the ransomware encrypt quickly with efficient memory management. Rust binaries are also harder to analyze in a sandbox than those written in more commonly used languages, and they tend to have a lower detection ratio with static-analysis tools, which are often not tuned to every programming language.

In the FLASH alert published by the FBI in April 2022, it was explained that BlackCat (aka AlphaV) gains initial access to the target system using compromised authentication credentials, then leverages that user's access in Active Directory to configure malicious Group Policy Objects (GPOs) with Task Scheduler to deploy its ransomware payload.

Once the payload is deployed, the ransomware disables security controls within the targeted network and exfiltrates data before encryption begins. It uses multiple PowerShell and batch scripts to spread the infection.

 

[Figure: BlackCat infection chain]

In a test campaign conducted by AT&T Labs, the sample behaved like the variants observed in 2021. On virtual machine hosts, it first aims to kill any running virtual machine so that no other parallel infected instance is encrypting at the same time, which would cause data corruption.

Unlike regular servers, a virtual machine host can share the same hard disk with multiple instances.

 

[Figure: Sample ransom note (AT&T Labs)]

 

In its preparation procedure, BlackCat ransomware has also been observed performing the following steps (template commands shown):

  • It deletes Volume Shadow Copies to remove any backup copies of the data.

    vssadmin.exe Delete Shadows /all /quiet

  • It disables recovery in the BCD (Boot Configuration Data) store.

    bcdedit.exe /set {default} recoveryenabled No

  • It raises the MaxMpxCt registry value (the maximum number of outstanding network requests) to 65535 so that many files can be accessed over the network during the encryption process.

    reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f

  • It also attempts to propagate its payload to other systems in the network. For this it runs psexec.exe from the %TEMP% path and inherits its parent's execution permissions.

    psexec.exe -accepteula \\{Target} -u {user} -p {password} -s -d -f -c {payload}.exe {inherited execution flags}

  • Finally, it clears the Windows event logs to hide traces of its activity.

    cmd.exe /c for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"

 

Detection

  • With real-time Windows Event Log and Sysmon telemetry, the executed file name and the SHA256 hash of the process image can be matched against the associated IoCs (SHA256 hashes of the Windows and Linux payloads).

  • On Windows systems, before starting encryption the ransomware stops the services listed below, which would otherwise modify files during encryption and cause data corruption.

AcronisAgent, AcrSch2Svc, backup, BackupExecAgentAccelerator, BackupExecAgentBrowser, BackupExecDiveciMediaService, BackupExecJobEngine, BackupExecManagementService, BackupExecRPCService, BackupExecVSSProvider, GxBlr, GxCIMgr, GxClMgrS, GxCVD, GxFWD, GXMMM, GxVss, GxVssHWProv, memtas, mepocs, msexchange, MSExchange, MSExchange$, MVArmor, MVarmor64, mysql, mysql$, PDVFSService, QBCFMonitorService, QBDBMgrN, QBIDPService, SAP, SAP$, SAPD$, SAPHostControl, SAPHostExec, SAPService, sophos, sql, sql$, svc$, veeam, VeeamDeploymentService, VeeamNFSSvc, VeeamTransportSvc, VSNAPVSS, vss, WSBExchang
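As an added example (not part of the original post or of AT&T Labs' research), the following Python flags the template commands from the preparation steps above in Sysmon Event ID 1 process-creation records and correlates them per host, so that the Detection guidance above can be applied to raw telemetry. The event records, host names and stage names are constructed, and the %TEMP% check assumes the process image path is present in each record.

```python
import re
from datetime import datetime

# Constructed Sysmon Event ID 1 records (timestamp, host, image path, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("2023-02-01T10:00:01", "ws01", r"C:\Windows\System32\vssadmin.exe",
     "vssadmin.exe Delete Shadows /all /quiet"),
    ("2023-02-01T10:00:03", "ws01", r"C:\Windows\System32\bcdedit.exe",
     "bcdedit.exe /set {default} recoveryenabled No"),
    ("2023-02-01T10:00:05", "ws01", r"C:\Windows\System32\reg.exe",
     r"reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f"),
    ("2023-02-01T10:00:09", "ws01", r"C:\Users\a\AppData\Local\Temp\psexec.exe",
     r"psexec.exe -accepteula \\srv02 -u {user} -p {password} -s -d -f -c payload.exe"),
    ("2023-02-01T10:00:20", "ws01", r"C:\Windows\System32\cmd.exe",
     "cmd.exe /c for /F \"tokens=*\" %1 in ('wevtutil.exe el') DO wevtutil.exe cl \"%1\""),
    # Benign admin activity on another host: listing shadow copies must not trigger.
    ("2023-02-01T11:30:00", "ws02", r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe list shadows"),
]

# One regex per preparation stage described above, applied to the command line.
STAGES = {
    "shadow_copy_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "recovery_disabled": re.compile(r"bcdedit(\.exe)?\s.*recoveryenabled\s+no\b", re.I),
    "maxmpxct_tuning": re.compile(r"reg(\.exe)?\s+add\s.*LanmanServer\\Parameters.*MaxMpxCt", re.I),
    "psexec_from_temp": re.compile(r"psexec(\.exe)?\s+-accepteula", re.I),
    "eventlog_clearing": re.compile(r"wevtutil(\.exe)?\s+cl\b", re.I),
}

def classify(image, command_line):
    """Return the preparation stage one process-creation event matches, or None.
    PsExec only counts when launched from a %TEMP% path, as described above."""
    for stage, pattern in STAGES.items():
        if pattern.search(command_line):
            if stage != "psexec_from_temp" or "\\temp\\" in image.lower():
                return stage
    return None

def correlate(events, window_seconds=600):
    """Return {host: sorted stages} for hosts with >= 2 distinct stages within the window."""
    hits = {}
    for ts, host, image, cmd in events:
        if stage := classify(image, cmd):
            hits.setdefault(host, []).append((datetime.fromisoformat(ts), stage))
    alerts = {}
    for host, items in hits.items():
        first = min(items)[0]  # earliest hit on this host anchors the window
        stages = {s for t, s in items if (t - first).total_seconds() <= window_seconds}
        if len(stages) >= 2:
            alerts[host] = sorted(stages)
    return alerts
```

A single matching command (for example a legitimate shadow-copy cleanup) is deliberately left to triage; only two or more distinct stages on one host inside the window raise an alert.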

 


 

References

  • AT&T Labs (screenshots and images)

  • VirusTotal (IOC source)