The numerous lives of BlackCat ransomware
The BlackCat ransomware, often known as ALPHV, is a prevalent menace and a major instance of the rising ransomware-as-a-service (RaaS) gig economic system. It’s noteworthy resulting from its unconventional programming language (Rust), a number of goal units and attainable entry factors, and affiliation with prolific menace exercise teams. Whereas BlackCat’s arrival and execution differ primarily based on the actors deploying it, the end result is similar—goal knowledge is encrypted, exfiltrated, and used for “double extortion,” the place attackers threaten to launch the stolen knowledge to the general public if the ransom isn’t paid.
First noticed in November 2021, BlackCat initially made headlines as a result of it was one of many first ransomware households written within the Rust programming language. By utilizing a contemporary language for its payload, this ransomware makes an attempt to evade detection, particularly by typical safety options which may nonetheless be catching up of their skill to investigate and parse binaries written in such language. BlackCat can even goal a number of units and working programs. Microsoft has noticed profitable assaults towards Home windows and Linux units and VMWare cases.
As we beforehand defined, the RaaS affiliate mannequin consists of a number of gamers: entry brokers, who compromise networks and keep persistence; RaaS operators, who develop instruments; and RaaS associates, who carry out different actions like shifting laterally throughout the community and exfiltrating knowledge earlier than in the end launching the ransomware payload. Thus, as a RaaS payload, how BlackCat enters a goal group’s community varies, relying on the RaaS affiliate that deploys it. For instance, whereas the frequent entry vectors for these menace actors embody distant desktop functions and compromised credentials, we additionally noticed a menace actor leverage Change server vulnerabilities to achieve goal community entry. As well as, at the very least two recognized associates at the moment are adopting BlackCat: DEV-0237 (recognized for beforehand deploying Ryuk, Conti, and Hive) and DEV-0504 (beforehand deployed Ryuk, REvil, BlackMatter, and Conti).
Such variations and adoptions markedly enhance a corporation’s threat of encountering BlackCat and pose challenges in detecting and defending towards it as a result of these actors and teams have totally different techniques, methods, and procedures (TTPs). Thus, no two BlackCat “lives” or deployments would possibly look the identical. Certainly, primarily based on Microsoft menace knowledge, the affect of this ransomware has been famous in numerous nations and areas in Africa, the Americas, Asia, and Europe.
Human-operated ransomware assaults like people who deploy BlackCat proceed to evolve and stay one of many attackers’ most well-liked strategies to monetize their assaults. Organizations ought to contemplate complementing their safety greatest practices and insurance policies with a complete resolution like Microsoft 365 Defender, which affords safety capabilities that correlate numerous menace indicators to detect and block such assaults and their follow-on actions.
On this weblog, we offer particulars concerning the ransomware’s methods and capabilities. We additionally take a deep dive into two incidents we’ve noticed the place BlackCat was deployed, in addition to extra details about the menace exercise teams that now ship it. Lastly, we provide greatest practices and suggestions to assist defenders defend their organizations towards this menace, together with searching queries and product-specific mitigations.
BlackCat’s anatomy: Payload capabilities
As talked about earlier, BlackCat is among the first ransomware written within the Rust programming language. Its use of a contemporary language exemplifies a latest development the place menace actors swap to languages like Rust or Go for his or her payloads of their try and not solely keep away from detection by typical safety options but in addition to problem defenders who could also be making an attempt to reverse engineer the mentioned payloads or examine them to comparable threats.
BlackCat can goal and encrypt Home windows and Linux units and VMWare cases. It has in depth capabilities, together with self-propagation configurable by an affiliate for his or her utilization and to setting encountered.
Within the cases we’ve noticed the place the BlackCat payload didn’t have administrator privileges, the payload was launched through dllhost.exe, which then launched the next instructions under (Desk 1) through cmd.exe. These instructions might differ, because the BlackCat payload permits associates to customise execution to the setting.
The flags utilized by the attackers and the choices out there have been the next: -s -d -f -c; –access-token; –propagated; -no-prop-servers
| Command | Description |
| [service name] /cease | Stops working companies to permit encryption of information |
| vssadmin.exe Delete Shadows /all /quiet | Deletes backups to forestall restoration |
| wmic.exe Shadowcopy Delete | Deletes shadow copies |
| wmic csproduct get UUID | Will get the Universally Distinctive Identifier (UUID) of the goal system |
| reg add HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices LanmanServerParameters /v MaxMpxCt /d 65535 /t REG_DWORD /f | Modifies the registry to alter MaxMpxCt settings; BlackCat does this to extend the variety of excellent requests allowed (for instance, SMB requests when distributing ransomware through its PsExec methodology) |
| for /F ”tokens=*” %1 in (‘wevtutil.exe el’) DO wevtutil.exe cl ”%1” | Clears occasion logs |
| fsutil habits set SymlinkEvaluation R2L:1 | Permits remote-to-local symbolic hyperlinks; a symbolic hyperlink is a file-system object (for instance, a file or folder) that factors to a different file system object, like a shortcut in some ways however extra highly effective |
| fsutil habits set SymlinkEvaluation R2R:1 | Permits remote-to-remote symbolic hyperlinks |
| web use [computer name] /person:[domain][user] [password] /persistent:no | Mounts community share |
Person account management (UAC) bypass
BlackCat can bypass UAC, which implies the payload will efficiently run even when it runs from a non-administrator context. If the ransomware isn’t run with administrative privileges, it runs a secondary course of underneath dllhost.exe with enough permissions wanted to encrypt the utmost variety of information on the system.
Area and system enumeration
The ransomware can decide the pc title of the given system, native drives on a tool, and the AD area title and username on a tool. The malware can even establish whether or not a person has area admin privileges, thus rising its functionality of ransoming extra units.
Self-propagation
BlackCat discovers all servers which can be linked to a community. The method first broadcasts NetBIOS Identify Service (NBNC) messages to examine for these extra units. The ransomware then makes an attempt to copy itself on the answering servers utilizing the credentials specified inside the config through PsExec.
Hampering restoration efforts
BlackCat has quite a few strategies to make restoration efforts harder. The next are instructions that is perhaps launched by the payload, in addition to their functions:
- Modify boot loader
- “C:Windowssystem32cmd.exe” /c “bcdedit /set {default}”
- “C:Windowssystem32cmd.exe” /c “bcdedit /set {default} recoveryenabled No”
- Delete quantity shadow copies
- “C:Windowssystem32cmd.exe” /c “vssadmin.exe Delete Shadows /all /quiet”
- “C:Windowssystem32cmd.exe” /c “wmic.exe Shadowcopy Delete”
- Clear Home windows occasion logs
- “C:Windowssystem32cmd.exe” /c “cmd.exe /c for /F ”tokens=*” Incorrect operate. in (‘ wevtutil.exe el ‘) DO wevtutil.exe cl ”Incorrect operate. ””
Slinking its manner in: Figuring out assaults that may result in BlackCat ransomware
According to the RaaS mannequin, menace actors make the most of BlackCat as an extra payload to their ongoing campaigns. Whereas their TTPs stay largely the identical (for instance, utilizing instruments like Mimikatz and PsExec to deploy the ransomware payload), BlackCat-related compromises have various entry vectors, relying on the ransomware affiliate conducting the assault. Due to this fact, the pre-ransom steps of those assaults will also be markedly totally different.
For instance, our analysis famous that one affiliate that deployed BlackCat leveraged unpatched Change servers or used stolen credentials to entry goal networks. The next sections element the end-to-end assault chains of those two incidents we’ve noticed.
Case examine 1: Entry through unpatched Change
In a single incident we’ve noticed, attackers took benefit of an unpatched Change server to enter the goal group.
Discovery
Upon exploiting the Change vulnerability, the attackers launched the next discovery instructions to collect details about the system they’d compromised:
- cmd.exe and the instructions ver and systeminfo – to gather working system info
- web.exe – to find out area computer systems, area controllers, and area admins within the setting
After executing these instructions, the attackers navigated by means of directories and found a passwords folder that granted them entry to account credentials they might use within the subsequent levels of the assault. In addition they used the del command to delete information associated to their preliminary compromise exercise.
The attackers then mounted a community share utilizing web use and the stolen credentials and started on the lookout for potential lateral motion targets utilizing a mixture of strategies. First, they used WMIC.exe utilizing the beforehand gathered system title because the node, launched the command whoami /all, and pinged google.com to examine community connectivity. The output of the outcomes have been then written to a .log file on the mounted share. Second, the attackers used PowerShell.exe with the cmdlet Get-ADComputer and a filter to collect the final sign-in occasion.
Lateral motion
Two and a half days later, the attackers signed into one of many goal units they discovered throughout their preliminary discovery efforts utilizing compromised credentials through interactive sign-in. They opted for a credential theft method that didn’t require dropping a file like Mimikatz that antivirus merchandise would possibly detect. As a substitute, they opened Taskmgr.exe, created a dump file of the LSASS.exe course of, and saved the file to a ZIP archive.
The attackers continued their earlier discovery efforts utilizing a PowerShell script model of ADRecon (ADRecon.ps1), which is a device designed to collect in depth details about an Lively Listing (AD) setting. The attacker adopted up this motion with a web scanning device that opened connections to units within the group on server message block (SMB) and distant desktop protocol (RDP). For found units, the attackers tried to navigate to varied community shares and used the Distant Desktop consumer (mstsc.exe) to signal into these units, as soon as once more utilizing the compromised account credentials.
These behaviors continued for days, with the attackers signing into quite a few units all through the group, dumping credentials, and figuring out what units they might entry.
Assortment and exfiltration
On lots of the units the attackers signed into, efforts have been made to gather and exfiltrate in depth quantities of information from the group, together with area settings and knowledge and mental property. To do that, the attackers used each MEGAsync and Rclone, which have been renamed as reliable Home windows course of names (for instance, winlogon.exe, mstsc.exe).
Exfiltration of area info to establish targets for lateral motion
Gathering area info allowed the attackers to progress additional of their assault as a result of the mentioned info might establish potential targets for lateral motion or people who would assist the attackers distribute their ransomware payload. To do that, the attackers as soon as once more used ADRecon.ps1with quite a few PowerShell cmdlets akin to the next:
- Get-ADRGPO – will get group coverage objects (GPO) in a site
- Get-ADRDNSZone – will get all DNS zones and data in a site
- Get-ADRGPLink – will get all group coverage hyperlinks utilized to a scope of administration in a site
Moreover, the attackers dropped and used ADFind.exe instructions to collect info on individuals, computer systems, organizational items, and belief info, in addition to pinged dozens of units to examine connectivity.
Exfiltration for double extortion
Mental property theft doubtless allowed the attackers to threaten the discharge of knowledge if the following ransom wasn’t paid—a apply referred to as “double extortion.” To steal mental property, the attackers focused and picked up knowledge from SQL databases. In addition they navigated by means of directories and undertaking folders, amongst others, of every system they might entry, then exfiltrated the info they present in these.
The exfiltration occurred for a number of days on a number of units, which allowed the attackers to collect giant volumes of knowledge that they might then use for double extortion.
Encryption and ransom
It was a full two weeks from the preliminary compromise earlier than the attackers progressed to ransomware deployment, thus highlighting the necessity for triaging and scoping out alert exercise to know accounts and the scope of entry an attacker gained from their exercise. Distribution of the ransomware payload utilizing PsExec.exe proved to be the most typical assault methodology.
Case examine 2: Entry through compromised credentials
In one other incident we noticed, we discovered {that a} ransomware affiliate gained preliminary entry to the setting through an internet-facing Distant Desktop server utilizing compromised credentials to register.
Lateral motion
As soon as the attackers gained entry to the goal setting, they then used SMB to repeat over and launch the Complete Deployment Software program administrative device, permitting distant automated software program deployment. As soon as this device was put in, the attackers used it to put in ScreenConnect (now referred to as ConnectWise), a distant desktop software program utility.
Credential theft
ScreenConnect was used to determine a distant session on the system, permitting attackers interactive management. With the system of their management, the attackers used cmd.exe to replace the Registry to permit cleartext authentication through WDigest, and thus saved the attackers time by not having to crack password hashes. Shortly later, they used the Job Supervisor to dump the LSASS.exe course of to steal the password, now in cleartext.
Eight hours later, the attackers reconnected to the system and stole credentials once more. This time, nevertheless, they dropped and launched Mimikatz for the credential theft routine, doubtless as a result of it will probably seize credentials past these saved in LSASS.exe. The attackers then signed out.
Persistence and encryption
A day later, the attackers returned to the setting utilizing ScreenConnect. They used PowerShell to launch a command immediate course of after which added a person account to the system utilizing web.exe. The brand new person was then added to the native administrator group through web.exe.
Afterward, the attackers signed in utilizing their newly created person account and started dropping and launching the ransomware payload. This account would additionally function a way of extra persistence past ScreenConnect and their different footholds within the setting to permit them to re-establish their presence, if wanted. Ransomware adversaries aren’t above ransoming the identical group twice if entry will not be totally remediated.
Chrome.exe was used to navigate to a site internet hosting the BlackCat payload. Notably, the folder construction included the group title, indicating that this was a pre-staged payload particularly for the group. Lastly, the attackers launched the BlackCat payload on the system to encrypt its knowledge.
Ransomware associates deploying BlackCat
Other than the incidents mentioned earlier, we’ve additionally noticed two of probably the most prolific affiliate teams related to ransomware deployments have switched to deploying BlackCat. Payload switching is typical for some RaaS associates to make sure enterprise continuity or if there’s a chance of higher revenue. Sadly for organizations, such adoption additional provides to the problem of detecting associated threats.
Microsoft tracks one in all these affiliate teams as DEV-0237. Also referred to as FIN12, DEV-0237 is notable for its distribution of Hive, Conti, and Ryuk ransomware. We’ve noticed that this group added BlackCat to their listing of distributed payloads starting March 2022. Their swap to BlackCat from their final used payload (Hive) is suspected to be as a result of public discourse across the latter’s decryption methodologies.
DEV-0504 is one other lively affiliate group that we’ve seen switching to BlackCat for his or her ransomware assaults. Like many RaaS affiliate teams, the next TTPs is perhaps noticed in a DEV-0504 assault:
- Entry vector that may contain the affiliate remotely signing into units with compromised credentials, akin to into units working software program options that enable for distant work
- The attackers’ use of their entry to conduct discovery on the area
- Lateral motion that doubtlessly makes use of the preliminary compromised account
- Credential theft with instruments like Mimikatz and Rubeus
DEV-0504 sometimes exfiltrates knowledge on units they compromise from the group utilizing a malicious device akin to StealBit—typically named “ship.exe” or “sender.exe”. PsExec is then used to distribute the ransomware payload. The group has been noticed delivering the next ransom households earlier than their adoption of BlackCat starting December 2021:
- BlackMatter
- Conti
- LockBit 2.0
- Revil
- Ryuk
Defending towards BlackCat ransomware
Right now’s ransomware assaults have turn out to be extra impactful due to their rising industrialization by means of the RaaS affiliate mannequin and the rising development of double extortion. The incidents we’ve noticed associated to the BlackCat ransomware leverage these two components, making this menace sturdy towards typical safety and protection approaches that solely give attention to detecting the ransomware payloads. Detecting threats like BlackCat, whereas good, is not sufficient as human-operated ransomware continues to develop, evolve, and adapt to the networks they’re deployed or the attackers they work for.
As a substitute, organizations should shift their defensive methods to forestall the end-to-end assault chain. As famous above, whereas attackers’ entry factors might differ, their TTPs stay largely the identical. As well as, all these assaults proceed to make the most of a corporation’s poor credential hygiene and legacy configurations or misconfigurations to succeed. Due to this fact, defenders ought to deal with these frequent paths and weaknesses by hardening their networks by means of numerous greatest practices akin to entry monitoring and correct patch administration. We offer detailed steps on constructing these defensive methods towards ransomware on this weblog.
Within the BlackCat-related incidents we’ve noticed, the frequent entry factors for ransomware associates have been through compromised credentials to entry internet-facing distant entry software program and unpatched Change servers. Due to this fact, defenders ought to overview their group’s id posture, rigorously monitor exterior entry, and find susceptible Change servers of their setting to replace as quickly as attainable. The monetary affect, status injury, and different repercussions that stem from assaults involving ransomware like BlackCat aren’t price forgoing downtime, service interruption, and different ache factors associated to making use of safety updates and implementing greatest practices.
Leveraging Microsoft 365 Defender’s complete menace protection capabilities
Microsoft 365 Defender helps defend organizations from assaults that ship the BlackCat ransomware and different comparable threats by offering cross-domain visibility and coordinated menace protection. It makes use of a number of layers of dynamic safety applied sciences and correlates menace knowledge from electronic mail, endpoints, identities, and cloud apps. Microsoft Defender for Endpoint detects instruments like Mimikatz, the precise BlackCat payload, and subsequent attacker habits. Menace and vulnerability administration capabilities additionally assist uncover susceptible or misconfigured units throughout totally different platforms; such capabilities might assist detect and block attainable exploitation makes an attempt on susceptible units, akin to these working Change. Lastly, superior searching lets defenders create customized detections to proactively floor this ransomware and different associated threats.
Further mitigations and suggestions
Defenders can even comply with the next steps to cut back the affect of this ransomware:
Microsoft 365 Defender prospects can even apply the extra mitigations under:
- Use superior safety towards ransomware.
- Activate tamper safety in Microsoft Defender for Endpoint to forestall malicious adjustments to safety settings. Allow community safety in Microsoft Defender for Endpoint and Microsoft 365 Defender to forestall functions or customers from accessing malicious domains and different malicious content material on the web.
- Guarantee Change servers have utilized the mitigations referenced within the associated Menace Analytics report.
- Activate the next assault floor discount guidelines to dam or audit exercise related to this menace:
- Block credential stealing from the Home windows native safety authority subsystem (lsass.exe)
- Block course of creations originating from PSExec and WMI instructions
- Block executable information from working except they meet a prevalence, age, or trusted listing criterion
For a full listing of ransomware mitigations no matter menace, discuss with this text: Quickly defend towards ransomware and extortion.
Be taught how one can cease assaults by means of automated, cross-domain safety and built-in AI with Microsoft Defender 365.
Microsoft 365 Defender Menace Intelligence Crew
Appendix
Microsoft 365 Defender detections
Microsoft Defender Antivirus
Microsoft Defender for Endpoint EDR
Alerts with the next titles within the safety heart can point out menace exercise in your community:
- An lively ‘BlackCat’ ransomware was detected
- ‘BlackCat’ ransomware was detected
- BlackCat ransomware
Searching queries
Microsoft 365 Defender
To find attainable ransomware exercise, run the next queries.
Suspicious course of execution in PerfLogs path
Use this question to search for processes executing in PerfLogs—a typical path used to put the ransomware payloads.
DeviceProcessEvents
| the place InitiatingProcessFolderPath has "PerfLogs"
| the place InitiatingProcessFileName matches regex "[a-z]{3}.exe"
| lengthen Size = strlen(InitiatingProcessFileName)
| the place Size == 7
Suspicious registry modification of MaxMpxCt parameters
Use this question to search for suspicious working processes that modify registry settings to extend the variety of excellent requests allowed (for instance, SMB requests when distributing ransomware through its PsExec methodology).
DeviceProcessEvents
| the place ProcessCommandLine has_all("LanmanServer", "parameters", "MaxMpxCt", "65535")
Suspicious command line indicative of BlackCat ransom payload execution
Use these queries to search for cases of the BlackCat payload executing primarily based on a required command argument for it to efficiently encrypt ‘–access-token’.
DeviceProcessEvents
| the place ProcessCommandLine has_all("--access-token", "-v")
| lengthen CommandArguments = cut up(ProcessCommandLine, " ")
| mv-expand CommandArguments
| the place CommandArguments matches regex "^[A-Fa-f0-9]{64}$"
DeviceProcessEvents | the place InitiatingProcessCommandLine has "--access-token" | the place ProcessCommandLine has "get uuid"
Suspected knowledge exfiltration
Use this question to search for command traces that point out knowledge exfiltration and the indication that an attacker might try double extortion.
DeviceNetworkEvents
| the place InitiatingProcessCommandLine has_all("copy", "--max-age", "--ignore-existing", "--multi-thread-streams", "--transfers") and InitiatingProcessCommandLine has_any("ftp", "ssh", "-q")
