Today we are going to take a look at another strain of ransomware that has been around for several months but has only recently started getting much press. BlackCat ransomware, which you may also see referred to as ALPHV, has some interesting features. Let's take a closer look at some of the operational highlights of BlackCat ransomware.
BlackCat ransomware first appeared in November 2021, but potentially has a longer history. Researchers have seen evidence that BlackCat is a further evolution and rebranding of DarkSide and BlackMatter.
Let’s take a closer look at this ransomware and its capabilities.
BlackCat Triple Extortion
BlackCat gets its name from the black cat featured on the group's payment site. Like many other ransomware variants, BlackCat operates with a Ransomware as a Service (RaaS) model, which makes the barrier to entry very low. Affiliates also keep 80-90% of the ransom paid, which is of course a huge incentive.
With the RaaS model, BlackCat affiliates only need to gain access to a network to be able to deploy the ransomware. Once they have found a way in, they deploy the BlackCat ransomware, at which point the BlackCat organization takes over the negotiations.
Like many ransomware families, BlackCat both encrypts and steals data, but it adds a third level of extortion: if the ransom is not paid in time, a DDoS attack is carried out against the victim organization.
BlackCat Ransomware Technical Details
There are several interesting aspects of BlackCat ransomware. First, it is written in the Rust programming language, which makes it easy to compile for both Linux and Windows. ESXi is also a target: BlackCat specifically removes ESXi VM snapshots, so that virtual machines cannot simply be rolled back to a clean state once the datastores are encrypted.
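Because the ESXi snapshot removal has to be done with the host's own command-line tools, one practical check is to watch the ESXi shell history for snapshot-deletion and VM-kill commands arriving in a tight burst. The script below is an added example for this post, not BlackCat code and not any vendor's detection; it assumes the `/var/log/shell.log` line format (`<timestamp> shell[<pid>]: [<user>]: <command>`), uses the real `vim-cmd` and `esxcli` sub-commands an operator would need, and the sample log lines are constructed for the example.

```python
"""Flag bursts of snapshot-deletion / VM-kill commands in an ESXi shell log.

Added example, not from the original post or from BlackCat. Assumptions:
  * ESXi /var/log/shell.log lines look like
        2022-01-10T03:12:09Z shell[66120]: [root]: vim-cmd vmsvc/snapshot.removeall 3
  * a single snapshot removal by an admin is normal; several in under a
    minute, followed by killing VM processes, is what an attacker preparing
    to encrypt datastores looks like.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# Ordered so that the more specific prefix (removeall) is tried before the
# shorter one (remove). These are real ESXi sub-commands.
SUSPICIOUS_COMMANDS = [
    ("vim-cmd vmsvc/snapshot.removeall", "delete all snapshots of a VM"),
    ("vim-cmd vmsvc/snapshot.remove", "delete a snapshot"),
    ("vim-cmd vmsvc/power.off", "power off a VM"),
    ("esxcli vm process kill", "kill a running VM process"),
    ("esxcli system syslog config set", "tamper with log forwarding"),
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+shell\[(?P<pid>\d+)\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.*)$"
)

# Constructed sample; not a real capture. The first line is a benign,
# isolated snapshot cleanup the day before; the rest is the burst.
SAMPLE_SHELL_LOG = """\
2022-01-09T14:02:11Z shell[51002]: [root]: vim-cmd vmsvc/snapshot.removeall 12
2022-01-10T03:12:01Z shell[66120]: [root]: esxcli vm process list
2022-01-10T03:12:05Z shell[66120]: [root]: vim-cmd vmsvc/getallvms
2022-01-10T03:12:09Z shell[66120]: [root]: vim-cmd vmsvc/snapshot.removeall 3
2022-01-10T03:12:10Z shell[66120]: [root]: vim-cmd vmsvc/snapshot.removeall 5
2022-01-10T03:12:11Z shell[66120]: [root]: vim-cmd vmsvc/snapshot.removeall 7
2022-01-10T03:12:14Z shell[66120]: [root]: esxcli vm process kill --type=force --world-id=2103412
2022-01-10T03:14:30Z shell[66120]: [root]: ls /vmfs/volumes
"""


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    command: str
    reason: str


def parse_line(line):
    """Return the fields of one shell.log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(command):
    """Return why a command is suspicious, or None for anything else."""
    cmd = " ".join(command.split())  # collapse stray whitespace before matching
    for prefix, reason in SUSPICIOUS_COMMANDS:
        if cmd.startswith(prefix):
            return reason
    return None


def scan(lines):
    """Collect every suspicious command in the log, in log order."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not a command line (or a format we don't understand)
        reason = classify(rec["cmd"])
        if reason:
            findings.append(Finding(rec["ts"], rec["user"], rec["cmd"], reason))
    return findings


def _parse_ts(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def peak_burst(findings, window_seconds=60):
    """Densest window of findings: (count, first_ts, last_ts).

    Sliding two-pointer window over findings sorted by time, so an isolated
    admin cleanup stays at count 1 while an attacker's rapid sequence stands out.
    """
    if not findings:
        return (0, None, None)
    ordered = sorted(findings, key=lambda f: _parse_ts(f.ts))
    stamps = [_parse_ts(f.ts) for f in ordered]
    best, start = (0, None, None), 0
    for end in range(len(ordered)):
        while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
            start += 1
        count = end - start + 1
        if count > best[0]:
            best = (count, ordered[start].ts, ordered[end].ts)
    return best


if __name__ == "__main__":
    hits = scan(SAMPLE_SHELL_LOG.splitlines())
    for h in hits:
        print(f"{h.ts} {h.user}: {h.command}  <- {h.reason}")
    print("peak burst (count, first, last):", peak_burst(hits))
```

Tune `window_seconds` and the alert threshold to your own change windows; the point is the rate, not any single command, since snapshot cleanup is a legitimate admin task.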
Many ransomware groups have "shut down" once they have attracted too much publicity. Take the example of DarkSide, which made headlines after the Colonial Pipeline attack and then came back as BlackMatter. BlackMatter in turn shut down after pressure was once again applied following a string of attacks targeting healthcare companies. When a group shuts down and comes back, there are usually significant improvements to the group's extortion operations, as well as technical changes to improve the ransomware itself.
There is never quite an official statement saying what has rebranded into what or what the relationships are, but security researchers usually find clues in the software and attack patterns that strengthen the case for those relationships.
This is a pattern that has played out over and over: once a group develops too much notoriety, it "shuts down", usually emerging in another form. This also tends to happen when a decryptor is released for a specific strain of ransomware.
Ransomware on the Rise
It is no surprise that ransomware continues to be on the rise. The core problem is that by the time organizations realize they have been compromised, the damage is already done. Minimizing the impact of ransomware therefore becomes a two-pronged approach.
The first prong is prevention. Of course we want to stop ransomware from entering our environment in the first place. Unfortunately, users are human. While there are many technology-based solutions that attempt to mitigate the risk of phishing and malicious emails, nothing is 100% foolproof.
That brings us to the second prong of defending against ransomware, which is recovery. You must be prepared to recover if ransomware does in fact make it into your environment.
Unfortunately, there is no single solution that protects against ransomware; a multifaceted approach must be taken to ensure organizations can recover if impacted.
Learn more about LockBit ransomware, covered in a recent post.