An Investigation Into The BlackCat Ransomware
An infamous Ransomware as a Service (RaaS), BlackCat/ALPHV, managed to compromise more than 60 entities around the world, as published by the FBI. Using Rust programming language to build the ransomware, it enables fast performance to speed up the encryption of victim files and allows easy compilation of other target operating systems like Linux. This ransomware includes many features that makes it unique and stand out from other ransomware cases we have previously investigated.
BlackCat/ALPHV Affiliate Program
As a RaaS, ALPHV started advertising the service in the underground community to find affiliates who will carry out the attack against organizations and run the ransomware. These affiliates were given a percentage of the ransom payment paid by the compromised company. ALPHV was created as a new RaaS from scratch, that had fixed issues that affiliates had faced in previous attacks. The picture below is from one of these underground communities that shows how the RaaS was built, mentioning other threat actors like LockBit Conti, DarkSide, REvil and learning from their mistakes.
The RaaS affiliate model includes:
- Access brokers, whose duty is to compromise the target’s environment and maintain persistence.
- RaaS operators, who develop the tools, payload and maintain the infrastructure.
- RaaS affiliates, who move across the environment laterally and exfiltrate sensitive data for double extortion before launching the ransomware attack.
Features of BlackCat/ALPHV Ransomware
There are multiple key features that make this ransomware unique.
- Built with Rust programming language, it is a high performing ransomware that is highly customizable and provides cross-platform capabilities to compile multiple systems across Linux, macOS, Windows and other supported platforms.
- Automated network propagation using PsExec.
- Can be customized at runtime by supplying arguments.
- It will only be executed once the access token argument is supplied – this access token is used to create a unique protected channel for communication between the attacker and the victim for negotiations.
- Can use multiple privilege escalation methods (Secondary_Logon_handle_privesc , UAC bypass).
- Can clear and delete all windows event logs.
- Also deletes shadow copies.
- Can be easily customized to kill specific services
Phases of the Ransomware Execution
The following is a breakdown of the phases that these threat actors have utilized to compromise the victim’s environment and execute the ransomware.
These techniques cover what we observed in our last investigation and what other analysts have shared online:
- It attacked public-facing applications (in our case the threat actor exploited Proxy Logon vulnerability to gain access into the victim’s environment).
- Stolen credentials were used to gain initial access.
After gaining access, threat actors began executing their objectives:
- Deployed backdoor (Cobalt Strike b=Beacon) to access the environment.
- Used Cobalt Strike for lateral movement.
- Accessed servers using RDP through Cobalt Strike socks proxy.
- Compromised the Active Directory and gained full access to the environment.
- Evaluated the environment for servers containing critical data.
- Used publicly available tools and script like (PowerUpSQL).
Attacker used a group policy to create scheduled tasks which ran (net.exe) command to keep a password reset for a rarely used domain admin user.
After enumerating the environment, threat actors exfiltrated the data by using 7zip to compress the data and then uploaded it to their servers. A huge network traffic was observed in the time frame of one month. The exfiltration part is very important for the attacker in order to execute double extortion and make sure the victim will pay the ransom in order to not leak the data.
Running the Ransomware:
Once the data has been exfiltrated, threat actors customize the configuration and build the ransomware to include:
- Credentials for domain admins which will be used for network propagation using PsExec.
- Public key for the encryption.
- Ransom file extension.
- Customized ransom message.
- Services to be killed.
- Directories and file names to exclude.
- Other options
The threat actors then spread the ransomware through the environment. Threat actors use a group policy to roll out scheduled tasks to run the ransomware campaign manually on critical servers, ultimately propagating through the network and infecting other servers.
Commands Run by This Ransomware
Ransomware starting argumentsransom.exe –access-token test123454.
- Enumerate Universally Unique Identifier (UUID)wmic csproduct get UUID.
- Allow remote to local symbolic links (More info)fsutil behavior set SymlinkEvaluation R2L:1.
- Allow remote to remote symbolic linksfsutil behavior set SymlinkEvaluation R2R:1.
- Modify the registry to change MaxMpxCt settings to increase the number of requests allowed so the ransomware can spread through SMB with PsExecreg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f.
- Stop all IIS servicesiisreset.exe /stop.
- Delete all backups to make recovery difficultvssadmin.exe Delete Shadows /all /quiet.
- Delete shadow copieswmic.exe Shadowcopy Delete.
- Clear event logsfor /F \”tokens=*\” %1 in (‘wevtutil.exe el’) DO wevtutil.exe cl \”%1\”.
- Mount network sharenet use server> /user:test.com\testuser pasword123 /persistent:no.
- Show the entries in the ARP to get IPs of all connected devicesArp -a.
- Use PsExec to infect other systems“C:\Users\ADMINI~1\AppData\Local\Temp\psexec.exe” -nobanner -accepteula \\<target device> -u test.com\testuser -p password@123 -s -d -f -c C:\Users\Administrator\Desktop\ransom-edited2.exe –verbose –extra-verbose –access-token test123454 –no-prop-servers server name> –propagated
BlackCat ransomware uses embedded PsEsexec tool which extracts to “” and connects C:\Users\<username>\AppData\Local\Temp\psexec.exeto other devices discovered through NetBIOS and checks connected devices using ARP table. In order to authenticate remote devices, BlackCat ransomware uses hardcoded credentials embedded in the executable.
Detecting BlackCat Ransomware
BlackCat ransomware threat actor used similar tactics in multiple breaches, so the below Splunk searches will help you detect these tactics.
- Detecting Cobalt Strike lateral movement and privilege escalationIndex=wineventlog source=system EventID=7045 Image_path=“*\$admin*” OR Image_path= “*\%comspec\%*” OR Image_path=“*\\\\pipe\\*”.
- Detecting PsExec usageIndex=wineventlog source=system EventID=7045 service_name=*psexec*.
- Detecting scheduled task through group policyIndex=wineventlog source=Microsoft-Windows-GroupPolicy EventID=4016 “Scheduled Tasks”
Indicators of Compromise
FILENAME – HASH
Build2.exe – 30fb2972af23faab1e1ba1482604f6584f60f935c5c8dab7be427920c65fc862
Psexecsvc.exe – 3c19fee379b4882971834a3d38f3f8b86de560114274375560433778cd505748
IP – DOMAIN
184.108.40.206 – yaduvov.com
Defending Against BlackCat Ransomware
BlackCat ransomware is an advanced and sophisticated ransomware, and these threat actors are experienced, but every attack has its unique traces, and OPSEC can fail to detect such attacks. Below is a breakdown of how you can protect and detect the attack in the early phases.
- Conduct external vulnerability assessment and penetration testing to make sure no vulnerable services are exposed to the internet.
- Stop any RDP, SSH, Telnet, etc. protocols that are directly exposed to the internet and use VPN with multi-factor authentication to access services in your environment.
- Only allow access to servers from jump servers and disable access between servers, so that lateral movement will be hard to achieve by the attackers.
- Install, update and test AV/EDR solutions to make sure they are securing your environment. Usually, companies detect protection issues after the attack happens.
- Use SIEM solutions to collect logs from systems and create use cases to detect any attack attempt. Ransomwares that currently clear event logs will make it harder to investigate an incident if the attack does happen.
- Monitor SIEM solutions 24/7 to detect the attack at the initial stage itself, if it occurs. Conduct compromise assessments to make sure your environment is not already compromised.
- Monitor network traffic logs for any abnormal increase in outgoing traffic to the internet.
- Block full internet access for internal servers when possible and limit internet access for specific services.
- Use multi-factor authentication in all accesses where possible.
- Enforce password change policy with the shortest acceptable time frame.
- Regularly back up data, air gap, and password protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion in the system where the data resides. Review domain controllers, servers, workstations, and Active Directories for new or unrecognized user accounts.
- Block PsExec usage and create use cases using EDR/SIEM to detect PsExec usage.
- Change service account password with shortest acceptable time frame.
- Enforce strong, randomized local administrator passwords. Use tools like Local Administrator Password Solution (LAPS) to achieve this.
- Implement proper network segmentation.