Who is BlackCat? Behind the Feline Ransomware Gang

Think of a black cat and your mind probably wanders to the realm of superstition and folklore.

But in the cybersecurity world, the black cat is more than just an animal that many people are superstitious about. 

While data breaches traditionally lurked in the shadows of the Dark Web, a new ransomware strain called BlackCat (also known as ALPHV and Noberus) has emerged as a significant threat to organisations and individuals. 

In this article, we’ll tell you everything you need to know about the BlackCat hacker group, who it is, who it targets, and how you can defend against it.

What is BlackCat? 

BlackCat, also known as ALPHV and Noberus, is a ransomware group that made its debut in mid-November 2021. The gang employs the Rust programming language for its payloads, combining the performance of C/C++ with enhanced memory management capabilities. This cyber gang operates by creating public data leak websites on the open internet, compelling victims to pay a hefty ransom to prevent the full exposure of their confidential data.

First detected in 2021, BlackCat stands out for its unprecedented approach: creating public data leak websites accessible on the open internet. This bold tactic aims to coerce victims into paying substantial ransom amounts to prevent the full exposure of their confidential data to the public.

By publicly exposing victims' data and threatening to disclose it unless a ransom is paid, BlackCat strikes fear and uncertainty into the hearts of those targeted. This aggressive approach not only adds urgency to the situation but also amplifies the potential consequences for affected individuals and organisations.

The emergence of the BlackCat gang signifies a noteworthy milestone in the landscape of cyber threats. Particularly striking is their utilisation of the Rust programming language to engineer the payload for their operations. This strategic decision highlights their dedication to optimizing efficiency and resilience in carrying out nefarious activities.

The BlackCat ransomware's sophisticated architecture reflects the cyber gang's meticulous approach to their criminal endeavours. This malware operates with precision, demanding precise access tokens and parameters for execution. Its encrypted configuration file holds detailed instructions, encompassing targeted services and processes for cessation, whitelisted directories, files, and extensions, alongside a repository of pilfered credentials from victim environments. This intricate design underscores the gang's advanced prowess, enabling tailored attacks for heightened impact and profitability.

The cybercriminal syndicate responsible for BlackCat ransomware employs a variety of extortion tactics, with a predominant use of double extortion methods and occasional resort to triple extortion tactics. These tactics involve threatening to disclose stolen data and launching distributed denial-of-service (DDoS) attacks against targeted infrastructure.

Demands for ransom payments are common in BlackCat ransomware attacks, often amounting to millions in Bitcoin and Monero. Interestingly, some payments are accepted below the initial demand, indicating a degree of negotiation flexibility on the part of the attackers.

What is BlackCat Rust? 

Rust is a systems programming language that prioritises performance, reliability, and safety. Developed by Mozilla, Rust is designed to empower developers with the tools needed to build efficient and secure software. Its key features include a strong type system, ownership and borrowing rules that prevent common programming errors like null pointer dereferences and data races, and fearless concurrency, which allows multiple threads to execute without risking data corruption.

The usage of Rust programming language has emerged as a strategic choice for crafting advanced malware like BlackCat ransomware. Renowned for its performance comparable to C/C++ and superior memory management capabilities, Rust provides cyber attackers with a powerful tool to circumvent detection mechanisms and amplify the impact of their operations.

At its core, the operational framework of BlackCat ransomware demands precise execution, requiring an access token consisting of a 32-byte value and other specified parameters. This level of customisation empowers the malware to adapt its behaviour to the intricacies of each targeted system, optimising its infiltration capabilities and amplifying its destructive potential.

Furthermore, BlackCat ransomware boasts an encrypted configuration file housing vital operational instructions. These include an exhaustive roster of services and processes slated for termination, directories and files exempted from encryption, and a cache of pilfered credentials harvested from the victim's digital ecosystem. By meticulously fine-tuning these parameters, the BlackCat gang ensures seamless execution of their malicious agenda while mitigating the risk of detection or intervention by security measures.

History of BlackCat

The cyber gang behind BlackCat's origins date back to the early 2010s when a group of highly skilled hackers began collaborating to develop and distribute various forms of malware. Over time, their operations expanded, and by the mid-2010s, they had established themselves as prominent players in the cybercriminal underworld.

Initially focusing on smaller-scale cyber attacks, such as phishing scams and credit card fraud, the group gradually shifted its focus towards more sophisticated criminal activities, including ransomware attacks. This transition coincided with the rise of ransomware as a profitable business model for cybercriminals, offering the potential for substantial financial gains with a relatively low risk of detection and prosecution.

As the group's operations grew in scope and complexity, they began developing and distributing their own custom-built ransomware strains, including BlackCat. Leveraging their expertise in malware development and encryption techniques, they honed their tactics to target high-value entities such as corporations, government agencies, and critical infrastructure providers.

The BlackCat malware first caught the attention of researchers from the MalwareHunterTeam in 2021. By 2022, an FBI advisory linked numerous developers and money launderers to BlackCat, connecting them with two now-defunct ransomware as a service (RaaS) groups – DarkSide and Blackmatter. This revelation highlighted the sophisticated operations of BlackCat and its potential associations with organised cybercrime networks.

There is a very interesting new Rust coded ransomware (first ITW?), BlackCat.
Another one used to encrypt companies' networks.
Already seen some victims from different countries, from the second half of past November.
Also look at that UI. Back to '80s?
😂@demonslay335 @VK_Intel pic.twitter.com/YttzWWUD3c

— MalwareHunterTeam (@malwrhunterteam) December 8, 2021

The alleged association with DarkSide and Blackmatter, two prominent ransomware-as-a-service (RaaS) groups, provided the cyber gang behind BlackCat with access to advanced tools, resources, and expertise. This collaboration allowed them to expand their reach and amplify their impact, further solidifying their position as a formidable force in the world of cybercrime.

Since its initial detection, BlackCat has undergone rapid evolution, continuously introducing new variants and tactics to circumvent detection and amplify its impact. The malware's creators have demonstrated a remarkable ability to adapt, consistently updating their code to exploit vulnerabilities and stay ahead of security protocols.

Despite efforts by law enforcement agencies and cybersecurity experts to disrupt their operations, the cyber gang behind BlackCat has proven resilient, continually evolving its tactics and infrastructure to evade detection and prosecution.

Who does BlackCat target?

BlackCat's targets include a broad spectrum of industries, spanning finance, healthcare, and government sectors. Its typical approach involves infiltrating networks, encrypting data, and demanding substantial ransoms for decryption keys. The financial toll on victims has been staggering, with losses reaching into the millions of dollars.

In a wave of digital terror that swept through the early months of 2023, BlackCat unleashed a barrage of attacks targeting esteemed organisations worldwide. Among their victims were Grupo Estrategas EMM, NextGen Healthcare, Solar Industries India, Instituto Federal Do Pará, Munster Technological University, and Lehigh Valley Health Network.

History of BlackCat attacks

Variant Sphynx (2023) 

But the tale took a darker turn with the emergence of a new weapon in BlackCat's arsenal: Variant Sphynx. This sophisticated version, unveiled in February 2023, boasted enhancements designed to enhance its speed and stealth capabilities. Sphynx's deployment marked a significant escalation in BlackCat's capabilities, catching cybersecurity experts off guard and leaving organisations scrambling to fortify their defences.

At its core, Variant Sphynx featured intricate code optimisations that enabled lightning-fast execution and evasion of traditional detection mechanisms. Leveraging advanced obfuscation techniques and polymorphic encryption algorithms, it morphed its signature with each version, confounding even the most vigilant cybersecurity measures.

By May of that same year, the group's reign of terror had left over 350 victims in its wake, a chilling testament to the efficacy of Sphynx's advancements. From multinational corporations to educational institutions and healthcare providers, no sector was spared from the ruthless onslaught of BlackCat's cyber assaults.

As organisations raced to shore up their cybersecurity protocols, the digital battleground was poised for an intensified struggle between defenders and aggressors in the ongoing war against cyber threats. The rise of Variant Sphynx served as a stark reminder of the relentless innovation driving malicious actors in their pursuit of exploiting vulnerabilities in the digital realm.

Reddit Breach (2023)

BlackCat claimed responsibility for breaching Reddit's systems in June 2023, managing to extract a staggering 80 GB of compressed data. Their demands were clear: a ransom of $4.5 million from Reddit. What made this attack stand out was its departure from the group's usual tactics; unlike their typical ransomware campaigns, no data encryption was employed. This left Reddit and its users vulnerable to cyber extortion.

From a technical standpoint, the breach exposed critical vulnerabilities in Reddit's cybersecurity infrastructure, raising questions about the platform's preparedness to fend off sophisticated cyberattacks. Analysts speculated that the attackers exploited weaknesses in Reddit's network architecture or possibly leveraged social engineering tactics to gain unauthorised access. The lack of data encryption further underscored lapses in Reddit's security protocols, underscoring the urgent need for robust cybersecurity measures.

Downfall and New Attacks (2023-2024)

On December 19, 2023, the FBI executed a coordinated operation seizing control of the BlackCat ransomware gang's website. That same day, visitors to the group's website were greeted with a chilling message from the FBI: "The Federal Bureau of Investigation seized this site as part of a coordinated law enforcement action taken against Alphv Blackcat Ransomware." This takedown marked a decisive victory in the battle against cybercrime, with multiple websites seized and a decryption tool released by the FBI to empower ransomware victims to reclaim their files without succumbing to the demands of these cyber criminals.

As the aftermath unfolded, a new chapter in the fight against cyber threats commenced. With the U.S. Department of State offering rewards of up to $10 million for information leading to the identification or location of BlackCat ransomware gang leaders and an additional $5 million for tips on individuals involved in BlackCat ransomware attacks, the world braced itself for the next onslaught in the ever-evolving landscape of digital warfare.

However, the fallout from the operation revealed a resilient adversary unwilling to yield to law enforcement pressure. Despite the setback, BlackCat swiftly regrouped, employing improvised communication methods to resume their infamous activities. A subsequent FBI advisory shed light on the gang's resurgence, detailing their renewed focus on targeting the healthcare sector in the wake of intensified law enforcement action.

The advisory also highlighted the release of the BlackCat 2.0 Sphynx update, underscoring the group's commitment to innovation and adaptability. This new version boasted enhanced defence evasion capabilities and expanded targeting to encompass VMware environments, signalling a worrisome escalation in the sophistication of ransomware tactics.

ALPHV/BlackCat affiliates continued to employ advanced social engineering tactics, leveraging legitimate remote access tools and frameworks to infiltrate target networks. Some affiliates even eschewed traditional ransomware deployment in favour of direct data theft and extortion, amplifying the urgency for organisations to fortify their cyber defences.

BlackCat Attack Characteristics

BlackCat attacks are characterised by sophisticated tactics and stealthy infiltration techniques. The ransomware leverages previously compromised user credentials to gain initial access, swiftly compromising Active Directory user and administrator accounts.

Before executing the ransomware, the malware conducts data exfiltration, pilfering sensitive information from victims, including data stored in cloud providers utilised by companies or clients. This pre-emptive data theft adds a layer of coercion, compelling victims to comply with ransom demands under the threat of public exposure or further exploitation of their confidential information.

Once inside the victim's network, BlackCat employs Windows Task Scheduler to configure malicious Group Policy Objects (GPOs) for ransomware deployment. This initial deployment is facilitated by PowerShell scripts combined with Cobalt Strike, systematically disabling security features within the network. Furthermore, BlackCat adeptly utilises various batch and PowerShell scripts during infection, demonstrating its adaptability and evasion capabilities.

Additionally, BlackCat ransomware adeptly utilises Windows administrative tools and Microsoft Sysinternals tools during the compromise process, underscoring the sophistication and adaptability of its attack vectors.

Similarly, BlackCat members employ sophisticated social engineering tactics and comprehensive open-source research to infiltrate targeted companies. Posing as IT or helpdesk personnel, they utilise phone calls or SMS messages to extract credentials from unsuspecting employees, thereby gaining initial access to the target network. Utilising uniform resource locators (URLs), they engage in live chats with victims to convey demands and kickstart processes for restoring encrypted files.

Once inside a victim's network, BlackCat deploys a suite of remote access software, including AnyDesk, Mega sync, and Splashtop, in preparation for data exfiltration. They establish a user account, "admin," leveraging Kerberos token generation for domain access. Legitimate remote access and tunnelling tools like Plink and Ngrok are employed for lateral movement within the network. To maintain control, they utilise beacons such as Brute Ratel C4 and Cobalt Strike for command and control servers.

By employing the Evilginx2 framework, Blackcat members conduct adversary-in-the-middle attacks, facilitating the acquisition of multifactor authentication (MFA) credentials, login credentials, and session cookies. Passwords obtained from various sources enable further lateral movement across the network. To avoid detection, they leverage allow listed applications like Metasploit while simultaneously clearing logs on the exchange server post-installation on the domain controller.

Read: Top 10 Best and Most Famous Hackers in the World

Data exfiltration and ransomware deployment follow, with the ransom note embedded as a file.txt. Additionally, BlackCat has been reported to employ POORTRY and STONESTOP to terminate security processes. Some affiliates opt to exfiltrate data and extort victims without deploying ransomware, communicating via TOR, Tox, email, or encrypted applications. Subsequently, they delete victim data from the compromised systems.

As part of their extortion strategy, ALPHV Blackcat members offer unsolicited cyber remediation advice post-payment, promising "vulnerability reports" and "security recommendations" to prevent future re-victimization. The resulting encrypted files adopt the naming convention: RECOVER-(seven-digit extension) FILES.txt.

Defending Against BlackCat

When devising defences against BlackCat ransomware, it is essential to take the following recommendations into account:

1. Ensure that software is regularly updated with the latest security patches.
2. Maintain robust communication with employees, emphasising the importance of not opening or interacting with suspicious emails and promptly reporting them.
3. Employ a backup system to back up server files consistently.
4. Deploy antivirus software and/or endpoint detection and response solutions on all endpoints.
5. Implement two-factor authentication for all services to enhance security.

If a compromise is detected, organisations should take the following steps:

1. Isolate or disconnect potentially affected hosts from the network.
2. Reimage compromised hosts to remove any malicious elements.
3. Issue new account credentials to affected users.
4. Conduct a thorough review of artefacts such as running processes/services, abnormal authentications, and recent network connections.

Report any compromises or phishing incidents promptly to the appropriate authorities, such as CISA or MS-ISAC, and file a complaint with the FBI’s Internet Crime Complaint Center (IC3) or local FBI Field Office.

Organisations increasingly recognise the importance of implementing potent mitigation strategies to defend against ransomware attacks like BlackCat. Here are some strategies that encompass a comprehensive array of measures aimed at fortifying defences and mitigating risks:

• Secure remote access tools by implementing application controls to manage and regulate software execution.
• Adhere to the recommendations outlined in CISA's Guide to Securing Remote Access Software.
• Utilise network monitoring tools to identify and investigate abnormal activity and potential ransomware breaches.
• Train employees regularly on recognising and responding to social engineering and phishing attacks.
• Monitor internal mail and messaging traffic to detect suspicious activity and deviations from normal network traffic.
• Leverage free security tools to prevent users from being redirected to malicious websites by cyber threat actors.
• Maintain up-to-date antivirus software from reputable vendors to detect and protect against malware infections effectively.