After several ransomware attacks against major enterprises, the BlackCat gang is drawing the attention of security researchers who have connected it to other groups.
According to the Federal Bureau of Investigation (FBI), the BlackCat (ALPHV) Ransomware as a Service operation has compromised at least 60 entities worldwide.
BlackCat, an apparent descendant of the BlackMatter ransomware group, has been operating since at least November and has launched major attacks such as the disruption of OilTanking GmbH in January and the attack on aviation company Swissport in February. The ransomware group has also claimed responsibility for attacks against Florida International University and the University of North Carolina A&T.
The FBI published an alert about BlackCat ransomware that included indicators of compromise. The FBI said the ransomware gang has attacked at least 60 organisations across the globe as of last month, often using “previously compromised user credentials” to gain access to victims’ networks.
Matthew Radolec, senior director of incident response and cloud operations at Varonis, said, “Most of BlackCat’s attacks come from the increasingly common Ransomware as a Service (RaaS) model.
“If we look at 2021 to today, we have a change that REvil started,” Radolec added. “This concept of ransomware as a service is gaining in popularity, which is one of the fundamental differences. We’re talking about people creating a toolkit. They are encouraging and recruiting operators almost like a SaaS company; they offer a Ransomware as a Service toolkit to deliver your ransomware where they create the software for you.”
While the group has not claimed the same volume of victims as other ransomware gangs, BlackCat has allegedly been responsible for some of the most devastating ransomware attacks of the last several months.
According to Cybereason, BlackCat consistently uses a double extortion approach and has at times implemented triple extortion via the threat of a DDoS attack. As more groups like REvil and Lapsus$ continue to be hurt by arrests, BlackCat and other RaaS groups have greater opportunities.
BlackCat operators are less known than the cybercriminals behind other notorious ransomware groups. The RaaS operation gives the operators a “sustainable model” that puts distance between them and their affiliates.
The recent ransomware attacks by BlackCat have put the group on the radar of cybersecurity analysts such as Cybereason and Kaspersky Lab, which have each released a report in recent weeks analysing the group. The researchers identify one of the key aspects of BlackCat that makes it unique among ransomware groups and effective in deploying its malware.
While every ransomware group varies in the code it uses, BlackCat is written in the Rust programming language, which only a few other groups use. According to Cybereason, the encryption process is speedy because of Rust’s emphasis on performance. In addition, Rust is cross-platform, which makes it easier to create variants for both Windows and Linux.
Another similarity in the reports on BlackCat was that both Cybereason and Kaspersky pointed out the links between BlackCat and the BlackMatter ransomware gang. In November, the BlackMatter group said that it would be disbanding its operations, but researchers have found connections between the two groups.
According to CISA, BlackMatter posed a significant threat to the US as the group repeatedly targeted critical infrastructure in the country, like the Colonial Pipeline attack.
While Cybereason pointed to BlackCat’s confirmation of its relation to BlackMatter, Kaspersky found a unique connection between the two groups and their code. During its examination of the ransomware gang, the Kaspersky team found evidence of an exfiltration malware called Fendr.
According to Kaspersky’s report, this tool, which BlackCat has slightly modified, has only ever been found in BlackMatter ransomware. While Cybereason did not discuss the Fendr code, its researchers did point out a connection they found between BlackCat and another ransomware gang.
Cybereason’s Nocturnus research team found many similarities between BlackCat’s code and infrastructure and those of LockBit. The report describes how each group uses similar code.
According to the Cybereason report, the profiler variants linked to LockBit use almost the same code as the BlackCat launcher, with only slight variations. The only difference in functionality is that the profilers do not attempt to download anything; they only collect profiling data. And instead of collecting the machine’s Windows UUID, the profiler checks whether LockBit is already installed on the machine.
These groups have been increasingly successful at monetising their intrusions for the past few years, while law enforcement has been chipping away at the various participants — underground exchange forums and access brokers, malware developers and ransomware operators. It seems likely that payment schemes will be reworked in the next couple of years.