{"id":115803,"date":"2022-06-13T09:00:00","date_gmt":"2022-06-13T16:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=115803"},"modified":"2023-10-13T08:02:29","modified_gmt":"2023-10-13T15:02:29","slug":"the-many-lives-of-blackcat-ransomware","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/06\/13\/the-many-lives-of-blackcat-ransomware\/","title":{"rendered":"The many lives of BlackCat ransomware"},"content":{"rendered":"\n

April 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the theme of weather. DEV-0237 is now tracked as Pistachio Tempest and DEV-0504 is now tracked as Velvet Tempest.

To learn about how the new taxonomy represents the origin, unique traits, and impact of threat actors, and to get a complete mapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming taxonomy.

The BlackCat ransomware, also known as ALPHV, is a prevalent threat and a prime example of the growing ransomware as a service (RaaS) gig economy. It’s noteworthy due to its unconventional programming language (Rust), multiple target devices and possible entry points, and affiliation with prolific threat activity groups. While BlackCat’s arrival and execution vary based on the actors deploying it, the outcome is the same—target data is encrypted, exfiltrated, and used for “double extortion,” where attackers threaten to release the stolen data to the public if the ransom isn’t paid.

First observed in November 2021, BlackCat initially made headlines because it was one of the first ransomware families written in the Rust programming language. By using a modern language for its payload, this ransomware attempts to evade detection, especially by conventional security solutions that might still be catching up in their ability to analyze and parse binaries written in such languages. BlackCat can also target multiple devices and operating systems. Microsoft has observed successful attacks against Windows and Linux devices and VMware instances.

As we previously explained, the RaaS affiliate model consists of multiple players: access brokers, who compromise networks and maintain persistence; RaaS operators, who develop tools; and RaaS affiliates, who perform other activities like moving laterally across the network and exfiltrating data before ultimately launching the ransomware payload. Thus, as a RaaS payload, how BlackCat enters a target organization’s network varies, depending on the RaaS affiliate that deploys it. For example, while the common entry vectors for these threat actors include remote desktop applications and compromised credentials, we also saw a threat actor leverage Exchange server vulnerabilities to gain target network access. In addition, at least two known affiliates are now adopting BlackCat: DEV-0237 (known for previously deploying Ryuk, Conti, and Hive) and DEV-0504 (previously deployed Ryuk, REvil, BlackMatter, and Conti).

Such variations and adoptions markedly increase an organization’s risk of encountering BlackCat and pose challenges in detecting and defending against it, because these actors and groups use different tactics, techniques, and procedures (TTPs). Thus, no two BlackCat “lives” or deployments might look the same. Indeed, based on Microsoft threat data, the impact of this ransomware has been noted in various countries and regions in Africa, the Americas, Asia, and Europe.

Human-operated ransomware attacks like those that deploy BlackCat continue to evolve and remain one of the attackers’ preferred methods to monetize their attacks. Organizations should consider complementing their security best practices and policies with a comprehensive solution like Microsoft 365 Defender, which offers protection capabilities that correlate various threat signals to detect and block such attacks and their follow-on activities.

In this blog, we provide details about the ransomware’s techniques and capabilities. We also take a deep dive into two incidents we’ve observed where BlackCat was deployed, as well as additional information about the threat activity groups that now deliver it. Finally, we offer best practices and recommendations to help defenders protect their organizations against this threat, including hunting queries and product-specific mitigations.

BlackCat’s anatomy: Payload capabilities

As mentioned earlier, BlackCat is one of the first ransomware families written in the Rust programming language. Its use of a modern language exemplifies a recent trend in which threat actors switch to languages like Rust or Go for their payloads, not only to avoid detection by conventional security solutions but also to make it harder for defenders to reverse engineer those payloads or compare them to similar threats.

BlackCat can target and encrypt Windows and Linux devices and VMware instances. It has extensive capabilities, including self-propagation, which an affiliate can configure for their own use and for the environment encountered.

In the instances we’ve observed where the BlackCat payload did not have administrator privileges, the payload was launched via dllhost.exe, which then launched the commands listed in Table 1 via cmd.exe. These commands could vary, as the BlackCat payload allows affiliates to customize execution to the environment.

The flags used by the attackers and the options available were the following: -s -d -f -c; --access-token; --propagated; -no-prop-servers.

\"Screenshot
Figure 1. BlackCat payload deployment options<\/figcaption><\/figure>\n\n\n\n
Command | Description
--- | ---
[service name] /stop | Stops running services to allow encryption of data
vssadmin.exe Delete Shadows /all /quiet | Deletes backups to prevent recovery
wmic.exe Shadowcopy Delete | Deletes shadow copies
wmic csproduct get UUID | Gets the Universally Unique Identifier (UUID) of the target device
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f | Modifies the registry to change the MaxMpxCt setting; BlackCat does this to increase the number of outstanding requests allowed (for example, SMB requests when distributing the ransomware via its PsExec methodology)
for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1" | Clears event logs
fsutil behavior set SymlinkEvaluation R2L:1 | Allows remote-to-local symbolic links; a symbolic link is a file-system object (for example, a file or folder) that points to another file-system object, like a shortcut in many ways but more powerful
fsutil behavior set SymlinkEvaluation R2R:1 | Allows remote-to-remote symbolic links
net use \\[computer name] /user:[domain]\[user] [password] /persistent:no | Mounts a network share

Table 1. List of commands the BlackCat payload can run
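The commands in Table 1, together with the recovery-hampering behaviour described later in this post, are the kind of process-creation telemetry a defender can hunt on. The following is an added example (not code from the original post or from Microsoft) that matches constructed process-creation events against patterns for those commands, weights them, and flags hosts where several of them appear; the event field names, the weights, the threshold and the sample events are all assumptions made for the example.

```python
"""Score process-creation events for the recovery-hampering commands in Table 1.

Added example; the event schema, weights and threshold are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample process-creation events (not real telemetry). The first
# five mimic a low-privilege BlackCat launch where cmd.exe is spawned from
# dllhost.exe; the last two are ordinary administrative activity.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": "dllhost.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c vssadmin.exe Delete Shadows /all /quiet"},
    {"host": "ws01", "parent": "dllhost.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c wmic.exe Shadowcopy Delete"},
    {"host": "ws01", "parent": "dllhost.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c for /F \"tokens=*\" %1 in ('wevtutil.exe el') DO wevtutil.exe cl \"%1\""},
    {"host": "ws01", "parent": "dllhost.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c fsutil behavior set SymlinkEvaluation R2L:1"},
    {"host": "ws01", "parent": "dllhost.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c reg add HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services"
                "\\LanmanServer\\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f"},
    {"host": "srv02", "parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c wmic csproduct get UUID"},
    {"host": "srv02", "parent": "services.exe", "image": "vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},
]

# (technique label, pattern over the command line, weight). Weights are
# assumptions: destructive or anti-forensic commands score higher than
# enumeration that legitimate inventory tooling also performs.
RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I), 3),
    ("shadow_copy_deletion", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I), 3),
    ("event_log_clearing", re.compile(r"wevtutil(\.exe)?\s+cl\b", re.I), 3),
    ("symlink_evaluation_change",
     re.compile(r"fsutil\s+behavior\s+set\s+SymlinkEvaluation\s+R2[LR]:1", re.I), 2),
    ("maxmpxct_tamper",
     re.compile(r"reg\s+add\s+.*LanmanServer\\Parameters.*\bMaxMpxCt\b", re.I), 2),
    ("device_uuid_query", re.compile(r"wmic(\.exe)?\s+csproduct\s+get\s+uuid", re.I), 1),
]


def evaluate(event):
    """Return the technique labels whose pattern matches this event's command line."""
    cmdline = event.get("cmdline", "")
    return [label for label, pattern, _ in RULES if pattern.search(cmdline)]


def score_hosts(events):
    """Aggregate per host: summed weight, the distinct techniques seen, and
    whether any matching command was spawned from dllhost.exe (the parent
    observed in the low-privilege launches described in the post)."""
    summary = defaultdict(lambda: {"score": 0, "techniques": set(), "dllhost_parent": False})
    for event in events:
        cmdline = event.get("cmdline", "")
        hits = [(label, weight) for label, pattern, weight in RULES if pattern.search(cmdline)]
        if not hits:
            continue
        entry = summary[event["host"]]
        for label, weight in hits:
            entry["score"] += weight
            entry["techniques"].add(label)
        if event.get("parent", "").lower() == "dllhost.exe":
            entry["dllhost_parent"] = True
    return dict(summary)


def flag_hosts(events, threshold=5):
    """Hosts whose aggregated score meets the threshold, highest score first."""
    summary = score_hosts(events)
    flagged = [host for host, entry in summary.items() if entry["score"] >= threshold]
    return sorted(flagged, key=lambda host: -summary[host]["score"])


if __name__ == "__main__":
    for host, entry in score_hosts(SAMPLE_EVENTS).items():
        print(host, entry["score"], sorted(entry["techniques"]), entry["dllhost_parent"])
    print("flagged:", flag_hosts(SAMPLE_EVENTS))
```

On the constructed sample, ws01 accumulates four distinct techniques from dllhost.exe-spawned commands and is flagged, while srv02 (one UUID query, one read-only vssadmin list) stays below the threshold. A single shadow-copy deletion is also worth alerting on in most environments; the weighting here is meant to rank hosts for triage rather than to replace per-command detections.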

User account control (UAC) bypass

BlackCat can bypass UAC, which means the payload will successfully run even if it is launched from a non-administrator context. If the ransomware isn’t run with administrative privileges, it runs a secondary process under dllhost.exe with the permissions needed to encrypt the maximum number of files on the system.

Domain and device enumeration

The ransomware can determine the computer name of the given system, the local drives on the device, and the AD domain name and username on the device. The malware can also identify whether a user has domain admin privileges, thus increasing its capability of ransoming more devices.

Self-propagation

BlackCat discovers all servers that are connected to a network. The process first broadcasts NetBIOS Name Service (NBNS) messages to check for these additional devices. The ransomware then attempts to replicate itself on the responding servers via PsExec, using the credentials specified within its configuration.

Hampering recovery efforts

BlackCat has numerous methods to make recovery efforts more difficult. The following are commands that might be launched by the payload, as well as their purposes: