Attention: We have transitioned to a new AAD or Microsoft Entra ID from the week of May 20, 2024. In case your tenant requires admin consent, please refer to this document located at Overview of user and admin consent - Microsoft Entra ID | Microsoft Learn and grant access to App ID: 6ba09155-cb24-475b-b24f-b4e28fc74365 with graph permissions for Directory.Read.All and User.Read for continued access. While the app may appear unverified, you can confirm its legitimacy by verifying the App ID provided.
BlackCat ransomware, also known as ALPHV, was first observed in November 2021. It operates as a ransomware as a service (RaaS), where affiliates pay for software that enables them to launch ransomware attacks.
BlackCat ransomware operators allow affiliates to customize payloads, giving them the opportunity to target different operating systems (Windows and Linux) and corporate environments. The ransomware is written in the Rust programming language, which presents a challenge for traditional security solutions to analyze binaries generated by it.
For more information about BlackCat and other human-operated ransomware campaigns, read these posts:
There is no one-size-fits-all response if you have been victimized by ransomware. To recover files, you can restore backups. There is no guarantee that paying the ransom will give you access to your files.
Microsoft Defender Antivirus automatically removes threats as they are detected. However, many infections can leave remnant files and system changes. Updating your antimalware definitions and running a full scan might help address these remnant artifacts.
BlackCat is a command-line driven, human-operated, flexible malware that could employ a range of encryption techniques. Below are some of the notable behaviors of the ransomware:
Uses an access token to run. The access token is a 32-byte token randomly chosen. Below is an example of a command that launches BlackCat:
BlackCat.exe --access-token 12345
Bypasses user account control (UAC) to allow a user without administrative privileges to run it. It uses the Component Object Model (COM) CMSTPLUA interface {3E5FC7F9-9A51-4367-9063-A120244FBEC7} to escalate privileges.
Discovers other endpoints on the same network as the victim host by sending a NetBIOS Name Service (NBNC) broadcast message. The malware then uses PsExec to try to infect responding servers.
Increases the number of outstanding SMB client requests allowed. It sets the maximum client connection limit to 65535 by modifying the registry to change MaxMpxCt settings. It uses the command below to set the MaxMpxct to 65535:
Terminates processes and stops services that are specified in its embedded configuration file. It also enumerates and stops any dependent services of the target service. For example, it uses the command cmd.exe /c "iisreset.exe /stop" to stop the internet information service on the server.
Modifies the boot loader to prevent recovery and automatic repair on the Windows endpoint. It disables the boot recovery mode using the following command:
C:\Windows\system32\cmd.exe” /c “bcdedit /set {default} recoveryenabled No
Uses wevutil.exeto clear Windows event logs to prevent analysis. It uses the command below to clear the event logs:
“C:\Windows\system32\cmd.exe” /c “cmd.exe /c for /F \”tokens=*\” %1 in (‘wevtutil.exe el ‘) DO wevtutil.exe cl \”%1\””
Disables and deletes Volume Shadow Copy Service and Hyper-V Volume Shadow Copy requester service. It uses the wmic.execommand to delete the shadow copies on all volumes by using the command below:
File encryption is multi-threaded. The AES-128 CTR or ChaCha20 algorithm can be used to encrypt file contents depending on the settings, with nonce vectors containing 8 or 12 null bytes respectively. In addition, various file encryption modes can be used; below are their brief descriptions.
BlackCat creates intermediary files called “checkpoints-<encrypted file name>” during the encryption process.
It generates 16 random bytes that will be used to derive the AES key.
A 4-byte border "19 47 B3 FF" that separates the encrypted file content from the encrypted AES key is written to the file.
Displays ransom note
After successfully encrypting the files on the target device, the ransomware writes the ransom note named “RECOVER-${EXTENSION}-FILES.txt,” where “${EXTENSION}” is the extension of the encrypted files as specified in the config. An example of the ransom note can be seen below:
Cybercriminals behind ALPHV (BlackCat) ransomware are now allowing their victims to check whether their data has been stolen and published on a leak page. They are providing websites where victims can use the provided search function to find leaked data.
BlackCat replaces the computer background display with the following note:
Avoid opening suspicious and irrelevant emails. The attachments and links present in these messages should not be opened/clicked, as they can cause system infections. Always use official and verified download channels. Additionally, all programs must be activated and updated using legitimate tools obtained from official sources.
Use multifactor authentication (MFA) where possible.
To learn more about preventing ransomware or other malware from affecting individual devices, read about preventing malware infection.
You can also browse aka.ms/ransomwaresolutions for general information and frequently asked questions about ransomware, defense against ransomware, and ransomware incident response playbook.
Guidance for enterprise administrators and Microsoft 365 Defender customers
Ransomware more often attacks enterprises than individuals. Following these mitigation steps can help prevent ransomware attacks:
Review antivirus logs for indications that they were unexpectedly turned off.
Implement network segmentation.
Require administrator credentials when installing software.
Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (e.g., hard drive, storage device, the cloud).
Install updates for/patch operating systems, software, and firmware as soon as they are released.
Audit user accounts with administrative privileges and configure access controls with the least privilege in mind.
Keep backups so you can recover data affected by ransomware and destructive attacks. Use controlled folder access to prevent unauthorized applications from modifying protected files.
Turn on attack surface reduction rules, including rules that block ransomware activity and other activities associated with human adversaries. To assess the impact of these rules, deploy them in audit mode.
Utilize the Microsoft Defender Firewall and your network firewall to prevent RPC and SMB communication among endpoints whenever possible. This limits lateral movement as well as other attack activities.
Turn on tamper protection features to prevent attackers from stopping security services.
Microsoft Defender Antivirus raises an alert if it detects this threat on your device. Microsoft Defender Antivirus automatically removes threats as they are detected. If this threat is detected in your environment, we recommend that you immediately investigate it.