The ALPHV ransomware variant, also known as Noberus, was first identified in November of 2021. Threat actors describe it as a next-generation ransomware-as-a-service (RaaS) version that includes four encryption modes and two encryption algorithms (AES and ChaCha20). ALPHV is true cross-platform malware and affects operating systems such as Windows, ESXI, Debian, Ubuntu and ReadyNas.
On March 16, 2022, security specialists identified a new version of BlackCat ransomware (so named because the software displays a black cat on the victim’s payment site). These experts also noted that some previous YARA rules no longer match, which will make it difficult to find malicious files.
Like the previous version of ALPHV, BlackCat is written in the Rust programming language and is not packed or obfuscated and is executed via a command line or PowerShell with necessary options.
Users can access a full list of options by executing the ransomware with the “--help” parameter. See below.
What’s New in BlackCat?
While BlackCat shares many similarities and capabilities with ALPHV, it does include many new functions. These include:
· --drag-and-drop target
· --no-vm-kill-names <NO_VM_KILL_NAMES>
BlackCat includes more functions that previous versions, and in addition, the configuration file is not embedded into the sample anymore. Instead, threat actors manually drop the configuration file into a victim’s environment.
How is BlackCat Executed?
BlackCat must be executed using the following order: --access-token <ACCESS_TOKEN> [OPTION] [SUBCOMMAND].
Similar to ALPHV, with BlackCat, the encryption process won’t start without the access token and produces an error message if users attempt to execute it.
By viewing this sample statically, we can observe the similarity in the preparation process. To execute all commands, BlackCat uses the “cmd/c” string and the “Wevtutil.exe” Windows utility to obtain access to the event logs.
From there, BlackCat obtains the Machine GUID from the registry and UUID using the wmic command:
It uses the “fsutil” system utility to enable “remote-to-remote” and “remote-to-local” symbolic links:
· fsutil behavior set SymlinkEvaluation R2R:1
· fsutil behavior set SymlinkEvaluation R2L:1
BlackCat deletes all volume shadow copies with the “vssadmin.exe” utility and empties the recycle bin.
Also, BlackCat uses the “PsExec” utility, which is compressed with zlib and is stored in the sample. This utility enables users to execute programs on remote Windows machines.
It changes the maximum number of simultaneous outstanding client requests to the server by writing the maximum possible value (65535) to the “MaxMpxCt” parameter in the register.
· reg add HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\ Parameters/v MaxMpxCt /d 65535
When it comes to file encryption, BlackCat looks for all available volumes on the computer by obtaining their path names.
If the found volume doesn’t have a path name, it will be mounted.
From there, BlackCat starts to search files using the “FindFirstFile” and “FindNextFile” functions. Like the previous version of ALPHV, BlackCat encrypts files with the AES encryptions algorithm and uses the hardware-supported instructions “aeskeygenassist,” “aesenc,” and “easimc.”
If AES is not supported, BlackCat will use the ChaCha20 encryption algorithm.
While BlackCat is a new version of ransomware, it does use functionality similar to that of the previous ALPHV version. For example, it still uses AES and ChaCha20 encryption algorithms; includes the packed “PsExec” utility; abuses the “fsutil” utility; searches the computer’s hidden partitions to mount it; changes the same registry keys; clears the recycle bin; and deletes shadow copies via “vssadmin.exe.”
However, the new version does not contain configuration, so it can be executed without it —functionality that makes it more difficult to analyze. Additionally, the old YARA rules that applied to the previous version do not work with the new version of BlackCat.
All of this makes it even more important to use the most effective anti-malware solutions possible. These solutions should be capable of identifying any cyberthreat ― even those they’ve never seen before so they can immediately shut them down before harm can be done.
Detected by Acronis
Acronis is a Swiss company, founded in Singapore. Celebrating two decades of innovation, Acronis has more than 2,000 employees in 45 locations. Acronis Cyber Protect solution is available in 26 languages in over 150 countries and is used by 18,000 service providers to protect over 750,000 businesses.