Take a Product Tour Request a Demo Cybersecurity Assessment Contact Us

Stories

The latest cybersecurity trends, best practices,
security vulnerabilities, and more

trellix intelligence

Trellix Global Defenders: BlackCat Ransomware as a Service - The Cat is certainly out of the bag!

Threat Summary

Blackcat also known as ALPHV/Noberus is a Ransomware as a Service provider originally being detected around the end of November 2021. While analyzing the campaign we discovered several important aspects of this ransomware including operational similarity with previous ransomware families such as Darkside, Blackmatter and Revil. It is understood that Blackcat is potentially actively recruiting affiliates to increase proliferation and offering lucrative financial deals related to profit sharing of up to 90% in some cases.

Blackcat has potentially been attributed to a spate of recent attacks spread across various critical sectors such as energy, transportation and utilities.

This threat actor Is continuously updating their services and adding features and modifying their code to provide advanced penetration capabilities for It’s affiliates. Keeping track of this threat groups activities Is extremely crucial and organisations can stay updated by keeping an eye on the IOC's and updates being provided by the Trellix ATR team via our Threat Dashboard and Trellix Insights platform.

Figure 1: Trellix Insights - Blackcat Campaign
Figure 1: Trellix Insights - Blackcat Campaign
Figure 2: Attack Analysis
Figure 2: Attack Analysis

An analysis of the attack flow shows typical pre-execution and post execution stages of a ransomware incident. The initial access is gained either via leaked credentials or through exposed remote access software. Following this it is clear the threat actor spends a good amount of time compromising various defenses such as Windows Defender , enabling better data exfiltration by increasing connection limits on remote connections, discovering network shares etc. The actual encryption part seems to come at later stage similar to what we have seen with other Ransomware families such as Darkside etc.

Why Is this Important?

So what makes BlackCat different than previous ransomware as a service operators? the answer is many. This ransomware has been written using a programming language known as “Rust” diverging from common programing languages such as C/C++ in which previous ransomwares has been written in and is more widely understood and analyzed by threat researchers and defenders. The advantage of using “Rust” is maximum platform support in terms of OS that this ransomware can be executed on, potentially hugely widening the exposure for organisations. The next aspect is customization capabilities available in the malware and how it has embedded a lot of disparate capabilities in a modular self- contained package, it even has a help menu! Perfectly suitable for newbie affiliates. The notable capabilities include embedded PsExec, Powershell process migration capabilities and ability to infect VMWare ESXi services. The configuration options shown bellow allows the affiliates to customize how they execute the ransomware in the victims environment.

Figure 3: Two different Blackcat Samples showing different capabilities
Figure 3: Two different Blackcat Samples showing different capabilities
Figure 4: Blackcat embedded configuration file with victim specific data preloaded
Figure 4: Blackcat embedded configuration file with victim specific data preloaded

The most important aspect is possibly the fact that during analysis we discovered that each sample had configuration files embedded that included information such as Usernames and passwords for the target victims to facilitate lateral movement(potentially gathered from previous breaches or bought password dumps). We also noticed that a unique access token is used to generate an unique victim identifier and a unique link for Blackcat’s “Tor” webpage for the ransomware negotiations to take place. This is specifically designed to keep security researchers and law enforcement out of the conversations as well as defeating some automated sandboxing capabilities that does not inject sample specific attributes.

Defenders Guidance

One of the hardest part of this ransomware family is keeping track of prevalence information. The reason being that almost every sample has a different set of IOC's associated with it(hash, tor url , access tokens, config files). So this is where we have to resort to more advanced behavioral characteristics and properties of the malware. Establishing relationship between the various samples might be extremely important at an early stage of an attack to understand the threat actor and their associated tactics, a new feature added to Trellix Insights provides just that:

Figure 5: Sample relationship based on similarity and campaign relationship
Figure 5: Sample relationship based on similarity and campaign relationship

Like with every ransomware attack the signs of the presence of the threat actor are visible In the early part of the attack lifecycle. Use of LOLBins and Dual Intent tools to land and expand are critical signals that should be captured by defenders, both EDR and ENS ATP provides early visibility Into the pre-execution phase of the attack as well as Post execution phases.

Figure 6: Post Execution ENS ATP Detections for RealProtect
Figure 6: Post Execution ENS ATP Detections for RealProtect
Figure 7: EDR Analysis of Blackcat Sample
Figure 7: EDR Analysis of Blackcat Sample

Point to be noted here is that depending on the sample the data collected EDR trace analysis could appear differently. Having behavioral analysis and protection capabilities is critical for defenders during our testing both ENS Realprotect static and cloud got trigged and Enhanced remediation recovered the encrypted systems successfully.

Figure 8: Encrypted Endpoint
Figure 8: Encrypted Endpoint
Figure 9: Endpoint Rolled Back
Figure 9: Endpoint Rolled Back

Being able to analyze threats fully and understand its behavior is crucial especially in a malware that is changing its attributes rapidly, Trellix Detection on Demand provides additional sampling capability along with endpoint integration to further enhance defenses and detection capabilities.

Figure 10: Trellix Detection on Demand analysis providing additional details, dropped payloads and registry changes as well as complete behavioral analysis
Figure 10: Trellix Detection on Demand analysis providing additional details, dropped payloads and registry changes as well as complete behavioral analysis

Summary

Organisations need to build resilient defenses against ransomware threats and not rely on single control/defenses, we can expect to continue to see more innovation from threat actors such as the ones highlighted here, fundamentally the following provides an effective security strategy against ransomware threats

Figure 11: Ransomware Defense Strategy
Figure 11: Ransomware Defense Strategy

Get the latest

Stay up to date with the latest cybersecurity trends, best practices, security vulnerabilities, and so much more.
Please enter a valid email address.

Zero spam. Unsubscribe at any time.