Executive Summary
BlackCat, also known as ALPHV or Noberus, is a ransomware family that is deployed as part of Ransomware as a Service (RaaS) operations. BlackCat is written in the Rust programming language and supports execution on Windows, Linux-based operating systems (Debian, Ubuntu, ReadyNAS, Synology), and VMWare ESXi. BlackCat is marketed as ALPHV on cybercrime forums but is commonly called BlackCat by security researchers due to an icon of a black cat appearing on its leak site. BlackCat has been observed being deployed in ransomware attacks since November 18, 2021.
According to Microsoft, two of the most prolific affiliate groups associated with ransomware deployments have switched to deploying BlackCat. Microsoft tracks one of these affiliate groups as DEV-0237. Also known as FIN12, DEV-0237 is notable for its distribution of Hive, Conti, and Ryuk ransomware. The other group is DEV-0504 which was responsible for deploying BlackCat ransomware in companies in the energy sector, the fashion, tobacco, IT, and manufacturing industries, among others.
While BlackCat’s arrival and execution vary based on the actors deploying it, the outcome is the same—target data is encrypted, exfiltrated, and used for “double extortion,” where attackers threaten to release the stolen data to the public if the ransom isn’t paid.
In this blog, we provide details about the ransomware’s techniques and capabilities on Microsoft Windows and Netwitness detections for BlackCat Ransomware.
Delivery
Consistent with the RaaS model, threat actors utilize BlackCat as an additional payload to their ongoing campaigns. While their TTPs remain largely the same (for example, using tools like Mimikatz and PsExec to deploy the ransomware payload), BlackCat-related compromises have varying entry vectors, depending on the ransomware affiliate conducting the attack. For example, the common entry vectors for these threat actors include:
- The exploitation of common vulnerabilities in network infrastructure devices such as VPN gateways and remote desktop protocol (RDP) hosts.
- Compromised credentials to access internet-facing remote access software.
- Leverage Microsoft Exchange server vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) to gain target network access.
Once they have gained access, PsExec can then be used to distribute the ransomware payload or the group policies are modified which results in a scheduled task being created, on each host, that launches the malicious file.
Configuration
Each victim specific BlackCat ransomware binary has an embedded JSON data structure (Figure 1) that contains a tailored configuration considering the threat actor’s knowledge of the victim network.
Figure 1
The BlackCat configuration file contains:
- The extension appended to the encrypted files
- RSA public key that is used to encrypt the AES encryption key
- Ransom note name and content
- Stolen credentials specific to the victim’s environment
- Encryption cipher: AES/ChaCha20
- List of services and processes to be killed
- List of folders, files, and extensions to be skipped
Execution
As mentioned earlier, BlackCat is one of the first ransomware written in the Rust programming language. Its use of a modern language exemplifies a recent trend where threat actors switch to languages like Rust or Go for their payloads in their attempt to avoid detection by conventional security solutions.
The payload can be launched via dllhost.exe, which then be launched with the following commands below (Figure 2) via cmd.exe.
Figure 2
The ransomware binary itself requires an “access token” to the command line to launch the executable. These commands could vary, as the BlackCat payload allows affiliates to customize execution to the environment.
Privilege Escalation
The following privilege escalation capabilities are embedded within the ransomware:
- UAC bypass using CMSTP (Connection Manager Profile Installer) which is a Microsoft signed binary, to execute commands with elevated privileges via an elevated COM interface (cmstplua.dll).
Netwitness detection for UAC bypass using CMSTP
- CVE-2016-0099, a Secondary Logon Service exploit via CreateProcessWithLogonW() WinAPI for Privilege Escalation. In addition, privileges can be escalated using the ‘Masquerade_PEB’, previously released as a proof-of-concept script and used to give a PowerShell process the appearance of another process that in turn could allow elevated operations.
Hampering recovery and investigation efforts
BlackCat has numerous methods to make recovery efforts more difficult. The following are commands that might be launched by the payload, as well as their purposes:
- Modify boot loader to disable recovery
- bcdedit /set {default}
- bcdedit /set {default} recoveryenabled No
- Delete volume shadow copies and backups to prevent recovery
- vssadmin.exe Delete Shadows /all /quiet
- wmic.exe Shadowcopy Delete
- Clear Windows event logs to remove tracks
- cmd.exe /c for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl %1
- Modify StartUp folder in the registry for persistence:
- “\USER\<user>\Software\ Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders”
Kill targeted services and processes
BlackCat terminates the processes and/or services specified within the configuration file to minimize the number of locked (open) files as well as potentially disabling backup utilities and security software to evade detection. Ituses the TerminateProcess() API to stop Windows processes which can lock files for encryption.
This ransomware stops the following processes and services to bypass security controls to ensure they don’t lock files targeted for encryption:
Services:
backup, mepocs, memtas, msexchange, sql, svc$, veeam, vss
Processes:
agntsvc, dbeng50, dbsnmp, encsvc, excel, firefox, infopath, isqlplussvc, mydesktopqos, mspub, msaccess, mydesktopservice, notepad, ocomm, onenote, outlook, oracle, ocautoupds, ocssd, powerpnt, synctime, sql, steam, sqbcoreservice, tbirdconfig, thunderbird, thebat, visio, winword, wordpad, xfssvccon
Domain and device enumeration
The ransomware can determine the computer name of the given system, local drives on a device, and the AD domain name and username on a device. The malware can also identify whether a user has domain admin privileges, thus increasing its capability of ransoming more devices.
The following command gets the Universally Unique Identifier (UUID) of the target device:
- wmic csproduct get UUID
Propogation
BlackCat discovers all servers that are connected to a network. The process first broadcasts NetBIOS Name Service (NBNC) messages to check for these additional devices. The ransomware can replicate itself on the answering servers using the credentials specified within the configuration file via PsExec.
- psexec.exe -accepteula \\<TARGET_HOST> -u <USERNAME> -p <PASSWORD> -s -d -f -c <BLACKCAT_EXECUTABLE> [FLAGS] [OPTIONS] --access-token <ACCESS_TOKEN> [SUBCOMMAND]
It also modifies the registry to change MaxMpxCt settings; BlackCat does this to increase the number of outstanding requests allowed for example, SMB requests when distributing ransomware via its PsExec methodology.
- reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services \LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f
Netwitness detection for registry modification for MaxMpxCt settings
BlackCat uses fsutil to allow remote-to-local as well remote-to-remote symbolic links; a symbolic link is a file-system object (for example, a file or folder) that points to another file system object. This scenario turns out typically disabled in Microsoft Windows as the functionality allows malware to follow shortcuts with remote paths by enabling Remote to Local and Remote to Remote symbolic links with the fsutil command. The configuration change would allow for malware to spread to other remote hosts more easily.
- fsutil behavior set SymlinkEvaluation R2L:1 (Allows local-to-remote symbolic links)
- fsutil behavior set SymlinkEvaluation R2R:1 (Allows remote-to-remote symbolic links)
Netwitness detection for Remote Symlinks enabled
Mounts network share and Network Discovery
The ransomware discovers Windows network shares and copies itself to those locations. It can then mount several shares and duplicates itself to the root of those drives. The net use command is utilized to connect to the local computer using different credentials stored in the BlackCat configuration.
It also uses the native address resolution protocol (ARP) command to gather the IP and MAC addresses from the ARP table (a list of hosts known to the victim host)
- arp -a
Encryption
The files can be encrypted using AES algorithm or ChaCha20, with the encryption key, a Base64-encoded RSA public key, contained in the configuration file. The file extension of the encrypted files is changed to the extension contained in the configuration file.
Ransom note
NetWitness Detections
To detect BlackCat ransomware activity, deploy the following endpoint apprules:
- UAC Bypass via COM Object
- Windows Remote Symlinks Enabled
- Modifies Registry to Increase Network Request Limit
Apart from the apprules mentioned earlier, the following default endpoint apprules were observed during testing:
- boc = ‘stops security service’
- boc= ‘enumerates system info’
- boc= ’disables startup repair‘
- boc= ’deletes shadow volume copies‘
- boc= ’enumerates arp table’
In addition to the existing apprules, these rules are available on RSA Community:
- [Community] Potential MS Exchange ProxyShell Attack
- [Community] Blackcat.yar
IOCs for Linux/VMware ESXi
The following legitimate, albeit suspicious, processes can be spawned by the Linux/VMware ESXi variant:
- esxcli --formatter=csv --format-param=fields=="WorldID,DisplayName" vm process list | awk -F "\"*,\"*" '{system("esxcli vm process kill --type=force --world-id="$1)}'
- for i in `vim-cmd vmsvc/getallvms| awk '{print$1}'`;do vim-cmd vmsvc/snapshot.removeall $i & done
MITRE ATT&CK Techniques
T1059 : Command and Scripting Interpreter
T1047: Windows Management Instrumentation
T1106: Native API
T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control
T1562.001: Disable or Modify Tools
T1027: Obfuscated Files or Information
T1070.004: File Deletion
T1082: System Information Discovery
T1560: Archive Collected Data
T1486: Data Encrypted for Impact
Conclusion
Many researchers consider BlackCat as one of the most sophisticated ransomware groups out there. BlackCat programs are feature-rich and offer flexible custom settings due to the use of various configuration data and command line arguments. Although BlackCat can vary with each threat group and their deployment methods, understanding a ransomware, its usual delivery methods, and the techniques used can be very beneficial for a SOC analyst, incident responder or threat hunter. NetWitness can aid in detecting the presence of BlackCat within your environment —so you can respond before this omnipotent malware causes major loss in the form of data, intellectual property, exfiltration, and/or financials.
References:
https://www.microsoft.com/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/
https://www.varonis.com/blog/blackcat-ransomware
https://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware
Common-TTPs-of-the-modern-ransomware_low-res.pdf (kasperskycontenthub.com)
https://blog.group-ib.com/blackcat
