Our colleagues in the FBI have today issued a warning on BlackCat ransomware. As of March 2022, BlackCat/ALPHV ransomware as a service (RaaS) had compromised at least 60 entities worldwide and is the first ransomware group to do so successfully using RUST, which is considered to be a more secure programming language.
BlackCat-affiliated threat actors typically request ransom payments of several million dollars in Bitcoin and Monero but have accepted ransom payments below the initial ransom demand amount. Many of the developers and money launderers for BlackCat/ALPHV are linked to Darkside/Blackmatter, indicating they have extensive networks and experience with ransomware operations.
We do not encourage paying ransoms. Payment does not guarantee files will be recovered. It may also encourage adversaries to target additional organisations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. However, we understand that when victims are faced with an inability to function, all options are evaluated to protect shareholders, employees and customers.
Regardless of whether you or your organisation pay the ransom or not, we would strongly advise you to report it to Action Fraud. You can do so online at-
Via phone on 0300 123 2040
And via textphone on 0300 123 2050
So, what do we know about BlackCat?
How does BlackCat gain access to systems?
BlackCat/ALPHV ransomware leverages previously compromised user credentials to gain initial access to the victim system. Once the malware establishes access, it compromises Active Directory user and administrator accounts. The malware uses Windows Task Scheduler to configure malicious Group Policy Objects (GPOs) to deploy ransomware. Initial deployment of the malware leverages PowerShell scripts, in conjunction with Cobalt Strike, and disables security features within the victim’s network. BlackCat/ALPHV ransomware also leverages Windows administrative tools and Microsoft Sysinternals tools during compromise.
BlackCat/ALPHV steals victim data prior to the execution of the ransomware, including from cloud providers where company or client data was stored.
The actors leverage Windows scripting to deploy ransomware and to compromise additional hosts. For example, the following batch and PowerShell scripts were observed:
start.bat - launches the ransomware executable with required arguments
est.bat - copies the ransomware to other locations
drag-and-drop-target.bat - launches the ransomware executable for the MySQL Server
run.bat - executes a callout command to an external server using SSH - file names may change depending on the company and systems affected
Runs1.ps1 – PowerShell script to disable McAfee
Indicators of Compromise
The following are characteristics of compromise by BlackCat/ALPHV, as of mid-February 2022:
Use multifactor authentication where possible.
Consider using zero-trust architecture.
Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.
Regularly back up data, air gap, and password protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
Review Task Scheduler for unrecognized scheduled tasks. Additionally, manually review operating system defined or recognized scheduled tasks for unrecognized “actions” (for example: review the steps each scheduled task is expected to perform).
Review antivirus logs for indications they were unexpectedly turned off.
Implement network segmentation.
Require administrator credentials to install software.
Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (e.g., hard drive, storage device, the cloud).
Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.
Regularly change passwords to network systems and accounts, and avoid reusing passwords for different accounts.
Implement the shortest acceptable timeframe for password changes for administrator accounts.
Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
Install and regularly update antivirus and anti-malware software on all hosts.