A relatively new ransomware-as-a-service dubbed “BlackCat” (also known as ALPHV) has been actively recruiting affiliates from other ransomware groups to target organizations around the globe.
The group boasts affiliate payouts of up to 90% and uses a Rust-based ransomware executable that is “fast, cross-platform, heavily customized per victim.”
According to the Varonis report, other BlackCat RaaS capabilities include:
- AES encryption by default.
- Built-in privilege escalation (UAC bypass, Masquerade_PEB, CVE-2016-0099).
- Can propagate to remote hosts via PsExec.
- Deletes shadow copies using vssadmin (VSS Admin).
- Stops VMware ESXi virtual machines and deletes their snapshots.
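Two of the behaviours in the list above, shadow-copy deletion with vssadmin and lateral movement via PsExec, leave distinctive process-creation events on Windows hosts. The following is an added detection example, not code from the Varonis report or from the article: it parses a handful of constructed process-creation log lines (assumed to be exported in a simple `key=value` form with Sysmon-style field names `host`, `Image`, `CommandLine`, `ParentImage`) and flags the events a responder would want to triage. A benign `vssadmin list shadows` and an unrelated process are included to show the rules do not fire on them; the ESXi side of the list is not covered here.

```python
"""Added detection example for two BlackCat-style host behaviours:
shadow-copy deletion via vssadmin and remote execution via the PsExec service.
Log lines and field names below are constructed for illustration."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    host: str
    rule: str
    command_line: str


# Constructed sample events. Assumption: one process-creation event per line,
# key=value pairs, quoted values may contain spaces (Sysmon-like field names).
SAMPLE_LOG = """\
host=WS01 Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin.exe delete shadows /all /quiet" ParentImage=C:\\Windows\\System32\\cmd.exe
host=FS02 Image=C:\\Windows\\PSEXESVC.exe CommandLine="C:\\Windows\\PSEXESVC.exe" ParentImage=C:\\Windows\\System32\\services.exe
host=WS03 Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin.exe list shadows" ParentImage=C:\\Windows\\System32\\cmd.exe
host=WS03 Image=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe report.txt" ParentImage=C:\\Windows\\explorer.exe
"""

# key=value tokens; quoted values keep their spaces, unquoted values run to whitespace
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict:
    """Turn one log line into a dict of field -> value (surrounding quotes removed)."""
    return {key: value.strip('"') for key, value in KV.findall(line)}


def _image_is(event: dict, name: str) -> bool:
    return event.get("Image", "").lower().endswith(name)


def is_shadow_copy_deletion(event: dict) -> bool:
    """vssadmin invoked with 'delete shadows' (inhibits recovery); 'list shadows' is benign."""
    return _image_is(event, "vssadmin.exe") and bool(
        re.search(r"\bdelete\s+shadows\b", event.get("CommandLine", ""), re.I)
    )


def is_psexec_service_execution(event: dict) -> bool:
    """PSEXESVC.exe started by the Service Control Manager: the PsExec service
    being installed and run on this host from a remote machine."""
    return _image_is(event, "psexesvc.exe") and event.get(
        "ParentImage", ""
    ).lower().endswith("services.exe")


RULES = [
    ("shadow_copy_deletion", is_shadow_copy_deletion),
    ("psexec_service_execution", is_psexec_service_execution),
]


def scan(log_text: str) -> list:
    """Apply every rule to every event and return the findings in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        for rule_name, predicate in RULES:
            if predicate(event):
                findings.append(
                    Finding(
                        host=event.get("host", "?"),
                        rule=rule_name,
                        command_line=event.get("CommandLine", ""),
                    )
                )
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"[{finding.rule}] {finding.host}: {finding.command_line}")
```

In a real deployment the two predicates would be run against the SIEM's process-creation feed; the PsExec rule in particular is only meaningful on hosts where administrators do not routinely use PsExec, so it is normally paired with an allow-list of expected source accounts or hosts.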
The actors also employ a “triple extortion” tactic when their ransom demands are not met.
“Building upon the common double-extortion tactic in which sensitive data is stolen prior to encryption and the victim threatened with its public release, triple-extortion adds the threat of a distributed denial-of-service (DDoS) attack if the ransomware group’s demands aren’t met,” Varonis wrote in the blog post.
Brian Krebs also wrote a blog post examining who might be the developers behind the ALPHV/BlackCat ransomware strain.
ZDNet also reported that BlackCat was allegedly behind ransomware attacks on two German oil companies, which affected hundreds of gas stations across northern Germany.