BlackCat: a new ransomware-as-a-service threat

A relatively new ransomware-as-a-service dubbed “BlackCat” (also known as ALPHV) has been actively recruiting affiliates from other ransomware groups to target organizations around the globe.

Varonis Threat Labs discovered the RaaS service has been on the attack since late 2021 and has been recruiting other ransomware groups, such as ex-REvil, BlackMatter, and DarkSide,

Moreover, the group boasts up to a 90% affiliate pay-outs and uses a Rust-based ransomware executable that is “fast, cross-platform, heavily customized per victim.”

According to the Varonis report, other BlackCat RaaS capabilities include:

  • AES encryption by default.
  • Built-in privilege escalation (UAC bypass, Masquerade_PEB, CVE-2016-0099).
  • Can propagate to remote hosts via PsExec.
  • Deletes shadow copies using VSS Admin.
  • Stops VMware ESXi virtual machines and deletes snapshot.

Additionally, the actors also employ a “triple extortion” tactic if their ransom demands are not met.

“Building upon the common double-extortion tactic in which sensitive data is stolen prior to encryption and the victim threatened with its public release, triple-extortion adds the threat of a distributed denial-of-service (DDoS) attack if the ransomware group’s demands aren’t met,” Varonis wrote in the blog post.

Brian Krebs also wrote in a blog post about who could be the developers behind the ALPHV/BlackCat Ransomware strain.

Moreover, ZDNet also reported that BlackCat was allegedly behind ransomware attacks against two German oil companies that affected hundreds of gas stations across northern Germany.