The Federal Bureau of Investigation (FBI) has released new information on BlackCat (also known as ALPHV), a ransomware-as-a-service (RaaS) operation that has compromised at least 60 entities worldwide as of March 2022.
The FBI also shared that BlackCat is the first ransomware group that has used Rust, a secure programming language designed for performance and reliable concurrent processing.
“BlackCat-affiliated threat actors typically request ransom payments of several million dollars in Bitcoin and Monero but have accepted ransom payments below the initial ransom demand amount. Many of the developers and money launderers for BlackCat/ALPHV are linked to Darkside/Blackmatter, indicating they have extensive networks and experience with ransomware operations,” the FBI stated in the flash alert.
According to the report, BlackCat/ALPHV ransomware gains access to the victim’s system via previously stolen user credentials. The malware then abuses that access to compromise Active Directory user and administrator accounts, then pivots to leverage built-in Windows tools to deploy ransomware.
“The malware uses Windows Task Scheduler to configure malicious Group Policy Objects (GPOs) to deploy ransomware. Initial deployment of the malware leverages PowerShell scripts, in conjunction with Cobalt Strike, and disables security features within the victim’s network. BlackCat/ALPHV ransomware also leverages Windows administrative tools and Microsoft Sysinternals tools during compromise,” the FBI added.
In early February, Varonis Threat Labs discovered that the RaaS has been on the attack since late 2021 and has been recruiting other ransomware groups, such as ex-REvil, BlackMatter, and DarkSide.
Moreover, the group boasted affiliate pay-outs of up to 90% and used a Rust-based ransomware executable that is “fast, cross-platform, heavily customized per victim.”
According to the Varonis report, other BlackCat RaaS capabilities include:
- AES encryption by default.
- Built-in privilege escalation (UAC bypass, Masquerade_PEB, CVE-2016-0099).
- Can propagate to remote hosts via PsExec.
- Deletes shadow copies using VSS Admin.
- Stops VMware ESXi virtual machines and deletes snapshots.
The FBI further provided details on BlackCat/ALPHV indicators of compromise (IoC) and recommended mitigations.
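Because the behaviours described above rely on built-in Windows and Sysinternals tools, defenders usually hunt for them in process-creation command lines rather than by file hash. The following is an added example, not code from the FBI alert or the Varonis report: it matches three of the behaviours named in the article (Task Scheduler use, PsExec against a remote host, shadow-copy deletion) and flags a host only when two or more distinct behaviours occur within a short window. The rule names, hostnames, file paths and sample events are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical rule names; patterns cover behaviours named in the article.
RULES = {
    "shadow_copy_deletion": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "psexec_remote_exec": re.compile(r"\bpsexec(64)?(\.exe)?\b.*\\\\[\w.-]+", re.I),
    "scheduled_task_created": re.compile(r"\bschtasks(\.exe)?\b.*/create\b", re.I),
}

# Constructed process-creation events (time, host, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("2022-03-01T02:10:05", "WS-014", r"C:\Windows\System32\schtasks.exe /Create /TN Updater /TR C:\Temp\task.exe /SC ONSTART"),
    ("2022-03-01T02:11:40", "WS-014", r"PsExec64.exe \\FS-02 -s C:\Temp\task.exe"),
    ("2022-03-01T02:12:10", "FS-02", r"schtasks.exe /create /tn Updater /tr C:\Temp\task.exe /sc onstart"),
    ("2022-03-01T02:12:30", "FS-02", r"vssadmin.exe delete shadows /all /quiet"),
    ("2022-03-01T08:00:00", "ADM-01", r"schtasks.exe /Create /TN Backup /TR C:\Scripts\backup.cmd /SC DAILY"),
    ("2022-03-01T15:00:00", "ADM-01", r"psexec.exe \\WS-200 ipconfig /all"),
    ("2022-03-01T09:00:00", "WS-200", r"schtasks.exe /Query /FO LIST"),
    ("2022-03-01T09:30:00", "BK-01", r"vssadmin.exe list shadows"),
]

def match_rules(command_line):
    """Return the names of all rules whose pattern matches the command line."""
    return [name for name, rx in RULES.items() if rx.search(command_line)]

def correlate(events, window=timedelta(minutes=10), min_rules=2):
    """Return {host: sorted rule names} for hosts where at least min_rules
    distinct rules fired within one window starting at any matching event."""
    hits = defaultdict(list)
    for ts, host, cmd in events:
        for rule in match_rules(cmd):
            hits[host].append((datetime.fromisoformat(ts), rule))
    flagged = {}
    for host, items in hits.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            rules = {r for t, r in items[i:] if t - start <= window}
            if len(rules) >= min_rules:
                flagged[host] = sorted(rules)
                break
    return flagged

if __name__ == "__main__":
    for host, rules in correlate(SAMPLE_EVENTS).items():
        print(host, rules)
```

The time window keeps routine administration (ADM-01 in the sample, where the two tools are used hours apart) from being flagged, while a single match such as shadow-copy deletion can still be alerted on separately through `match_rules`.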