Blackcat Ransomware

History of Blackcat

BlackCat, also known as Noberus or ALPHV, is ransomware developed by a Russian cyber-criminal gang and available since at least November 2021. It is offered as ransomware-as-a-service (RaaS), with the operators collecting a commission of between 10% and 20%, lower than many competing operations. It was built to target Linux and VMware platforms as well as Windows.

Selected Attacks

MGM Resorts and Caesars Entertainment were attacked by Scattered Spider, an ALPHV affiliate. MGM chose to suspend operations for a period rather than pay, resulting in a significant hit to its bottom line.

It was reported in May 2024 that Hong Kong’s Consumer Council had been the target of a ransomware attack by ALPHV.

After the Change Healthcare ransomware attack in February 2024, which netted the attackers $10 million, the gang claimed that it would cease operations. However, many experts think this is unlikely.

Technical Details

In our tests, Blackcat required an access token as a parameter. Its value appears to be unimportant, so a command such as ‘blackcat --ui --access-token 1234567890 -p c:\infolder’ starts the encryption.

Blackcat was written in the Rust programming language and has been ported from Windows to other platforms. Its authors were early adopters of intermittent encryption, in which only portions of larger files are encrypted to save time. The behaviour is parameterised, giving six possible ways to encrypt a file: encrypt the full file; encrypt the first N bytes; encrypt N bytes at every step of Y bytes; encrypt the first N bytes, then divide the rest of the file into equal-sized blocks and encrypt P% of the bytes of each block; a variant of the previous mode in which the number of blocks is chosen by the operator; and an automatic mode in which the ransomware selects and parameterises the mode from the filename extension and file size.

Encryption mode              Description
Full                         Encrypt all file content.
HeadOnly [N]                 Encrypt the first N bytes of the file.
DotPattern [N,Y]             Encrypt every N bytes of the file with a step of Y bytes.
SmartPattern [N,P]           Encrypt the first N bytes of the file. BlackCat divides the rest of the file into equal-sized blocks, such that each block is 10% of the rest of the file in size. BlackCat encrypts P% of the bytes of each block.
AdvancedSmartPattern [N,P,B] Encrypt the first N bytes of the file. BlackCat divides the rest of the file into B equal-sized blocks. BlackCat encrypts P% of the bytes of each block.
Auto                         Combinatory file encryption mode. Encrypt the file’s content according to one of the file encryption modes Full, DotPattern [N,Y], and AdvancedSmartPattern [N,P,B]. BlackCat selects and parametrizes a file encryption mode based on the filename extension and the file size.
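The modes in the table above can be expressed as a coverage map: for a given mode, parameters and file size, which byte ranges become ciphertext and which are left untouched. The following is an added Python example written for this page (not Memcrypt's code and not code from the ransomware) that computes those ranges and their complement, which is what a forensic recovery tool needs in order to know how much of a file survives in plaintext. It performs no encryption. Three details are assumptions rather than verified behaviour: DotPattern is taken as N-byte chunks whose starts are Y bytes apart beginning at offset 0, "P% of each block" is taken as the first P% of every block, and block lengths use integer division. Auto is not modelled because its selection rules are not given on the page.

```python
"""Coverage map for the BlackCat intermittent encryption modes listed in the table.

Given a mode, its parameters and a file size, compute which byte ranges the mode
encrypts and which remain plaintext. This is a triage aid for partial recovery;
no cryptography is performed. Offset arithmetic for DotPattern, the "first P% of
each block" rule and integer block division are assumptions, not verified facts.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Range:
    start: int  # inclusive byte offset
    end: int    # exclusive byte offset

    def __len__(self) -> int:
        return self.end - self.start


def _clip(start: int, end: int, size: int) -> Range | None:
    """Clip a candidate range to the file; None if nothing is left."""
    start, end = max(0, start), min(end, size)
    return Range(start, end) if end > start else None


def _block_pattern(size: int, n: int, p: int, blocks: int) -> list[Range]:
    """Head of N bytes, then the first P% of each of `blocks` equal blocks of the rest."""
    ranges: list[Range] = []
    head = _clip(0, n, size)
    if head:
        ranges.append(head)
    rest = size - n
    if rest <= 0 or blocks <= 0:
        return ranges
    block_len = rest // blocks        # assumption: integer division, trailing bytes untouched
    enc_len = block_len * p // 100    # assumption: P% taken from the start of each block
    for i in range(blocks):
        start = n + i * block_len
        r = _clip(start, start + enc_len, size)
        if r:
            ranges.append(r)
    return ranges


def encrypted_ranges(mode: str, size: int, n: int = 0, y: int = 0,
                     p: int = 0, b: int = 0) -> list[Range]:
    """Byte ranges a mode encrypts in a file of `size` bytes, per the table."""
    if mode == "Full":
        return [Range(0, size)] if size > 0 else []
    if mode == "HeadOnly":
        r = _clip(0, n, size)
        return [r] if r else []
    if mode == "DotPattern":
        # assumption: N-byte chunks whose starts are Y bytes apart, starting at offset 0
        if n <= 0 or y <= 0:
            raise ValueError("DotPattern needs N > 0 and Y > 0")
        ranges: list[Range] = []
        for start in range(0, size, y):
            r = _clip(start, start + n, size)
            if r:
                ranges.append(r)
        return ranges
    if mode == "SmartPattern":
        return _block_pattern(size, n, p, 10)   # table: each block is 10% of the rest
    if mode == "AdvancedSmartPattern":
        return _block_pattern(size, n, p, b)
    raise ValueError(f"unsupported mode {mode!r} (Auto's selection rules are not published here)")


def plaintext_ranges(encrypted: list[Range], size: int) -> list[Range]:
    """Complement of the encrypted ranges: bytes still readable without any key."""
    out: list[Range] = []
    cursor = 0
    for r in sorted(encrypted, key=lambda r: r.start):
        if r.start > cursor:
            out.append(Range(cursor, r.start))
        cursor = max(cursor, r.end)
    if cursor < size:
        out.append(Range(cursor, size))
    return out


def encrypted_fraction(encrypted: list[Range], size: int) -> float:
    """Share of the file that is ciphertext (overlaps are not expected from these modes)."""
    return sum(len(r) for r in encrypted) / size if size else 0.0


if __name__ == "__main__":
    # constructed sample: a 1 MiB file under each mode with illustrative parameters
    size = 1 << 20
    samples = {
        "Full": dict(), "HeadOnly": dict(n=65536), "DotPattern": dict(n=4096, y=65536),
        "SmartPattern": dict(n=65536, p=10), "AdvancedSmartPattern": dict(n=65536, p=10, b=4),
    }
    for mode, params in samples.items():
        enc = encrypted_ranges(mode, size, **params)
        print(f"{mode:22s} encrypted {encrypted_fraction(enc, size):6.1%} "
              f"in {len(enc)} range(s); {len(plaintext_ranges(enc, size))} plaintext range(s)")
```

Running the script prints, per mode, how much of the sample file is ciphertext and how many contiguous plaintext runs remain; the plaintext ranges are the regions a recovery workflow can copy out directly before attempting anything with the encrypted remainder.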

A typical Blackcat ransom note, entitled RECOVER_extension_FILES.txt, reads:

» What happened?

Important files on your network was ENCRYPTED and now they have “extension” extension. In order to recover your files you need to follow instructions below.

Sensitive Data

Sensitive data on your system was DOWNLOADED. If you DON’T WANT your sensitive data to be PUBLISHED you have to act quickly.

Data includes:

  • Employees personal data, CVs, DL, SSN.
  • Complete network map including credentials for local and remote services.
  • Private financial information including: clients data, bills, budgets, annual reports, bank statements.
  • Manufacturing documents including: datagrams, schemas, drawings in solidworks format
  • And more…

CAUTION

DO NOT MODIFY ENCRYPTED FILES YOURSELF. DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA. YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS.

Parameters that can be used to execute Blackcat on the command line are:

c:\Users\user\Documents\Blackcat>blackcat --help

USAGE: [OPTIONS] [SUBCOMMAND]

OPTIONS:
  --access-token               Access Token
  --bypass ...
  --child                      Run as child process
  --drag-and-drop              Invoked with drag and drop
  --drop-drag-and-drop-target  Drop drag and drop target batch file
  --extra-verbose              Log more to console
  -h, --help                   Print help information
  --log-file                   Enable logging to specified file
  --no-net                     Do not discover network shares on Windows
  --no-prop                    Do not self propagate(worm) on Windows
  --no-prop-servers ...        Do not propagate to defined servers
  --no-vm-kill                 Do not stop VMs on ESXi
  --no-vm-kill-names ...       Do not stop defined VMs on ESXi
  --no-vm-snapshot-kill        Do not wipe VMs snapshots on ESXi
  --no-wall                    Do not update desktop wallpaper on Windows
  -p, --paths ...              Only process files inside defined paths
  --propagated                 Run as propagated process
  --ui                         Show user interface
  -v, --verbose                Log to console

Recovery

Memcrypt Detect identifies live ransomware attacks and uses file and memory forensics to recover from them. We have recovered data using our product against a wide range of ransomware families, including Blackcat, that use standard and non-standard encryption algorithms. Please contact us at sales@memcrypt.io to see how we can assist you in recovering from ransomware.

References

The Anatomy of a Blackcat attack: https://www.sygnia.co/blog/blackcat-ransomware/
ALPHV-BlackCat ransomware group goes dark: https://blog.barracuda.com/2024/03/06/alphv-blackcat-ransomware-goes-dark

DISCLAIMER

This document is not a substitute for obtaining security and legal advice. All reasonable measures should be taken to lower the risk of exploitable potential weaknesses. This report does not constitute a guarantee or assurance of compliance. MemCrypt is not ultimately responsible for assessing and meeting compliance responsibilities.