Analysis

In less than a month, the BlackCat group has purportedly compromised more than a dozen victims, named those victims on its blog, and broken into the top 10 threats as measured by victim count, according to recent analysis of the malware by researchers at Palo Alto Networks. The ransomware program seems well-designed and is written in Rust, an efficient programming language that has gained popularity over the past decade.

The ransomware platform makes extensive use of configuration files to allow the operator to customize the attack to certain victims, determine what processes to shut down, and even use a customized list of credentials to move laterally within a company.

“In some cases, BlackCat operators use the chat to threaten the victim, claiming they will perform a DDoS attack on the victims’ infrastructure if the ransom is not paid,” the analysis stated. “When it appears in addition to the use of a leak site, this practice is known as triple extortion, a tactic that was observed being used by groups like Avaddon and Suncrypt in the past.”

Affected Locations

  • Germany
  • France
  • Netherlands
  • Philippines
  • Spain

Mitigation

  1. Quarantine suspicious emails.
  2. Get password security under control (e.g. enforce 2FA).
  3. Conduct employee security training.
  4. Avoid installing third-party software where possible.
  5. Keep software patched and updated.
  6. Perform regular system backups.

IOC

References

  1. https://www.darkreading.com/threat-intelligence/aggressive-blackcat-ransomware-on-the-rise
  2. https://otx.alienvault.com/pulse/61ea997d233aa9f7a13e2c4a