BlackCat Ransomware

Analysis

The emergence of the Sphynx variant of the BlackCat ransomware shows how cybercrime tradecraft keeps evolving. Sphynx focuses on speed and stealth to get past security controls and reach its objectives. This updated version, which adds junk code, encrypted strings and revised command-line parameters, improves the group's evasion tactics. Sphynx also encrypts files, performs network discovery, drops a ransom note and includes a loader that decrypts the ransomware payload. Despite law-enforcement efforts, the continuing threat from BlackCat and its double-extortion scheme, together with the professionalisation of financially motivated cybercrime, underscore the ongoing difficulties that organisations face.

Prevention

  • Review user accounts for unauthorized additions.
  • Back up and password protect data offline.
  • Implement network segmentation.
  • Maintain multiple secure data copies.
  • Keep systems and software up to date.
  • Use multifactor authentication.
  • Regularly change and avoid reusing passwords.
  • Disable unused remote access and monitor logs.
  • Audit and limit administrative privileges.
  • Install and update antivirus/anti-malware software.

Detection

  • Watch network traffic for unusual communication patterns, such as connections to infrastructure known to be used for ransomware command and control.
  • Use endpoint security or EDR tools to monitor endpoint behaviour for signs of file-encryption activity or other suspicious behaviour.
  • Use anomaly detection techniques to spot unusual file access patterns or unauthorised encryption activity.
  • Inform users about the symptoms of ransomware and urge them to report any odd activity or messages.
  • Use file integrity monitoring tools to check for unauthorised modifications to critical system files.
  • Follow security updates and alerts to stay aware of new ransomware threats.
  • Turn on logging, run regular antivirus/anti-malware scans for known ransomware indicators, and review the logs for any peculiar or suspicious behaviour.
  • Run frequent penetration tests and vulnerability assessments to identify and patch security holes that ransomware could exploit.

Indicators of Compromise (IOCs)

PowerShell Scripts:

  • Filename: amd - Copy.ps1, MD5 Hash: 861738dd15eb7fb50568f0e39a69e107
  • Filename: ipscan.ps1, MD5 Hash: 9f60dd752e7692a2f5c758de4eab3e6f
  • Filename: Run1.ps1, MD5 Hash: 09bc47d7bc5e40d40d9729cec5e39d73

Additional PowerShell Filenames:

[###].ps1, CME.ps1, [#].ps1, Run1.ps1, mim.ps1, [##].ps1, psexec.ps1, Systems.ps1, System.ps1, etc.

Batch Scripts:

  • Filename: CheckVuln.bat, MD5 Hash: f5ef5142f044b94ac5010fd883c09aa7
  • Filename: Create-share-RunAsAdmin.bat, MD5 Hash: 84e3b5fe3863d25bb72e25b10760e861
  • Filename: LPE-Exploit-RunAsUser.bat, MD5 Hash: 9f2309285e8a8471fce7330fcade8619
  • Filename: RCE-Exploit-RunAsUser.bat, MD5 Hash: 6c6c46bdac6713c94debbd454d34efd9
  • Filename: est.bat, MD5 Hash: e7ee8ea6fb7530d1d904cdb2d9745899
  • Filename: runav.bat, MD5 Hash: 815bb1b0c5f0f35f064c55a1b640fca5

Executables and DLLs:

  • Filename: http_x64.exe, MD5 Hash: 6c2874169fdfb30846fe7ffe34635bdb
  • Filename: spider.dll, MD5 Hash: 20855475d20d252dda21287264a6d860
  • Filename: spider_32.dll, MD5 Hash: 82db4c04f5dcda3bfcd75357adf98228
  • Filename: powershell.dll, MD5 Hash: fcf3a6eeb9f836315954dae03459716d
  • Filename: rpcdump.exe, MD5 Hash: 91625f7f5d590534949ebe08cc728380

Additional Observed Filenames:

test.exe, xxx.exe, Mim.exe, xxw.exe, crackmapexec.exe, Services.exe, plink.exe, Systems.exe, PsExec64.exe, etc.

BlackCat Ransomware SHA256 Hashes:

  • 731adcf2d7fb61a8335e23dbee2436249e5d5753977ec465754c6b699e9bf161
  • f837f1cd60e9941aa60f7be50a8f2aaaac380f560db8ee001408f35c1b7a97cb
  • 80dd44226f60ba5403745ba9d18490eb8ca12dbc9be0a317dd2b692ec041da28

C2 IPs:

89.44.9.243    142.234.157.246    45.134.20.66  185.220.102.253    37.120.238.58    152.89.247.207     198.144.121.93    89.163.252.230    45.153.160.140   23.106.223.97    139.60.161.161   146.0.77.15    94.232.41.155
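The Detection bullets above call for matching file hashes and network connections against known indicators. The following is an added example, written for this page and not taken from the original post or any vendor tool: it parses entries in the "Filename: X, MD5 Hash: Y" and "C2 IPs:" layout used in the IOC section and runs them against file contents and firewall/proxy log lines. The IOC_TEXT excerpt and the SAMPLE_LOG lines are constructed for the example; the two hashes and three IPs in the excerpt are copied from the list above.

```python
import hashlib
import re

# Constructed excerpt in the same "Filename: X, MD5 Hash: Y" and "C2 IPs:"
# layout as the IOC section above; the hashes and IPs are copied from it.
IOC_TEXT = """\
PowerShell Scripts:
Filename: ipscan.ps1, MD5 Hash: 9f60dd752e7692a2f5c758de4eab3e6f
Batch Scripts:
Filename: runav.bat, MD5 Hash: 815bb1b0c5f0f35f064c55a1b640fca5
C2 IPs:
89.44.9.243    142.234.157.246    45.134.20.66
"""
ENTRY_RE = re.compile(r"Filename:\s*(?P<name>.+?),\s*MD5 Hash:\s*(?P<md5>[0-9a-fA-F]{32})")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def parse_iocs(text):
    """Return ({md5: filename}, {c2_ip}) from IOC text in the page's layout."""
    md5s, ips, in_c2 = {}, set(), False
    for line in text.splitlines():
        entry = ENTRY_RE.search(line)
        if entry:
            md5s[entry["md5"].lower()] = entry["name"].strip()
        elif line.rstrip().endswith(":"):       # section header, e.g. "C2 IPs:"
            in_c2 = line.strip().lower().startswith("c2 ip")
        elif in_c2:
            ips.update(IP_RE.findall(line))
    return md5s, ips

def match_file(data, md5s):
    """Hash file contents; return the matching IOC filename or None."""
    return md5s.get(hashlib.md5(data).hexdigest())

def match_log(lines, c2_ips):
    """Return (line_no, ip) for each log line that talks to a listed C2 IP."""
    return [(n, ip) for n, line in enumerate(lines, 1)
            for ip in IP_RE.findall(line) if ip in c2_ips]

# Constructed firewall/proxy log lines; the middle one is benign.
SAMPLE_LOG = [
    "2023-06-01T10:02:11Z fw allow src=10.0.4.17 dst=89.44.9.243 dport=443",
    "2023-06-01T10:02:15Z fw allow src=10.0.4.17 dst=93.184.216.34 dport=443",
    "2023-06-01T10:03:40Z proxy CONNECT 45.134.20.66:443 user=jdoe",
]

if __name__ == "__main__":
    md5s, c2 = parse_iocs(IOC_TEXT)
    print(match_log(SAMPLE_LOG, c2))        # [(1, '89.44.9.243'), (3, '45.134.20.66')]
    print(match_file(b"harmless content", md5s))   # None
```

To use it on a real host, feed the full IOC section to parse_iocs, hash files from the paths the scripts were observed in, and pass exported firewall or proxy logs to match_log.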

