The advent of the Sphynx strain of the BlackCat ransomware demonstrates how cybercrime strategies are always evolving. Sphynx seeks to get past security precautions and accomplish its objectives by concentrating on speed and stealth. This updated version, which has trash code, encrypted text, and revised command line parameters, improves the group's evasion tactics. Sphynx also encrypts files, does network discovery tasks, drops a ransom letter, and has a loader for decrypting the ransomware payload. Despite efforts by law enforcement, the ongoing danger posed by BlackCat and its twofold extortion scheme, as well as the professionalisation of cybercrime motivated by monetary gain, underscore the ongoing difficulties that organisations confront.


  • Review user accounts for unauthorized additions.
  • Back up and password protect data offline.
  • Implement network segmentation.
  • Maintain multiple secure data copies.
  • Keep systems and software up to date.
  • Use multifactor authentication.
  • Regularly change and avoid reusing passwords.
  • Disable unused remote access and monitor logs.
  • Audit and limit administrative privileges.
  • Install and update antivirus/anti-malware software          


  • Be on the lookout for odd communication patterns in network traffic, such as connections to servers utilised by well-known command-and-control servers for ransomware.
  • Use endpoint security tools or EDR tools to monitor endpoint behaviour for signs of file encryption activity or suspicious behaviour.
  • Use anomaly detection techniques to spot unusual file access patterns or unlawful encryption activities.
  • Users should be informed about ransomware symptoms and urged to report any odd actions or communications.
  • Use file integrity monitoring tools to check for unauthorised modifications to critical system files.
  • Follow security updates and alerts to be aware of any new ransomware threats.
  • Run regular checks on machines for known ransomware signs using antivirus and anti-malware software. Then, review the logs for any peculiar or suspicious behaviour after turning on logging.
  • Run frequent penetration testing and vulnerability assessments to identify and patch any security holes that ransomware might be able to exploit.

Indicators of Compromise (IOCs)

PowerShell Scripts:

Filename: amd - Copy.ps1, MD5 Hash: 861738dd15eb7fb50568f0e39a69e107

Filename: ipscan.ps1, MD5 Hash: 9f60dd752e7692a2f5c758de4eab3e6f

Filename: Run1.ps1, MD5 Hash: 09bc47d7bc5e40d40d9729cec5e39d73

Additional PowerShell Filenames:

[###].ps1, CME.ps1,  [#].ps1, Run1.ps1, mim.ps1, [##].ps1, psexec.ps1, Systems.ps1, System.ps1, etc..,

Batch Scripts:

Filename: CheckVuln.bat, MD5 Hash: f5ef5142f044b94ac5010fd883c09aa7

Filename: Create-share-RunAsAdmin.bat, MD5 Hash: 84e3b5fe3863d25bb72e25b10760e861

Filename: LPE-Exploit-RunAsUser.bat, MD5 Hash: 9f2309285e8a8471fce7330fcade8619

Filename: RCE-Exploit-RunAsUser.bat, MD5 Hash: 6c6c46bdac6713c94debbd454d34efd9

Filename: est.bat, MD5 Hash: e7ee8ea6fb7530d1d904cdb2d9745899

Filename: runav.bat, MD5 Hash: 815bb1b0c5f0f35f064c55a1b640fca5

Executables and DLLs:

Filename: http_x64.exe, MD5 Hash: 6c2874169fdfb30846fe7ffe34635bdb

Filename: spider.dll, MD5 Hash: 20855475d20d252dda21287264a6d860

Filename: spider_32.dll, MD5 Hash: 82db4c04f5dcda3bfcd75357adf98228

Filename: powershell.dll, MD5 Hash: fcf3a6eeb9f836315954dae03459716d

Filename: rpcdump.exe, MD5 Hash: 91625f7f5d590534949ebe08cc728380

Additional Observed Filenames:

test.exe, xxx.exe, Mim.exe, xxw.exe, crackmapexec.exe, Services.exe, plink.exe, Systems.exe, PsExec64.exe, etc..,

BlackCat Ransomware SHA256 Hashes:





C2 IPs:




Get in touch

Send us a Message

Looking for general information or have a specific question. Fill the form below or drop
us a line at