Analysis
The advent of the Sphynx strain of the BlackCat ransomware demonstrates how cybercrime tooling keeps evolving. Sphynx is built for speed and stealth so that it can get past security controls and accomplish its objectives. This updated version improves the group's evasion tactics with junk code, encrypted strings, and revised command-line parameters. Sphynx also encrypts files, performs network discovery, drops a ransom note, and includes a loader that decrypts the ransomware payload. Despite law-enforcement efforts, the ongoing danger posed by BlackCat and its double-extortion scheme, together with the professionalisation of financially motivated cybercrime, underscores the difficulties that organisations continue to face.
Prevention
- Review user accounts for unauthorized additions.
- Back up and password protect data offline.
- Implement network segmentation.
- Maintain multiple secure data copies.
- Keep systems and software up to date.
- Use multifactor authentication.
- Regularly change and avoid reusing passwords.
- Disable unused remote access and monitor logs.
- Audit and limit administrative privileges.
- Install and update antivirus/anti-malware software.
Detection
- Be on the lookout for odd communication patterns in network traffic, such as connections to known ransomware command-and-control servers.
- Use endpoint security tools or EDR tools to monitor endpoint behaviour for signs of file encryption activity or suspicious behaviour.
- Use anomaly detection techniques to spot unusual file access patterns or unlawful encryption activities.
- Users should be informed about ransomware symptoms and urged to report any odd actions or communications.
- Use file integrity monitoring tools to check for unauthorised modifications to critical system files.
- Follow security updates and alerts to be aware of any new ransomware threats.
- Run regular scans for known ransomware indicators using antivirus and anti-malware software. Enable logging, then review the logs for any peculiar or suspicious behaviour.
- Run frequent penetration testing and vulnerability assessments to identify and patch any security holes that ransomware might be able to exploit.
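The file integrity monitoring and anomaly detection items above can be implemented with a hash baseline and a comparison step. The following is an added example written for this advisory, not tooling from the advisory or from any vendor: it takes a SHA-256 baseline of a directory tree, compares a later snapshot against it, and raises an alert on the pattern file-encrypting ransomware leaves behind, namely many files disappearing and re-appearing under an extra extension. The sample files and the `.placeholder` extension in `demo()` are constructed and are not tied to Sphynx.

```python
"""File-integrity baseline and comparison (added example, not from the advisory)."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file so large documents do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file (path relative to root) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: dict, current: dict) -> dict:
    """Classify every path as modified, added or removed since the baseline."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def renamed_pairs(diff: dict) -> list:
    """Pair a removed path with an added path that extends its name
    (report.docx -> report.docx.<ext>), the rename ransomware typically leaves."""
    return [(old, new) for old in diff["removed"]
            for new in diff["added"] if new.startswith(old + ".")]


def looks_like_mass_encryption(diff: dict, threshold: int = 3) -> bool:
    """Heuristic alert: at least `threshold` such rename pairs in one interval."""
    return len(renamed_pairs(diff)) >= threshold


def demo():
    """Build a constructed tree, apply constructed changes, return (diff, alert)."""
    root = Path(tempfile.mkdtemp(prefix="fim_demo_"))
    (root / "notes").mkdir()
    for rel, data in {"a.docx": b"alpha", "b.xlsx": b"beta", "c.pdf": b"gamma",
                      "d.txt": b"delta", "notes/readme.md": b"hello"}.items():
        (root / rel).write_bytes(data)
    before = build_baseline(root)
    # Constructed changes: one benign edit, and four files that vanish and
    # re-appear with an extra extension. The new content is an opaque
    # placeholder; no cipher is involved, this only exercises the comparison.
    (root / "notes/readme.md").write_bytes(b"hello, edited")
    for rel in ("a.docx", "b.xlsx", "c.pdf", "d.txt"):
        (root / rel).unlink()
        (root / (rel + ".placeholder")).write_bytes(b"<opaque placeholder>")
    diff = compare(before, build_baseline(root))
    return diff, looks_like_mass_encryption(diff)


if __name__ == "__main__":
    changes, alert = demo()
    print(changes)
    print("ALERT: mass rename pattern" if alert else "no alert")
```

In production the baseline would be stored off-host (an attacker who can encrypt the share can also rewrite a baseline kept on it) and the comparison scheduled at a short interval, since the value of the alert is in catching the rename burst while it is still in progress.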
Indicators of Compromise (IOCs)
PowerShell Scripts:
Filename: amd - Copy.ps1, MD5 Hash: 861738dd15eb7fb50568f0e39a69e107
Filename: ipscan.ps1, MD5 Hash: 9f60dd752e7692a2f5c758de4eab3e6f
Filename: Run1.ps1, MD5 Hash: 09bc47d7bc5e40d40d9729cec5e39d73
Additional PowerShell Filenames:
[###].ps1, CME.ps1, [#].ps1, Run1.ps1, mim.ps1, [##].ps1, psexec.ps1, Systems.ps1, System.ps1, etc.
Batch Scripts:
Filename: CheckVuln.bat, MD5 Hash: f5ef5142f044b94ac5010fd883c09aa7
Filename: Create-share-RunAsAdmin.bat, MD5 Hash: 84e3b5fe3863d25bb72e25b10760e861
Filename: LPE-Exploit-RunAsUser.bat, MD5 Hash: 9f2309285e8a8471fce7330fcade8619
Filename: RCE-Exploit-RunAsUser.bat, MD5 Hash: 6c6c46bdac6713c94debbd454d34efd9
Filename: est.bat, MD5 Hash: e7ee8ea6fb7530d1d904cdb2d9745899
Filename: runav.bat, MD5 Hash: 815bb1b0c5f0f35f064c55a1b640fca5
Executables and DLLs:
Filename: http_x64.exe, MD5 Hash: 6c2874169fdfb30846fe7ffe34635bdb
Filename: spider.dll, MD5 Hash: 20855475d20d252dda21287264a6d860
Filename: spider_32.dll, MD5 Hash: 82db4c04f5dcda3bfcd75357adf98228
Filename: powershell.dll, MD5 Hash: fcf3a6eeb9f836315954dae03459716d
Filename: rpcdump.exe, MD5 Hash: 91625f7f5d590534949ebe08cc728380
Additional Observed Filenames:
test.exe, xxx.exe, Mim.exe, xxw.exe, crackmapexec.exe, Services.exe, plink.exe, Systems.exe, PsExec64.exe, etc.
BlackCat Ransomware SHA256 Hashes:
731adcf2d7fb61a8335e23dbee2436249e5d5753977ec465754c6b699e9bf161
f837f1cd60e9941aa60f7be50a8f2aaaac380f560db8ee001408f35c1b7a97cb
80dd44226f60ba5403745ba9d18490eb8ca12dbc9be0a317dd2b692ec041da28
C2 IPs:
89.44.9.243
142.234.157.246
45.134.20.66
185.220.102.253
37.120.238.58
152.89.247.207
198.144.121.93
89.163.252.230
45.153.160.140
23.106.223.97
139.60.161.161
146.0.77.15
94.232.41.155
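The indicators above are only useful once they are matched against endpoints and logs. The following is an added example for the Detection section and this IOC list, written for this advisory rather than taken from it or from any vendor tool: the hash, filename and C2 values are copied from the advisory, and the code hashes every file under a directory, checks the digests against the MD5 and SHA-256 sets, flags filenames that match the observed tooling names, and extracts IPv4 addresses from log lines to compare with the C2 list. The sample log lines and sample files in `demo()` are constructed (198.51.100.0/24 is a documentation range, not an indicator).

```python
"""Offline IoC sweep using the indicators in this advisory (added example)."""
import hashlib
import re
import tempfile
from pathlib import Path

# MD5 hashes of the scripts, executables and DLLs listed in the advisory.
MD5_IOCS = {
    "861738dd15eb7fb50568f0e39a69e107", "9f60dd752e7692a2f5c758de4eab3e6f",
    "09bc47d7bc5e40d40d9729cec5e39d73", "f5ef5142f044b94ac5010fd883c09aa7",
    "84e3b5fe3863d25bb72e25b10760e861", "9f2309285e8a8471fce7330fcade8619",
    "6c6c46bdac6713c94debbd454d34efd9", "e7ee8ea6fb7530d1d904cdb2d9745899",
    "815bb1b0c5f0f35f064c55a1b640fca5", "6c2874169fdfb30846fe7ffe34635bdb",
    "20855475d20d252dda21287264a6d860", "82db4c04f5dcda3bfcd75357adf98228",
    "fcf3a6eeb9f836315954dae03459716d", "91625f7f5d590534949ebe08cc728380",
}
# SHA-256 hashes of the BlackCat ransomware samples listed in the advisory.
SHA256_IOCS = {
    "731adcf2d7fb61a8335e23dbee2436249e5d5753977ec465754c6b699e9bf161",
    "f837f1cd60e9941aa60f7be50a8f2aaaac380f560db8ee001408f35c1b7a97cb",
    "80dd44226f60ba5403745ba9d18490eb8ca12dbc9be0a317dd2b692ec041da28",
}
# Observed tooling names, lower-cased for comparison. Some collide with
# legitimate binaries (Services.exe lives in System32), so a name hit is a
# triage lead to be judged by path and hash, not a verdict on its own.
FILENAME_IOCS = {
    "amd - copy.ps1", "ipscan.ps1", "run1.ps1", "cme.ps1", "mim.ps1", "psexec.ps1",
    "systems.ps1", "system.ps1", "checkvuln.bat", "create-share-runasadmin.bat",
    "lpe-exploit-runasuser.bat", "rce-exploit-runasuser.bat", "est.bat", "runav.bat",
    "http_x64.exe", "spider.dll", "spider_32.dll", "powershell.dll", "rpcdump.exe",
    "test.exe", "xxx.exe", "mim.exe", "xxw.exe", "crackmapexec.exe", "services.exe",
    "plink.exe", "systems.exe", "psexec64.exe",
}
# C2 addresses listed in the advisory.
C2_IPS = {
    "89.44.9.243", "142.234.157.246", "45.134.20.66", "185.220.102.253",
    "37.120.238.58", "152.89.247.207", "198.144.121.93", "89.163.252.230",
    "45.153.160.140", "23.106.223.97", "139.60.161.161", "146.0.77.15", "94.232.41.155",
}
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def file_hashes(path: Path) -> tuple:
    """Return (md5, sha256) of a file, read in chunks."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def sweep_files(root: Path) -> list:
    """Every file under root that matches a hash or filename indicator."""
    hits = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        md5, sha = file_hashes(p)
        checks = (("md5", md5 in MD5_IOCS), ("sha256", sha in SHA256_IOCS),
                  ("filename", p.name.lower() in FILENAME_IOCS))
        reasons = [name for name, matched in checks if matched]
        if reasons:
            hits.append({"path": p.relative_to(root).as_posix(), "md5": md5, "reasons": reasons})
    return hits


def sweep_log_lines(lines) -> list:
    """(1-based line number, ip) for every C2 address seen in the lines."""
    return [(n, ip) for n, line in enumerate(lines, start=1)
            for ip in IPV4_RE.findall(line) if ip in C2_IPS]


# Constructed firewall log lines for the demo; not real traffic.
SAMPLE_LOG = [
    "2024-01-01T10:00:01Z fw allow src=10.0.0.15 dst=198.51.100.7 dport=443",
    "2024-01-01T10:00:02Z fw allow src=10.0.0.15 dst=45.134.20.66 dport=443",
    "2024-01-01T10:00:03Z fw allow src=10.0.0.22 dst=198.51.100.9 dport=80",
    "2024-01-01T10:00:04Z fw allow src=10.0.0.15 dst=185.220.102.253 dport=8443",
]


def demo():
    """Constructed tree with one suspicious filename; returns (file_hits, log_hits)."""
    root = Path(tempfile.mkdtemp(prefix="ioc_demo_"))
    (root / "mim.ps1").write_bytes(b"# constructed placeholder, not the real script\n")
    (root / "quarterly.xlsx").write_bytes(b"constructed spreadsheet bytes")
    return sweep_files(root), sweep_log_lines(SAMPLE_LOG)


if __name__ == "__main__":
    print(demo())
```

Point `sweep_files` at a mounted disk image or a user profile and `sweep_log_lines` at exported firewall or proxy logs; a hash hit on one of the SHA-256 values is a confirmed sample, whereas a filename-only hit on a name like `services.exe` needs the path and hash checked before it is escalated.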
References
https://thehackernews.com/2023/06/improved-blackcat-ransomware-strikes.html
www.ic3.gov
www.cisa.gov