EXECUTIVE SUMMARY:

Last month, the ALPHV ransomware operation, known as BlackCat, got off the ground. Experts state that it may be the most sophisticated ransomware of the year. BlackCat’s highly customizable components make it easy to attack a wide range of corporate environments.

The ransomware executable is coded in Rust, an atypical choice of programming language. However, Rust is increasing in popularity on account of its high performance and memory safety.

ALPHV BlackCat victims

Thus far, researchers report a handful of victims emerging from a variety of geographic locales. Investigations have revealed that the ransomware is being promoted on Russian-speaking hacking forums.

The malware acquired its name because of the favicon of a black cat used on every victim’s Tor payment portal.

ALPHV BlackCat operators

As with all Ransomware-as-a-Service operations, the ALPHV BlackCat operators invite affiliates to conduct corporate breaches and to encrypt devices.

In turn, affiliates receive revenue shares that correspond to the size of the victim’s ransomware payment. For ransomware payments totaling $1.5M or less, affiliates earn 80% of the payment. When affiliates haul in ransomware payments between $1.5M and $3M, the affiliates receive 85%. Affiliates receive as much as 90% of the total payment when bringing in more than $3M.

To illustrate just how much affiliates can earn via Ransomware-as-a-Service operations: in early 2021, a major financial firm paid a $40 million ransom to the hacking group known as Evil Corp. Under the revenue model described above, affiliates would earn $36 million of such a payment.

Features of ALPHV BlackCat ransomware

The ALPHV BlackCat ransomware comes with an array of features. This contributes to the hype around the ransomware.

In terms of the technicalities, the ransomware is entirely command-line driven, human operated and highly configurable. ALPHV BlackCat ransomware can use different encryption routines, spread between computers, terminate virtual machines (including ESXi VMs), and automatically wipe ESXi snapshots to prevent recovery.
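The snapshot-wiping behaviour above is one of the few actions in the description that leaves a clear host-side trace, so a defender can look for it. The following is an added detection example; it is not code from this article or from any vendor. It assumes the command history format of an ESXi host's /var/log/shell.log (timestamp, process, user, command) and that snapshot removal shows up there as the standard `vim-cmd vmsvc/snapshot.removeall <vmid>` invocation; the log lines are constructed for the example. The idea is to separate a routine single-VM snapshot cleanup from a burst of removals across several VMs within minutes, which is the recovery-prevention pattern described here.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the shape of ESXi /var/log/shell.log entries.
# They are not taken from any real incident.
SAMPLE_LOG = """\
2021-12-01T02:10:03Z shell[2048]: [root]: esxcli storage filesystem list
2021-12-01T02:10:41Z shell[2048]: [root]: vim-cmd vmsvc/getallvms
2021-12-01T02:10:52Z shell[2048]: [root]: vim-cmd vmsvc/snapshot.removeall 12
2021-12-01T02:10:53Z shell[2048]: [root]: vim-cmd vmsvc/snapshot.removeall 13
2021-12-01T02:10:55Z shell[2048]: [root]: vim-cmd vmsvc/snapshot.removeall 14
2021-12-01T02:11:02Z shell[2048]: [root]: vim-cmd vmsvc/power.off 12
2021-12-02T09:30:00Z shell[3100]: [root]: vim-cmd vmsvc/snapshot.removeall 7
"""

# Assumed line layout: "<ISO timestamp> shell[<pid>]: [<user>]: <command>"
LINE_RE = re.compile(r"^(?P<ts>\S+) shell\[\d+\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$")
# Assumed snapshot-removal command (standard ESXi vim-cmd invocation).
SNAPSHOT_WIPE_RE = re.compile(r"vim-cmd\s+vmsvc/snapshot\.removeall\s+(?P<vmid>\d+)")


def parse_shell_log(text):
    """Return a list of (timestamp, user, command) tuples; skips lines
    that do not match the expected layout instead of failing on them."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group("user"), m.group("cmd")))
    return events


def find_snapshot_wipe_bursts(events, window=timedelta(minutes=5), threshold=3):
    """Group snapshot-removal commands into clusters whose members all fall
    within `window` of the cluster's first command, and report clusters
    touching at least `threshold` commands as (start, end, sorted vm ids).
    A lone removal on one VM is treated as routine and not reported."""
    wipes = []
    for ts, user, cmd in events:
        m = SNAPSHOT_WIPE_RE.search(cmd)
        if m:
            wipes.append((ts, user, int(m.group("vmid"))))
    wipes.sort()

    clusters = []
    for w in wipes:
        if clusters and w[0] - clusters[-1][0][0] <= window:
            clusters[-1].append(w)
        else:
            clusters.append([w])

    return [
        (c[0][0], c[-1][0], sorted({x[2] for x in c}))
        for c in clusters
        if len(c) >= threshold
    ]


if __name__ == "__main__":
    for start, end, vmids in find_snapshot_wipe_bursts(parse_shell_log(SAMPLE_LOG)):
        print(f"ALERT: {len(vmids)} VMs had snapshots removed between "
              f"{start.isoformat()} and {end.isoformat()}: {vmids}")
```

Run against the sample, the three removals on 1 December within four seconds produce one alert covering VMs 12, 13 and 14; the single removal on 2 December does not. Tuning the window and threshold to the environment's normal change cadence is what keeps this useful rather than noisy, and the same clustering approach applies to other bulk recovery-prevention actions once their log signature is known.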

Every ALPHV ransomware executable carries a JSON configuration, which permits customization of extensions, ransom notes, and more. The threat actor states that the ransomware may be configured to use four different encryption models.

The software appears to have been coded from scratch, without the use of templates or previously leaked source code belonging to other ransomware.

Expensive ransom payments

Since November, multiple victims of the ALPHV BlackCat ransomware have emerged. Victims hail from the USA, Australia, and India.

Associated ransom demands have ranged from $400,000 to $3 million. Hackers want the money in Bitcoin or Monero. However, victims electing to pay in Bitcoin see an additional 15% fee tacked on to the ransom.

In contrast with other ransomware gangs, the ALPHV ransomware operators do not threaten to wipe or publish data should a private group wish to work with a ransomware negotiation firm. Rather, they leverage their own ransomware “Intermediary” to complete corporate negotiations.

ALPHV operators are also known for using a triple-extortion tactic. This involves stealing data prior to encrypting digital devices and threatening to leak the data if the ransom demands are not met. ALPHV also threatens to launch DDoS attacks on victims until payment is rendered.

ALPHV BlackCat’s power

As the BlackMatter and REvil ransomware operators fade into the past, due to pressure from law enforcement, ALPHV may attempt to steal the stage.

Lastly, to learn more about pressing issues in the cyber world, please join us at the premiere cyber security event of the year – CPX 360 2022. Register here.