EXECUTIVE SUMMARY:

The BlackCat ransomware, also known as ALPHV, emerged in November of last year. By December, the BlackCat operators had struck at least 10 different organizations, and that number has since doubled. While the number of victims sounds small, the attacks have proved intense and difficult to detect. Moreover, a large number of victims may have paid ransoms to BlackCat hackers in order to hide incidents and avoid public exposure.

Who’s been hit?

The majority of the victims thus far are US-based (41%), while the remainder are scattered across Europe, the Philippines and elsewhere. BlackCat has been observed targeting both Windows and Linux systems.

Why BlackCat matters

The BlackCat ransomware operators have quickly become one of the top-tier ransomware groups in existence. For example, the global cyber security and risk mitigation organization known as NCC Group considers BlackCat to be a candidate for the “most advanced ransomware it has ever identified.”

About the adversaries

The operators behind the BlackCat ransomware offer their affiliates between 80% and 90% of ransom payments made by victims. In other words, the scheme is lucrative for affiliates. In addition, the BlackCat operators have solicited affiliates by posting ads on forums, like the Ransomware Anonymous Market Place (RAMP). An uptick in affiliate interest is expected to result in a barrage of new ransomware infections.

Technical details

Cyber security researchers report that the BlackCat authors wrote the program in the Rust programming language. Rust is still fairly uncommon as a malware language, but it may experience a resurgence among code writers. The language is highly customizable, which means that ransomware operators can turn on a dime and individualize attacks, and security researchers may be less practiced at identifying coding weaknesses in Rust code.

Sophisticated features

But what really separates BlackCat from similar ransomware families is its use of a private access-key token. Most ransomware groups include a direct link, with the keys embedded in the samples, which makes it relatively easy to investigate ransomware events. BlackCat ransomware samples do not include such keys; instead, the operator must supply the key at run time before external entities can identify victims. In short, the craftsmanship of the ransomware itself makes it difficult for experts to distinguish and detect.

Rust, BlackCat and REvil

Some researchers contend that the ALPHV/BlackCat author may have previously worked with the infamous REvil ransomware cartel. A confidential source who occasionally fields questions on a cyber crime forum explained that the coder behind BlackCat is known by the handle “Binrs.” The handle has been spotted on several Russian-language websites. On one such site, Binrs is described as someone with six years of coding experience.

In conclusion

Previously, LockBit, Conti and Pysa were the top ransomware operators in the space, but trends show that BlackCat could overtake them in popularity among hackers and in worldwide distribution.

To ensure that your organization has adequate security in place and an advanced incident response plan, take action now. Learn more about ALPHV BlackCat ransomware through CyberTalk.org’s past coverage. For more information about network security, click here.