{
	"id": "53728b8a-a7b1-4373-8ca3-636acc8c1243",
	"created_at": "2026-04-06T00:21:01.442071Z",
	"updated_at": "2026-04-10T13:12:39.354338Z",
	"deleted_at": null,
	"sha1_hash": "10ab57ac5bb17f73d29bf6aba739d80397a78a00",
	"title": "A Bad Luck BlackCat",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 501505,
	"plain_text": "A Bad Luck BlackCat\r\nBy GReAT\r\nPublished: 2022-04-07 · Archived: 2026-04-05 12:38:44 UTC\r\nIn early December 2021, a new ransomware actor started advertising its services on a Russian underground forum.\r\nThey presented themselves as ALPHV, a new generation Ransomware-as-a-Service (RaaS) group. Shortly\r\nafterwards, they dialed up their activity, infecting numerous corporate victims around the world. The group is also\r\nknown as BlackCat.\r\nOne of the biggest differences from other ransomware actors is that BlackCat malware is written in Rust, which is\r\nunusual for malware developers. Their infrastructure websites are also developed differently from other\r\nransomware groups. Due to Rust’s advanced cross-compilation capabilities, both Windows and Linux samples\r\nappear in the wild. In other words, BlackCat has introduced incremental advances and a shift in technologies to\r\naddress the challenges of ransomware development.\r\nThe actor portrays itself as a successor to notorious ransomware groups like BlackMatter and REvil. The\r\ncybercriminals claim they have addressed all the mistakes and problems in ransomware development and created\r\nthe perfect product in terms of coding and infrastructure. However, some researchers see the group not only as the\r\nsuccessors to the BlackMatter and REvil groups, but as a complete rebranding. Our telemetry suggests that at least\r\nsome members of the new BlackCat group have links to the BlackMatter group, because they modified and reused\r\na custom exfiltration tool we call Fendr and which has only been observed in BlackMatter activity.\r\nThis use of a modified Fendr, also known as ExMatter, represents a new data point connecting BlackCat with past\r\nBlackMatter activity. The group attempted to deploy the malware extensively within organizations in December\r\n2021 and January 2022. 
BlackMatter prioritized collection of sensitive information with Fendr to successfully\r\nsupport their scheme of double coercion. In addition, the modification of this reused tool demonstrates a more\r\nsophisticated planning and development regimen for adapting requirements to target environments, characteristic\r\nof a maturing criminal enterprise.\r\nTwo incidents of special interest\r\nTwo recent BlackCat incidents stand out as particularly interesting. One demonstrates the risk presented by shared\r\ncloud hosting resources, and the other demonstrates an agile approach to customized malware re-use across\r\nBlackMatter and BlackCat activity.\r\nIn the first case, it appears the ransomware group penetrated a vulnerable ERP provider in the Middle East hosting\r\nmultiple sites. The attackers delivered two different executables simultaneously to the same physical server,\r\ntargeting two different organizations virtually hosted there. The initial access was mistaken by the attackers for\r\ntwo different physical systems and drives to infect and encrypt. The kill chain was triggered prior to the “pre-encryption” activity, but the real point of interest here lies in the shared vulnerabilities and the demonstrable risk\r\nof shared assets across cloud resources. At the same time, the group also delivered a Mimikatz batch file along\r\nhttps://securelist.com/a-bad-luck-blackcat/106254/\r\nPage 1 of 8\n\nwith executables and Nirsoft network password recovery utilities. In a similar incident dating back to 2019, REvil,\r\na predecessor of BlackMatter, appears to have penetrated a cloud service supporting a large number of dental\r\noffices in the US. Perhaps this same affiliate has reverted to some old tactics.\r\nThe second case involves an oil, gas, mining and construction company in South America. This related incident\r\nfurther connects BlackMatter ransomware activity with BlackCat. 
Not only did the affiliate behind this\r\nransomware incident attempt to deliver BlackCat ransomware within the target network, but approximately 1\r\nhour 40 minutes before its delivery they installed a modified custom exfiltration utility that we call Fendr. Also\r\nknown as ExMatter, this utility had previously been used exclusively in BlackMatter ransomware activity.\r\nHere, we can see that the BlackCat group increased the number of file extensions for automatic collection and\r\nexfiltration by the tool:\r\nFendr file extensions (17146b91dfe7f3760107f8bc35f4fd71)\r\n.doc .docx .xls .xlsx .xlsm .pdf\r\n.msg .ppt .pptx .sda .sdm .sdw\r\n.zip .json .config .ts .cs .sqlite\r\n.aspx .pst .rdp .accdb .catpart .catproduct\r\n.catdrawing .3ds .dwt .dxf .csv\r\nThese additional file extensions are used in industrial design applications, like CAD drawings and some databases,\r\nas well as RDP configuration settings, making the tool more customized towards the industrial environments that\r\nwe see being targeted by this group. And, if we believe the PE header timestamp, the group compiled this Fendr\r\nmodification just a few hours before its initial use. One of the organizations targeted with the Fendr exfiltration\r\ntool has branches all over the world, resulting in a surprising mix of locations. Not all of the systems received a\r\nransomware executable.\r\nTechnical details\r\nMD5 B6B9D449C9416ABF96D21B356A41A28E\r\nSHA1 38fa2979382615bbee32d1f58295447c33ca4316\r\nSHA256 be8c5d07ab6e39db28c40db20a32f47a97b7ec9f26c9003f9101a154a5a98486\r\nCompiler Rust\r\nFilesize 2.94 MB\r\nThe analyzed BlackCat ransomware file “\u003cxxx\u003e_alpha_x86_32_windows_encrypt_app.exe” is a 32-bit Windows\r\nexecutable file that was coded in Rust. The resulting Rust compiled binaries use the Rust standard library with a\r\nlot of safety checks, memory allocations, string processing, and other operations. 
They also include various\r\nexternal crates with libraries for required functionality, like Base64, AES encryption, etc. This particular language,\r\nand its compilation overhead, makes disassembly analysis more complicated. However, with the proper approach\r\nand Rust STD function signatures applied in IDA (or your disassembler of choice, for example Ghidra), it’s\r\npossible to understand the full malware capabilities with static analysis. Additional Rust library usage can be\r\nobtained from strings in clear form as no obfuscation whatsoever is used by the malware:\r\nExternal cargo is used in malware\r\nRust is a cross-compilation language, so a number of BlackCat Linux samples quickly appeared in the wild\r\nshortly after their Windows counterparts.\r\nThis BlackCat sample is a command line application. After execution, it checks the command line arguments\r\nprovided:\r\nCommand line arguments for malware\r\nBlackCat is an affiliate actor. This means it provides infrastructure, malware samples, ransom negotiations, and\r\nprobably cash-out. Anyone who already has access to compromised environments can use BlackCat’s samples to\r\ninfect a target. And a little help with ransomware execution is likely to come in handy.\r\nThe command line arguments are pretty self-explanatory. Some are related to VMs, such as wiping or not wiping\r\nVM snapshots or stopping VM on ESXi. 
Also, it’s possible to select specific file folders to process or execute\r\nmalware as a child process.\r\nShortly after execution, the malware gets the “MachineGuid” from the corresponding Windows registry key:\r\nObtaining machine GUID\r\nThis GUID will be used later in the encryption key generation process.\r\nThe malware then gets a unique machine identifier (UUID) using a WMIC query executed as a separate command\r\nby creating a new cmd.exe process:\r\nObtaining UUID\r\nThis UUID is used together with the “--access-token” command-line argument to generate a unique\r\nACCESS_KEY for victim identification.\r\nBlackCat ransomware uses Windows named pipes for inter-process communication. For example, data returned\r\nby the cmd.exe process will be written into named pipes and later processed by malware:\r\nPipe creation\r\nThe names of the pipes are not unique and are hard-coded into malicious samples.\r\nThe malware checks which version of the Windows operating system it’s being executed under. That is done using\r\nthe fairly standard technique of getting this information from the Process Environment Block structure:\r\nObtaining OS version\r\nThe operating system version is required to implement a proper Privilege Escalation technique such as:\r\nSimple process token impersonation\r\nCOM elevation moniker UAC Bypass\r\nCOM object initialization\r\nThe malware uses a previously known technique, used by LockBit ransomware, for example, to exploit an\r\nundocumented COM object (3E5FC7F9-9A51-4367-9063-A120244FBEC7). It is vulnerable to the CMSTPLUA\r\nUAC bypass.\r\nUsing “cmd.exe”, the malware executes a special command:\r\nfsutil behavior set SymlinkEvaluation R2L:1\r\nThis command adjusts the behavior of the Windows file system symlinks. 
It allows the malware to follow\r\nshortcuts with remote paths.\r\nAnother command executed as part of pre-encryption is:\r\nvssadmin.exe delete shadows /all /quiet\r\nThis is almost standard for any ransomware and deletes all Windows shadow copy backups. Then the malware\r\ngets a list of services to be killed, as well as files and folders to be excluded from the encryption process, kills\r\nprocesses and starts encryption using separate working threads:\r\nEmbedded process list to kill\r\nThis particular sample was observed to be run with “--access-token xxx --no-prop-servers \\\\xxx --propagated”\r\ncommand line parameters. In addition to the activity detailed above, the malware will attempt to propagate, but\r\nwill not re-infect the server that it is attempting to run on. It will perform a hard stop on any IIS services hosted on\r\nthe system with “iisreset.exe /stop”, check the local area network for immediately reachable systems with “arp -a”,\r\nand increase the upper limit on the number of concurrent commands that can be outstanding between a client and\r\na server by increasing the MaxMpxCt to the maximum allowed with:\r\ncmd /c reg add\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters /v\r\nMaxMpxCt /d 65535 /t REG_DWORD /f\r\nAlso, it is notable that the group uses a compressed version of PsExec to spread laterally within an organization,\r\nas was observed with the remote execution of this sample.\r\nThe malware appends an extension to the encrypted files, but the exact extension varies from sample to sample.\r\nThe extension can be found hard-coded in the malware’s JSON formatted configuration file.\r\nFor encryption, the malware uses the standard “BCryptGenRandom” Windows API function to generate\r\nencryption keys. AES or CHACHA20 algorithms are used for file encryption. 
The global public key that is used to\r\nencrypt local keys is extracted from the configuration file.\r\nMost of these executables maintain a hard-coded set of username/password combinations that were stolen earlier\r\nfrom the victim organization for use during propagation and privilege escalation. There often appears to be almost\r\nhalf a dozen accounts, and a combination of domain administrative and service level credentials. This means the\r\nindividual executable is compiled specifically for the target organization, containing sensitive information about\r\nthe organization.\r\nAfter the encryption process, the malware drops a ransomware note with details on how to contact the BlackCat\r\nransomware operators.\r\nConclusion\r\nAfter the REvil and BlackMatter groups shut down their operations, it was only a matter of time before another\r\nransomware group took over the niche. Knowledge of malware development, a new written-from-scratch sample\r\nin an unusual programming language, and experience in maintaining infrastructure is turning the BlackCat group\r\ninto a major player on the ransomware market.\r\nHere we present a new data point connecting BlackCat with past BlackMatter activity – the reuse of the\r\nexfiltration malware Fendr. The group modified the malware for a new set of victims collected from data stores\r\ncommonly seen in industrial network environments. BlackCat attempted to deploy the malware extensively within\r\nat least two organizations in December 2021 and January 2022. In the past, BlackMatter prioritized collection of\r\nsensitive information with Fendr to successfully support their double coercion scheme, just as BlackCat is now\r\ndoing, and it demonstrates a practical but brazen example of malware re-use to execute their multi-layered\r\nblackmail. 
The modification of this reused tool demonstrates a more sophisticated planning and development\r\nregimen for adapting requirements to target environments, characteristic of a more effective and experienced\r\ncriminal program.\r\nSource: https://securelist.com/a-bad-luck-blackcat/106254/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/a-bad-luck-blackcat/106254/"
	],
	"report_names": [
		"106254"
	],
	"threat_actors": [
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434861,
	"ts_updated_at": 1775826759,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/10ab57ac5bb17f73d29bf6aba739d80397a78a00.pdf",
		"text": "https://archive.orkl.eu/10ab57ac5bb17f73d29bf6aba739d80397a78a00.txt",
		"img": "https://archive.orkl.eu/10ab57ac5bb17f73d29bf6aba739d80397a78a00.jpg"
	}
}