# A Deep Dive Into ALPHV/BlackCat Ransomware **[securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware](https://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware)** Skip to main content [Support](https://support.securityscorecard.com/hc/en-us) [Login](https://platform.securityscorecard.io/#/start) [Contact](https://securityscorecard.com/company/contact-us) [Blog](https://securityscorecard.com/blog) [Languages](https://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware) [English](https://securityscorecard.com/) [Français](https://securityscorecard.com/fr) [日本語](https://securityscorecard.com/jp) [Request a Demo](https://securityscorecard.com/request-a-demo) Interested in reading the report later? Download it. [Download Now](https://securityscorecard.pathfactory.com/cybersecurity/blackcatransomware_w) **Prepared by: Vlad Pasca, Senior Malware & Threat Analyst** ## Executive summary ALPHV/BlackCat is the first widely known ransomware written in Rust. The malware must run with an access token consisting of a 32-byte value (--access-token parameter), and other parameters can be specified. The ransomware comes with an encrypted configuration that ----- contains a list of services/processes to be stopped, a list of whitelisted directories/files/file extensions, and a list of stolen credentials from the victim environment. It deletes all Volume Shadow Copies, performs privilege escalation using the CMSTPLUA COM interface, and enables “remote to local” and “remote to remote” symbolic links on the victim’s machine. The files are encrypted using the AES algorithm, with the AES key being encrypted using the RSA public key contained in the configuration. The extension of the encrypted files is changed to uhwuvzu by the malware. ## Analysis and findings SHA256: 847fb7609f53ed334d5affbb07256c21cb5e6f68b1cc14004f5502d714d2a456 The malware can run with one of the following parameters: **Figure 1** Whether the ransomware is running with no parameters or with an invalid access token, an error message is displayed: **Figure 2** By performing the dynamic analysis, we’ve found that the access token must be a 32-byte value that is not unique. The binary registers a new top-level exception handler via a function call to SetUnhandledExceptionFilter: ----- **Figure 3** The AddVectoredExceptionHandler API is utilized to register a vectored exception handler: **Figure 4** The executable retrieves the command-line string for the process using the GetCommandLineW function: **Figure 5** BlackCat opens the "SOFTWARE\Microsoft\Cryptography" registry key by calling the RegOpenKeyExW routine (0x80000002 = HKEY_LOCAL_MACHINE, 0x20019 = **KEY_READ):** **Figure 6** The binary extracts the MachineGUID value from the registry: **Figure 7** The malicious process searches for cmd.exe in the current directory and then in the System32 directory via a function call to CreateFileW (0x7 = FILE_SHARE_DELETE | **FILE_SHARE_WRITE | FILE_SHARE_READ, 0x3 = OPEN_EXISTING, 0x2000000 =** **FILE_FLAG_BACKUP_SEMANTICS):** ----- **Figure 8** The executable generates 16 random bytes by calling the BCryptGenRandom API (0x2 = **BCRYPT_USE_SYSTEM_PREFERRED_RNG):** **Figure 9** A named pipe whose name contains the current process ID and random bytes generated above is created using CreateNamedPipeW (0x40080001 = FILE_FLAG_OVERLAPPED | **FILE_FLAG_FIRST_PIPE_INSTANCE | PIPE_ACCESS_INBOUND, 0x8 =** **PIPE_REJECT_REMOTE_CLIENTS):** **Figure 10** The process opens the named pipe for writing using the CreateFileW routine (0x40000000 = **GENERIC_WRITE, 0x3 = OPEN_EXISTING):** **Figure 11** ----- The ransomware creates a read and a write named pipe, respectively. The wmic process is used to extract the UUID (0x08000400 = CREATE_NO_WINDOW | **CREATE_UNICODE_ENVIRONMENT):** **Figure 12** The CreateEventW API is utilized to create two unnamed event objects: **Figure 13** The binary waits until the event objects are in the signaled state by calling WaitForMultipleObjects: **Figure 14** The output of the above process is read from the named pipe using the ReadFile routine: **Figure 15** The malware creates multiple threads by calling the CreateThread function (0x00010000 = **STACK_SIZE_PARAM_IS_A_RESERVATION):** ----- **Figure 16** The content of the ransom note and the text that will appear on the Desktop Wallpaper are decrypted by the ransomware: **Figure 17** **Figure 18** The malicious binary obtains information about the current system via a function call to GetSystemInfo: **Figure 19** There is a call to SHTestTokenMembership that verifies whether the user token is a member of the Administrators group in the built-in domain (0x220 = DOMAIN_ALIAS_RID_ADMINS): **Figure 20** The process opens the access token associated with the current process (0x80000000 = **GENERIC_READ):** ----- **Figure 21** BlackCat extracts a TOKEN_GROUPS structure containing the group accounts associated with the above token using the NtQueryInformationToken function (0x2 = TokenGroups): **Figure 22** The OpenProcess API is utilized to open a local process object (0x438 = **PROCESS_QUERY_INFORMATION | PROCESS_VM_WRITE | PROCESS_VM_READ |** **PROCESS_VM_OPERATION):** **Figure 23** The malicious binary retrieves a pointer to a PEB structure using the ZwQueryInformationProcess routine (0x0 = ProcessBasicInformation): **Figure 24** The executable retrieves a pointer to a PEB_LDR_DATA structure containing information about the loaded modules in the process and then to the head of a doubly linked list that contains the loaded modules: **Figure 25** ----- **Figure 26** The path of the image file for the current process is retrieved using ReadProcessMemory: **Figure 27** ## Privilege escalation via UAC bypass using CMSTPLUA COM interface The ransomware initializes the COM library for use by the current thread via a call to CoInitializeEx (0x2 = COINIT_APARTMENTTHREADED): **Figure 28** BlackCat ransomware uses the auto-elevated CMSTPLUA interface {3E5FC7F9-9A51-4367**9063-A120244FBEC7} in order to escalate privileges:** **Figure 29** The initial executable is spawned with administrative privileges: ----- **Figure 30** The LookupPrivilegeValueW routine is utilized to retrieve the locally unique identifier that represents the following privileges: SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemProfilePrivilege SeSystemtimePrivilege SeProfileSingleProcessPrivilege SeIncreaseBasePriorityPrivilege SeCreatePagefilePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeChangeNotifyPrivilege SeRemoteShutdownPrivilege SeUndockPrivilege SeManageVolumePrivilege SeImpersonatePrivilege SeCreateGlobalPrivilege SeIncreaseWorkingSetPrivilege SeTimeZonePrivilege SeCreateSymbolicLinkPrivilege SeDelegateSessionUserImpersonatePrivilege **Figure 31** All the above privileges are enabled in the access token using AdjustTokenPrivileges: **Figure 32** The binary creates the following processes that enable “remote to local” and “remote to remote” symbolic links on the local machine: ----- **Figure 33** **Figure 34** The malware tries to stop the Internet Information service (IIS) using IISReset.exe: **Figure 35** The ransomware deletes all volume shadow copies using the vssadmin.exe utility: ----- **Figure 36** There is also a second process that is responsible for deleting all volume shadow copies with wmic: **Figure 37** Interestingly, the malware runs the following command that is incomplete and returns an error: **Figure 38** **Figure 39** The binary disables Automatic Repair using the bcdedit tool: ----- **Figure 40** The ransomware tries to clear all event logs, however, the command is incorrect and returns an error, as highlighted below: **Figure 41** **Figure 42** ## Killing targeted services The binary opens the service control manager database via a function call to OpenSCManagerW (0xF003F = SC_MANAGER_ALL_ACCESS): **Figure 43** The process obtains a list of active services using EnumServicesStatusExW (0x30 = **SERVICE_WIN32, 0x1 = SERVICE_ACTIVE):** ----- **Figure 44** The malware targets the list of services from the kill_services element in the BlackCat configuration. A targeted service is opened by calling the OpenServiceW routine (0x2c = SERVICE_STOP | **SERVICE_ENUMERATE_DEPENDENTS | SERVICE_QUERY_STATUS):** **Figure 45** EnumDependentServicesW is utilized to retrieve the active services that depend on the targeted service (0x1 = SERVICE_ACTIVE): **Figure 46** BlackCat stops the targeted service using the ControlService function (0x1 = **SERVICE_CONTROL_STOP):** **Figure 47** ## Killing targeted processes The executable takes a snapshot of all processes and threads in the system (0xF = **TH32CS SNAPALL):** ----- **Figure 48** The processes are enumerated using the Process32FirstW and Process32NextW APIs: **Figure 49** **Figure 50** The malware targets the list of processes from the kill_processes element in the BlackCat configuration. It opens a targeted process using OpenProcess (0x1 = PROCESS_TERMINATE): **Figure 51** The ransomware terminates the targeted process by calling the TerminateProcess API: **Figure 52** The binary spawns multiple child processes by adding the “--child” parameter to the command line (see figure 53). The new processes run in the security context of credentials that were specified in the credentials entry from the BlackCat configuration. ----- **Figure 53** The number of network requests the Server Service can make is set to the maximum by modifying “HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\MaxMpxCt” Registry value: **Figure 54** The malicious process obtains the ARP table using the arp command, as shown below: **Figure 55** ----- The net use command is utilized to connect to the local computer using different credentials stored in the BlackCat configuration: **Figure 56** The malware retrieves the currently available disk drives by calling the GetLogicalDrives routine: **Figure 57** The GetDriveTypeW API is utilized to obtain the drive type: **Figure 58** The ransomware starts scanning the volumes on the local machine using FindFirstVolumeW: **Figure 59** The list of drive letters and mounted folder paths for the above volume is extracted by the malware: **Figure 60** ----- The volume s enumeration continues by calling the FindNextVolumeW function: **Figure 61** All unmounted volumes are mounted via a function call to SetVolumeMountPointW: **Figure 62** BlackCat traverses the file system using the FindFirstFileW and FindNextFileW APIs: **Figure 63** **Figure 64** The BlackCat configuration is stored in JSON form and is decrypted at runtime. It contains: the extension appended to the encrypted files RSA public key that is used to encrypt the AES encryption key ransom note name and content stolen credentials specific to the victim’s environment encryption cipher: AES list of services and processes to be killed list of folders, files, and extensions to be skipped boolean values that indicate network discovery, lateral movement, setting the Desktop Wallpaper, killing VMware ESXi virtual machines, removing VMware ESXi virtual machine snapshots, excluding VMware ESXi virtual machines from termination ----- **Figure 65** ## Files encryption The CreateFileW API is used to open a targeted file (0xC0000000 = GENERIC_READ | **GENERIC_WRITE, 0x7 = FILE_SHARE_DELETE | FILE_SHARE_WRITE |** **FILE_SHARE_READ, 0x3 = OPEN_EXISTING):** **Figure 66** The ransom note is created in every traversed directory (0x40000000 = GENERIC_WRITE, 0x7 = FILE_SHARE_DELETE | FILE_SHARE_WRITE | FILE_SHARE_READ, 0x2 = **CREATE_ALWAYS):** **Figure 67** The ransom note is populated using the WriteFile routine: ----- **Figure 68** **Figure 69** The file’s extension is changed using the MoveFileExW function. The renamed file is opened using CreateFileW (0x7 = FILE_SHARE_DELETE | FILE_SHARE_WRITE | **FILE_SHARE_READ, 0x3 = OPEN_EXISTING, 0x02000000 =** **FILE_FLAG_BACKUP_SEMANTICS):** **Figure 70** Interestingly, BlackCat creates intermediary files called “checkpoints-” during the encryption process: **Figure 71** ----- The malware generates 16 random bytes that will be used to derive the AES key: **Figure 72** The ransomware moves the file pointer to the beginning of the file by calling the SetFilePointerEx API (0x0 = FILE_BEGIN): **Figure 73** The process reads 4 bytes from the beginning of the file using ReadFile: **Figure 74** A JSON form containing the encryption cipher (AES), the AES key used to encrypt the file, the data, and the chunk size, is constructed in the process memory: **Figure 75** The binary generates 0x50 (80) random bytes that are used to border the JSON form. The resulting buffer has a size of 256 bytes and is rotated using instructions such as pshuflw: **Figure 76** ----- **Figure 77** A 4-byte border "19 47 B2 CE" that separates the encrypted file content from the encrypted AES key is written to the file: **Figure 78** The buffer that contains the AES key presented in figure 77 is encrypted with the RSA public key from the BlackCat configuration. The result is written to the file using WriteFile: **Figure 79** The size of encrypted key (0x100) is written to the file: **Figure 80** The file content is read by using the ReadFile function: ----- **Figure 81** The file content is encrypted using the AES-128 algorithm. The malware uses the aesenc and aesenclast instructions for this purpose: **Figure 82** **Figure 83** The encrypted file content is written back to the file using WriteFile: **Figure 84** An example of an encrypted file is displayed below: ----- **Figure 85** The ransomware creates a PNG image called “RECOVER-uhwuvzu-FILES.txt.png”: **Figure 86** **Figure 87** ----- The Desktop wallpaper is changed to the above image by calling the SystemParametersInfoW API (0x14 = SPI_SETDESKWALLPAPER, 0x3 = **SPIF_UPDATEINIFILE | SPIF_SENDCHANGE):** **Figure 88** ## Running with the --verbose parameter The ransomware writes multiple actions to the command line output: **Figure 89** ## Running with the --extra-verbose --ui parameters The malware presents the relevant information in the following window: **Figure 90** ## Indicators of Compromise **Pipe** \\.\pipe\__rust_anonymous_pipe1__.. **BlackCat Ransom Note** RECOVER-uhwuvzu-FILES.txt ----- **Files created** checkpoints-.uhwuvzu RECOVER-uhwuvzu-FILES.txt.png **Processes spawned** cmd.exe /c "wmic csproduct get UUID" cmd.exe /c "fsutil behavior set SymlinkEvaluation R2L:1” cmd.exe /c “fsutil behavior set SymlinkEvaluation R2R:1” cmd.exe /c “iisreset.exe /stop” cmd.exe /c “vssadmin.exe Delete Shadows /all /quiet” cmd.exe /c “wmic.exe Shadowcopy Delete” cmd.exe /c “bcdedit /set {default}” cmd.exe /c “bcdedit /set {default} recoveryenabled No” cmd.exe /c for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl %1 cmd.exe /c “reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f” cmd.exe /c “arp -a” ALPHV/BlackCat is the first widely known ransomware written in Rust. The malware must run with an access token consisting of a 32-byte value (--access-token parameter), and other parameters can be specified. The ransomware comes with an encrypted configuration that contains a list of services/processes to be stopped, a list of whitelisted directories/files/file extensions, and a list of stolen credentials from the victim environment. It deletes all Volume Shadow Copies, performs privilege escalation using the CMSTPLUA COM interface, and enables “remote to local” and “remote to remote” symbolic links on the victim’s machine. The files are encrypted using the AES algorithm, with the AES key being encrypted using the RSA public key contained in the configuration. The extension of the encrypted files is changed to uhwuvzu by the malware. ----- [Download Now](https://securityscorecard.pathfactory.com/cybersecurity/blackcatransomware_w) Join us in making the world a safer place. [Free Account Sign Up](https://securityscorecard.com/free-account) -----