# Cybereason vs. BlackCat Ransomware **cybereason.com/blog/cybereason-vs.-blackcat-ransomware** Written By Cybereason Nocturnus March 1, 2022 | 7 minute read ----- Since its first emergence in November 2021, the Cybereason Nocturnus team has been tracking [the BlackCat Ransomware (aka ALPHV), which has been called “2021’s most sophisticated](https://www.bleepingcomputer.com/news/security/alphv-blackcat-this-years-most-sophisticated-ransomware/) ransomware”. BlackCat ransomware gained notoriety quickly leaving a trail of destruction behind it, among its recent victims are German [oil companies, an](https://www.zdnet.com/article/blackcat-ransomware-implicated-in-attack-on-german-oil-companies/) [Italian luxury fashion brand and a](https://www.secureblink.com/cyber-security-news/moncler-group-becomes-the-first-victim-of-alphv-(blackcat)-raas-following-the-data-leak) Swiss Aviation company. _The Cybereason XDR Platform Detects and Blocks BlackCat Ransomware_ Since its recent emergence, BlackCat has attacked various industries, including telecommunication, commercial services, insurance, retail, machinery, pharmaceuticals, transportation, and construction industries. Among the affected regions are Germany, France, Spain, the Philippines, and the Netherlands, with the most victims being located in the US. The ransomware was given the name “BlackCat” due to the favicon of a black cat being used on every victim's Tor payment site. The operators of BlackCat have been using the names “alphv” and “ransom” in Cybercrime forums (ramp_v2, exploit.in) in order to recruit affiliates. The operators of the ransomware appear to be from Russian speaking regions. Like many others, BlackCat uses a RaaS model (Ransomware-as-a-service). Affiliates of BlackCat are offered between 80-90% of the ransom payment, and once approved, are given access to a control panel that manages access: _Leaked document from BlackCat Leaks website_ [One of the unique elements of the BlackCat ransomware is that it is written in Rust, which is not a](https://www.rust-lang.org/) common coding language for malware and ransomware. “Rust is a multi-paradigm, general_purpose programming language designed for performance and safety.”_ Because of Rust’s emphasis on performance, the process of encryption is very fast, and in addition, Rust is cross-platform, which makes it easier to create variants for both Windows and Linux. ----- [The operators of BlackCat confirmed that they are affiliates of](https://www.bleepingcomputer.com/news/security/blackcat-alphv-ransomware-linked-to-blackmatter-darkside-gangs/) [DarkSide/BlackMatter ransomware](https://www.cybereason.com/blog/cybereason-vs-darkside-ransomware) [gang. They claim to be apolitical in regards to geopolitical relations and to refrain from attacking](https://therecord.media/an-alphv-blackcat-representative-discusses-the-groups-plans-for-a-ransomware-meta-universe/) medical institutions and hospitals. The group has adopted the popular double extortion paradigm, which means that in addition to encrypting files, they also steal them and later threaten to publish stolen data unless the ransom is paid. In some cases even, triple extortion is used - threatening to perform DDOS attacks. ## Key Details **Sophisticated Ransomware: BlackCat has been called “2021’s most sophisticated** ransomware **High Severity: The** [Cybereason Nocturnus Team assesses the threat level as HIGH given](https://www.cybereason.com/blog/authors/cybereason-nocturnus) the destructive potential of the attacks. **Developed in Rust: BlackCat was developed in rust which is unusual for ransomware.** **Triple Extortion: The BlackCat operators used double extortion and sometimes triple** extortion to make victims pay the ransom **Shared Infrastructure with LockBit: BlackCat has shared infrastructure, and used similar** tools and naming conventions as the LockBit ransomware. **Detected and Prevented:** [The Cybereason XDR Platform fully detects and prevents the](https://www.cybereason.com/platform) Lorenz ransomware. ## Technical Analysis ### Breaking down BlackCat Ransomware The BlackCat ransomware has both Windows and Linux variants. The ransomware includes multiple execution flags which grant its operators control over operations like whether to stop executions of virtual machines or if the ransomware should change the desktop wallpaper or not: ----- _BlackCat help menu_ In order to execute properly, BlackCat must be executed with the “--access-token” flag, although the value of the string that is passed on to it can be any string. Upon execution, BlackCat may attempt to perform Privilege escalation in the following manners: UAC bypass by abusing the Connection Manager Admin API Helper for Setup COM interface (cmstplua.dll) [Abusing CVE-2016-0099 (Secondary Logon Service exploit)](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0099) Adjusting access token token privileges Next, BlackCat checks the UUID (universally unique identifier) of the machine by running a WMI command, which is used later for the recovery URL in the ransom note: _wmic csproduct get UUID_ [BlackCat enables local and remote symbolic links on the infected machine. A symbolic link is a](https://en.wikipedia.org/wiki/Symbolic_link) type of file that contains a reference to another file. This is probably done to make sure that the ransomware is able to follow shortcuts on the machine in order to find the original file to encrypt: _fsutil behavior set SymlinkEvaluation R2L:1_ _fsutil behavior set SymlinkEvaluation R2R:1_ BlackCat also attempts to stop Internet services on the infected machine using the iisreset.exe: _iisreset.exe /stop_ ----- The ransomware changes the number of outstanding requests that can be maintained. An outstanding request is a request that is still waiting for a response. These are used when performing SMB requests, the change is probably done to raise the number of possible PsExec requests the machine could make so the ransomware may spread: _reg add_ _HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters_ _/v MaxMpxCt /d 65535 /t REG_DWORD /f_ Then, it deletes the shadow copies from the infected machine using both “vssadmin” and “wmic”: _vssadmin.exe delete shadows /all /quiet_ wmic shaodwcopy delete _BlackCat Execution as seen in the Cybereason XDR Platform_ BlackCat enumerates all local disk partitions on the infected machine, and any hidden partition that is found is mounted in order to make it possible to encrypt more files. The ransomware also attempts to propagate through the network via the use of the “net use” command and PsExec which is embedded inside the BlackCat executable. The ransomware executes the tools using credentials that are configured in the ransomware config: _Credentials in the configuration_ Additionally, BlackCat disables windows’ automatic repair and clears the machine's event log, by running the following commands: _bcdedit /set {default} recoveryenabled No_ _cmd.exe /c for /F \"tokens=*\" %1 in ('wevtutil.exe el') DO wevtutil.exe cl \"%1\"_ ----- In order to maximize the number of encrypted files, BlackCat attempts to kill several processes and services on the machine in order to decrease the number of locked files that are not accessible due to another program (full list in appendix). In addition, BlackCat’s configuration includes a list of directories to be excluded from encryption. (see appendix): _BlackCat Configuration_ To encrypt the files, BlackCat may use AES or ChaCha20 for encryption, based on the configuration. It drops a ransom note titled : “RECOVER-[encrypted file extension]- FILES.txt” in each folder and in the end, the ransomware changes the desktops wallpaper: _Wallpaper after BlackCat change_ ----- _BlackCat ransom note_ **Linux variant specific commands** The Linux variant was observed executing commands in order to delete VMware ESXi snapshots. The ransomware generates a list of running virtual machines: _esxcli --formatter=csv --format-param=fields=="WorldID,DisplayName" vm process list_ Each virtual machine is then terminates using the command: _awk -F "\"*,\"*" '{system("esxcli vm process kill --type=force --world-id="$1)}'_ Finally all snapshots of the virtual machines are deleted: _for i in `vim-cmd vmsvc/getallvms| awk '{print$1}'`;do vim-cmd vmsvc/snapshot.removeall $i_ _& done_ ## BlackCat and LockBit Connection The Nocturnus team observed interesting overlaps between tools and infrastructure used by BlackCat ransomware and LockBit ransomware. The Nocturnus team analyzed a .NET written launcher named “setup.exe” that is used to download and execute BlackCat ransomware. The launcher contains the following PDB path: “D:\my\Documents\Visual Studio 2019\setup\obj\Release\setup.pdb”. When searching for files that share the PDB, we encountered several additional malware with the same name that have remarkable similarities to the BlackCat launcher. When examining the code and Infrastructure of these malware, we see overlaps between BlackCat infrastructure and LockBit infrastructure. **BlackCat Launcher** ----- The launcher downloads the BlackCat executable from the C2 and executes it using the -access-token” argument, which is required in order to run BlackCat: _BlackCat Launcher code_ Additionally, the tool collects basic profiling information about the infected machine and uploads it to the C2. The information collected is: A screen capture Username OS name OS language Timezone Windows UUID Keyboard language Installed users Installed software Drives **LockBit Profiler Tool** The Nocturnus team discovered striking similarities with the BlackCat launcher and a profiler associated with LockBit ransomware. The profiler variants which are linked to LockBit use almost the same code as the BlackCat launcher, except for slight variations. ----- The only difference in functionality is that they do not attempt to download anything, they only collect profiling data, with the difference being that instead of collecting the machine’s “Windows UUID”, the profiler checks if LockBit is already installed on the machine: _Left: LockBit profiler code Right: BlackCat Launcher code_ When checking the Infrastructure used by these tools, we see connections and similarities in the IP addresses, URI structure, and file names: ----- _BlackCat and LockBot infrastructure comparison_ All the IP addresses that are used by the BlackCat launcher and LockBit profiler, share the URI paths “files” and “upload”. In addition, BlackCat and LockBit samples sometimes share file names. For example, we observed BlackCat samples with the name: “test_4mmc_x86_32_windows_encrypt_app.exe” and LockBit samples with the name “4mmc.exe” Another example of shared file names is a LockBit sample named “screensaver.exe”, which is also the default name used for the BlackCat executable that is downloaded using the launcher: _“Screensaver.exe” used in BlackCat Launcher_ This connection between some of the tools and infrastructure between BlackCat ransomware and LockBit ransomware might indicate sharing of code and tools between cybercriminals, or there could be individuals that worked for both ransomware operators: ----- _BlackCat and LockBit Infrastructure map_ ## CYBEREASON DETECTION AND PREVENTION The Cybereason XDR Platform is able to prevent the execution of the BlackCat Ransomware using multi-layer protection that detects and blocks malware with threat intelligence, machine learning, and next-gen antivirus (NGAV) capabilities. Additionally, when the Anti-Ransomware feature is enabled, behavioral detection techniques in the platform are able to detect and prevent any attempt to encrypt files and generates a MalOp for it: ----- _Cybereason Detects and Blocks BlackCat Ransomware_ ## SECURITY RECOMMENDATIONS **Enable the Anti-Ransomware Feature on Cybereason NGAV: Set Cybereason Anti-** Ransomware protection mode to Prevent - more information for Cybereason customers can be found here **Enable Anti-Malware Feature on Cybereason NGAV: Set Cybereason Anti-Malware mode** to Prevent and set the detection mode to Moderate and above - more information for Cybereason customers can be found here **Keep Systems Fully Patched: Make sure your systems are patched in order to mitigate** vulnerabilities **Regularly Backup Files to a Remote Server: Restoring your files from a backup is the** fastest way to regain access to your data **Use Security Solutions: Protect your environment using organizational firewalls, proxies,** web filtering, and mail filtering ## MITRE ATT&CK BREAKDOWN **Reconnaissance** **Execution** **Privilege** **Escalation** **Discovery** **Lateral** **Movement** **Collection** **Impact** Gather Victim Host Information ## Appendix **Process to kill list:** Commandline interface Signed [Binary Proxy](https://attack.mitre.org/techniques/T1218/) Execution Access Token Manipulation Exploitation [for Privilege](https://attack.mitre.org/techniques/T1068/) Escalation Process Discovery System [Service](https://attack.mitre.org/techniques/T1007/) Discovery File and [Directory](https://attack.mitre.org/techniques/T1083/) Discovery Lateral Tool Transfer Data from [Local](https://attack.mitre.org/techniques/T1005/) System Data [Encrypted](https://attack.mitre.org/techniques/T1486/) for Impact Service Stop Inhibit [System](https://attack.mitre.org/techniques/T1490/) Recovery ----- agntsvc, dbeng50, dbsnmp, encsvc, excel, firefox, infopath, isqlplussvc, msaccess, mspub, mydesktopqos, mydesktopservice, notepad, ocautoupds, ocomm, ocssd, onenote, oracle, outlook, powerpnt, sqbcoreservice, sql, steam, synctime, tbirdconfig, thebat, thunderbird, visio, winword, wordpad, xfssvccon, *sql*, bedbh, vxmon, benetns, bengien, pvlsvr, beserver, raw_agent_svc, vsnapvss, CagService, QBIDPService, QBDBMgrN, QBCFMonitorService, SAP, TeamViewer_Service, TeamViewer, tv_w32, tv_x64, CVMountd, cvd, cvfwd, CVODS, saphostexec, saposcol, sapstartsrv, avagent, avscc, DellSystemDetect, EnterpriseClient, VeeamNFSSvc, VeeamTransportSvc, VeeamDeploymentSvc **Services to kill list:** mepocs, memtas, veeam, svc$, backup, sql, vss, msexchange, sql$, mysql, mysql$, sophos, MSExchange, MSExchange$, WSBExchange, PDVFSService, BackupExecVSSProvider, BackupExecAgentAccelerator, BackupExecAgentBrowser, BackupExecDiveciMediaService, BackupExecJobEngine, BackupExecManagementService, BackupExecRPCService, GxBlr, GxVss, GxClMgrS, GxCVD, GxCIMgr, GXMMM, GxVssHWProv, GxFWD, SAPService, SAP, SAP$, SAPD$, SAPHostControl, SAPHostExec, QBCFMonitorService, QBDBMgrN, QBIDPService, AcronisAgent, VeeamNFSSvc, VeeamDeploymentService, VeeamTransportSvc, MVArmor, MVarmor64, VSNAPVSS, AcrSch2Svc ## About the Researchers Tom Fakterman Tom Fakterman, Cyber Security Analyst with the Cybereason Nocturnus Research Team, specializes in protecting critical networks and incident response. Tom has experience in researching malware, computer forensics and developing scripts and tools for automated cyber investigations. Ohav Peri ----- Ohav Peri, cyber security analyst with the Cybereason Nocturnus Research Team, focusing on malware analysis and defense platforms research. Ohav began his career as a security researcher and software engineer in the intelligence corps of the IDF. ## Indicators of Compromise BlackCat Ransomware BlackCat Windows Variant: d42566e04d295a1e9e2823d202a1800cdc1ddd77 5869820f261f76eafa1ba00af582a9225d005c89 a8fd52bd107f7b62483c11c15923fbd2256c8bac 0c7215c4325ded8139ea2f0428412f17e6c8f957 c5181892afde538c73109b4c83e2a2730eb9014d e17dc8062742878b0b5ced2145311929f6f77abd 11203786b17bb3873d46acae32a898c8dac09850 45212fa4501ede5af428563f8043c4ae40faec76 3e794a584d75c2ceb07287fe450dcdc4d7ce949a e22436386688b5abe6780a462fd07cd12c3f3321 a186c08d3d10885ebb129b1a0d8ea0da056fc362 da1e4a09a59565c5d62887e0e9a9f6f04a18b5f4 57a6dfd2b021e5a4d4fe34a61bf3242ecee841b3 f95d865ef06f382bc9599a8093308afb9007ab89 8917af3878fa49fe4ec930230b881ff0ae8d19c9 94f025f3be089252692d58e54e3e926e09634e40 5c6ca5581a04955d8e4d1fa452621fbc922ecb7b f466b4d686d1fa9fed064507639b9306b0d80bbf d42566e04d295a1e9e2823d202a1800cdc1ddd77 a186c08d3d10885ebb129b1a0d8ea0da056fc362 e22436386688b5abe6780a462fd07cd12c3f3321 5869820f261f76eafa1ba00af582a9225d005c89 a8fd52bd107f7b62483c11c15923fbd2256c8bac 0c7215c4325ded8139ea2f0428412f17e6c8f957 c5181892afde538c73109b4c83e2a2730eb9014d e17dc8062742878b0b5ced2145311929f6f77abd 11203786b17bb3873d46acae32a898c8dac09850 3e794a584d75c2ceb07287fe450dcdc4d7ce949a 2a53525eeb7b76b3d1bfe40ac349446f2add8784 087497940a41d96e4e907b6dc92f75f4a38d861a da1e4a09a59565c5d62887e0e9a9f6f04a18b5f4 57a6dfd2b021e5a4d4fe34a61bf3242ecee841b3 f95d865ef06f382bc9599a8093308afb9007ab89 8917af3878fa49fe4ec930230b881ff0ae8d19c9 655c2567650d2c109fab443de4b737294994f1fd ----- ## dd69b20eb1931487d8b65060f2be3671bd5baf33 75b6eb3cc65a608abd9a96a3c5d158c944aadb15 1d6e2aeed499eb7d317b92b42d4a784b22d02dc6 c5acefee89cdbf24e99d311f804615aedef8f3df f466b4d686d1fa9fed064507639b9306b0d80bbf 77413cb3f469d00d69941b4973206e4978381987 74845c914cc9525604ff06212f50b99386240183 a03d9e0baa0c7b71b2ed3afe38fb6ddeb346e030 38fa2979382615bbee32d1f58295447c33ca4316 dc963d8beb490d00261280dc5a9bc9cc700da602 324c6626ab70399ef9864542ddbeedfb8fbddfb5 087497940a41d96e4e907b6dc92f75f4a38d861a 2a53525eeb7b76b3d1bfe40ac349446f2add8784 ce5540c0d2c54489737f3fefdbf72c889ac533a9 c1187fe0eaddee995773d6c66bcb558536e9b62c 783b2b053ef0345710cd2487e5184f29116e367c 655c2567650d2c109fab443de4b737294994f1fd 89060eff6db13e7455fee151205e972260e9522a 94f025f3be089252692d58e54e3e926e09634e40 5c6ca5581a04955d8e4d1fa452621fbc922ecb7b ce5540c0d2c54489737f3fefdbf72c889ac533a9 c1187fe0eaddee995773d6c66bcb558536e9b62c 783b2b053ef0345710cd2487e5184f29116e367c 89060eff6db13e7455fee151205e972260e9522a 324c6626ab70399ef9864542ddbeedfb8fbddfb5 dc963d8beb490d00261280dc5a9bc9cc700da602 38fa2979382615bbee32d1f58295447c33ca4316 a03d9e0baa0c7b71b2ed3afe38fb6ddeb346e030 77413cb3f469d00d69941b4973206e4978381987 74845c914cc9525604ff06212f50b99386240183 c5acefee89cdbf24e99d311f804615aedef8f3df 1d6e2aeed499eb7d317b92b42d4a784b22d02dc6 75b6eb3cc65a608abd9a96a3c5d158c944aadb15 7af51a9e6245415d18be46142f2400a421f19d3a dd69b20eb1931487d8b65060f2be3671bd5baf33 71e6aa313f9d64086d68d1c0048420fa5c778165 026720fca026d971b16d1990146ef6462e8c1664 3d385b316df5d37d39b10113a67080fc1516e0c9 bf41f2014cfbfdd683ba4e259b004bce3b54e3ea 23006c877ccc883460497ad35df82e64f338cfc9 ----- ### BlackCat Linux Variant: 9146a448463935b47e29155da74c68d16e0d7031 36dff07387cf3f2393339d30d0672fcbccc7a73c 6116a5b0c0b6c147a2c715aad2eb1cd082941715 fd0d6046d6e3096bd38df9aa539d4b5502db9f85 5ac485d60fe2c096b10cda2624588427928e3f0d 362aa21546904629b28a56c9d5c4bfd3b53296f5 BlackCat Launcher: 42c1f2d3043b5c7f247e6f9dd83aeede3b6c1d13 LockBit Profiler: 67fc605754f3e7304dda8c99f0d7d5003835a5d3 b5990b0ed62515dc92f5c255329987bdc90fde53 1b5a7211694c49615eef76555795bef5a7573a35 ab5444d23dd45d0292de899561026777c494b01c e10dfc54c2fbd2cb8a0a3845fde7ff3ee93634c2 0c1365b9c2eb3a5bc14426fbab72cafd23ee3ce6 4064adbed7b3bbc4cb032de3c5b5279c7a2b34e6 Blackcat IP Addresses: 141.136.44.54 LockBit IP Addresses: 188.120.247.108 45.9.190.135 185.43.7.120 About the Author **Cybereason Nocturnus** ----- The Cybereason Nocturnus Team has brought the world s brightest minds from the military, government intelligence, and enterprise security to uncover emerging threats across the globe. They specialize in analyzing new attack methodologies, reverse-engineering malware, and exposing unknown system vulnerabilities. The Cybereason Nocturnus Team was the first to release a vaccination for the 2017 NotPetya and Bad Rabbit cyberattacks. [All Posts by Cybereason Nocturnus](https://www.cybereason.com/blog/authors/cybereason-nocturnus) -----