{
	"id": "6e710a71-aaa1-43d9-9cab-60901eec1cc1",
	"created_at": "2026-04-06T00:15:41.623791Z",
	"updated_at": "2026-04-10T13:12:47.871891Z",
	"deleted_at": null,
	"sha1_hash": "919b7f01281b02ca2c200526a2936bae53fff786",
	"title": "BlackCat Ransomware | Highly-Configurable, Rust-Driven RaaS On The Prowl For Victims",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1868539,
	"plain_text": "BlackCat Ransomware | Highly-Configurable, Rust-Driven RaaS On The Prowl For Victims\r\nBy Jim Walter\r\nPublished: 2022-01-18 · Archived: 2026-04-05 17:28:39 UTC\r\nBlackCat (aka AlphaVM, AlphaV) is a newly established RaaS (Ransomware as a Service) with payloads written in Rust. While BlackCat is not the first ransomware written in the Rust language, it joins a small (yet growing) sliver of the malware landscape making use of this popular cross-platform language.\r\nFirst appearing in late November, BlackCat has reportedly been attacking targets in multiple countries, including Australia, India and the U.S., and demanding ransoms in the region of $400,000 to $3,000,000 in Bitcoin or Monero.\r\nBlackCat Ransomware Overview\r\nIn order to attract affiliates, the authors behind BlackCat have been heavily marketing their services in well-known underground forums.\r\nBlackCat operators maintain a victim blog, as is standard these days. The blog hosts company names and any data leaked in the event that the victims do not agree to cooperate.\r\nCurrent data indicates that BlackCat is primarily delivered via third-party frameworks/toolsets (e.g., Cobalt Strike) or via exposed (and vulnerable) applications. BlackCat currently supports both Windows and Linux operating systems.\r\nBlackCat Configuration Options\r\nSamples analyzed (to date) require an “access token” to be supplied as a parameter upon execution. This is similar to threats like Egregor, and is often used as an anti-analysis tactic: a payload that refuses to run without the expected argument is harder to detonate in an automated sandbox. This ‘feature’ exists in both the Windows and Linux versions of BlackCat.\r\nHowever, the BlackCat samples we analyzed could be launched with any string supplied as the access token. 
For example:\r\nMalware.exe -v --access-token 12345\r\nThe ransomware supports a visible command set, which can be obtained via the -h or --help parameters.\r\nhttps://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/\r\nPage 1 of 9\r\nBlackCat command line options\r\nAs seen above, the executable payloads support a variety of commands, many of which are VMware-centric. Among them:\r\n --no-prop                        Do not self-propagate (worm) on Windows\r\n --no-prop-servers \u003cNO_PROP_SERVERS\u003e  Do not propagate to defined servers\r\n --no-vm-kill                     Do not stop VMs on ESXi\r\n --no-vm-snapshot-kill            Do not wipe VM snapshots on ESXi\r\n --no-wall                        Do not update desktop wallpaper on Windows\r\nIn verbose mode (-v) the following output can be observed upon launch of the BlackCat payloads:\r\nBlackCat ransomware run in verbose mode\r\nBlackCat Execution and Encryption Behaviour\r\nImmediately upon launch, the malware will attempt to validate the existence of the previously mentioned access token, followed by querying for the system UUID (wmic).\r\nThose pieces of data are concatenated together into what becomes the ‘Access key’ portion of the recovery URL displayed in the ransom note. In addition, on Windows devices, BlackCat attempts to delete VSS (Volume Shadow Copies) as well as enumerate any accessible drives to search for and encrypt eligible files.\r\nOther configuration parameters are evaluated before proceeding to execute multiple privilege escalation methods, based on the OS identified by wmic earlier. 
These methods are visible at the time of execution and include the use of the COM Elevation Moniker.\r\nIt is at this point that BlackCat will attempt to terminate any processes or services listed within the configuration, such as any processes which may inhibit the encryption process. There are also specific files and directories that are excluded from encryption. Much of this is configurable at the time of building the ransomware payloads.\r\nThe targeted processes and services are noted in the kill_processes and kill_services sections respectively. File and folder exclusions are handled in the exclude_directory_names, exclude_file_names and exclude_file_extensions sections.\r\nTo further illustrate, the following were extracted from sample d65a131fb2bd6d80d69fe7415dc1d1fd89290394 / 74464797c5d2df81db2e06f86497b2127fda6766956f1b67b0dcea9570d8b683 (note that the entries under kill_services are service-name fragments such as veeam, vss and msexchange, while those under kill_processes are image names such as excel, outlook and sql; the two lists are easy to confuse at a glance):\r\nkill_services\r\nbackup, memtas, mepocs, msexchange, sql, svc$, veeam, vss\r\nkill_processes\r\nagntsvc, dbeng50, dbsnmp, encsvc, excel, firefox, infopath, isqlplussvc, msaccess, mspub, mydesktopqos, mydesktopservice, notepad, ocautoupds, ocomm, ocssd, onenote, oracle, outlook, powerpnt, sqbcoreservice, sql, steam, synctime, tbirdconfig, thebat, thunderbird, visio, winword, wordpad, xfssvccon\r\nexclude_directory_names\r\n$recycle.bin, $windows.~bt, $windows.~ws, all users, appdata, application data, boot, config.msi, default, google, intel, mozilla, msocache, perflogs, program files, program files (x86), programdata, public, system volume information, tor browser, windows, windows.old\r\nexclude_file_names\r\nautorun.inf, boot.ini, bootfont.bin, bootsect.bak, desktop.ini, iconcache.db, ntldr, ntuser.dat, ntuser.dat.log, ntuser.ini, thumbs.db\r\nexclude_file_extensions\r\n386, adv, ani, bat, bin, cab, cmd, com, cpl, cur, deskthemepack, diagcab, diagcfg, diagpkg, dll, drv, exe, hlp, hta, icl, icns, ico, ics, idx, key, ldf, lnk, lock, mod, mpa, msc, msi, msp, msstyles, msu, nls, nomedia, ocx, pdb, prf, ps1, rom, rtp, scr, shs, spl, sys, theme, themepack, wpx\r\nBlackCat also spawns a number of its own processes, with syntax (for Windows) as follows:\r\n WMIC.exe (CLI interpreter) csproduct get UUID\r\n cmd.exe (CLI interpreter) /c \"reg add HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServ\r\n cmd.exe (CLI interpreter) /c \"wmic csproduct get UUID\"\r\n cmd.exe (fsutil.exe) /c \"fsutil behavior set SymlinkEvaluation R2L:1\"\r\n fsutil.exe behavior set SymlinkEvaluation R2L:1\r\n cmd.exe (fsutil.exe) /c \"fsutil behavior set SymlinkEvaluation R2R:1\"\r\n fsutil.exe behavior set SymlinkEvaluation R2R:1\r\n cmd.exe (vssadmin.exe) /c \"vssadmin.exe delete shadows /all /quiet\"\r\n reg.exe (CLI interpreter) add HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Pa\r\n cmd.exe (worldwideStrata.exe) /c \"C:\\Users\\admin1\\Desktop\\worldwideStrata.exe\"\r\n vssadmin.exe delete shadows /all /quiet\r\n cmd.exe (ARP.EXE) /c \"arp -a\"\r\nThe fsutil-based modifications enable ‘remote to local’ (R2L) and ‘remote to remote’ (R2R) symbolic link evaluation, both of which Windows leaves disabled by default, so that symlinks encountered on network shares are followed to local and remote targets.\r\nSome more recently-built copies have a few additions. For example, in sample c1187fe0eaddee995773d6c66bcb558536e9b62c / c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40 we see the addition of:\r\n wmic.exe Shadowcopy Delete\r\n iisreset.exe /stop\r\n bcdedit.exe /set {default} recoveryenabled No\r\nMuch like other fine details, all this can be adjusted or configured by the affiliates at the time of building the payloads.\r\nBlackCat configurations are not necessarily tailored to the target operating system. 
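As an added example (not code from the SentinelOne article or from BlackCat itself), the following Python turns the child-command list above into a detection: process-creation events are grouped by host and parent PID, and an alert fires when several distinct BlackCat commands appear under one parent inside a short window. The event shape (host, ppid, image, cmdline, ts), the 10-minute window and the threshold of three distinct commands are assumptions for illustration; the events are constructed, not captured telemetry, and the reg add value name in the sample is a constructed completion of a command the article shows truncated.

```python
"""Detect the BlackCat Windows process chain in process-creation telemetry.

Added example, not code from the SentinelOne article or from the malware.
Event shape (host, ppid, image, cmdline, ts), the window and the threshold
are assumptions; SAMPLE_EVENTS below are constructed, not captured logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# One rule per child command listed in the article. Predicates run on the
# lower-cased command line so casing and cmd.exe /c wrapping do not matter.
RULES = {
    'uuid_discovery':         lambda c: 'csproduct get uuid' in c,
    'symlink_r2l':            lambda c: 'symlinkevaluation' in c and 'r2l:1' in c,
    'symlink_r2r':            lambda c: 'symlinkevaluation' in c and 'r2r:1' in c,
    'lanmanserver_params':    lambda c: 'reg' in c and 'lanmanserver\\parameters' in c,
    'vss_delete':             lambda c: 'vssadmin' in c and 'delete shadows' in c,
    'wmic_shadowcopy_delete': lambda c: 'wmic' in c and 'shadowcopy delete' in c,
    'bcdedit_recovery_off':   lambda c: 'bcdedit' in c and 'recoveryenabled no' in c,
    'iisreset_stop':          lambda c: 'iisreset' in c and '/stop' in c,
    'arp_cache_dump':         lambda c: 'arp -a' in c,
}


def match_rules(cmdline):
    """Return the set of rule names a single command line triggers."""
    c = cmdline.lower()
    return {name for name, pred in RULES.items() if pred(c)}


def detect(events, window_minutes=10, min_distinct=3):
    """Alert once per (host, parent PID) whose children trigger at least
    min_distinct different rules inside a sliding window.

    A lone shadow-copy deletion (a backup job) or a lone UUID query (an
    inventory script) stays under the threshold; the ransomware's burst of
    distinct commands from one parent does not.
    """
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e['ts']):
        for rule in match_rules(ev['cmdline']):
            hits[(ev['host'], ev['ppid'])].append((datetime.fromisoformat(ev['ts']), rule))
    window = timedelta(minutes=window_minutes)
    alerts = []
    for (host, ppid), seq in hits.items():
        for i, (t0, _) in enumerate(seq):
            in_window = [(t, r) for t, r in seq[i:] if t - t0 <= window]
            rules = sorted({r for _, r in in_window})
            if len(rules) >= min_distinct:
                alerts.append({'host': host, 'ppid': ppid, 'rules': rules,
                               'first_seen': t0.isoformat(),
                               'last_seen': in_window[-1][0].isoformat()})
                break  # one alert per parent chain is enough
    return alerts


# Constructed telemetry: one infected workstation plus two benign look-alikes.
SAMPLE_EVENTS = [
    {'ts': '2022-01-14T10:00:01', 'host': 'WS01', 'ppid': 4242, 'image': 'wmic.exe',
     'cmdline': 'wmic csproduct get UUID'},
    {'ts': '2022-01-14T10:00:02', 'host': 'WS01', 'ppid': 4242, 'image': 'cmd.exe',
     'cmdline': 'cmd.exe /c fsutil behavior set SymlinkEvaluation R2L:1'},
    {'ts': '2022-01-14T10:00:02', 'host': 'WS01', 'ppid': 4242, 'image': 'cmd.exe',
     'cmdline': 'cmd.exe /c fsutil behavior set SymlinkEvaluation R2R:1'},
    # Value name and data are a constructed completion; the article shows this command truncated.
    {'ts': '2022-01-14T10:00:03', 'host': 'WS01', 'ppid': 4242, 'image': 'reg.exe',
     'cmdline': 'reg add HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f'},
    {'ts': '2022-01-14T10:00:05', 'host': 'WS01', 'ppid': 4242, 'image': 'cmd.exe',
     'cmdline': 'cmd.exe /c vssadmin.exe delete shadows /all /quiet'},
    {'ts': '2022-01-14T10:00:06', 'host': 'WS01', 'ppid': 4242, 'image': 'cmd.exe',
     'cmdline': 'cmd.exe /c arp -a'},
    {'ts': '2022-01-14T10:00:07', 'host': 'WS01', 'ppid': 4242, 'image': 'bcdedit.exe',
     'cmdline': 'bcdedit.exe /set {default} recoveryenabled No'},
    # Benign: an inventory script on another workstation, and a backup agent
    # rotating its own shadow copies on a server. Each trips a single rule.
    {'ts': '2022-01-14T10:05:00', 'host': 'WS02', 'ppid': 900, 'image': 'wmic.exe',
     'cmdline': 'wmic csproduct get UUID'},
    {'ts': '2022-01-14T10:05:01', 'host': 'WS02', 'ppid': 900, 'image': 'vssadmin.exe',
     'cmdline': 'vssadmin list shadows'},
    {'ts': '2022-01-14T02:00:00', 'host': 'SRV01', 'ppid': 1337, 'image': 'vssadmin.exe',
     'cmdline': 'vssadmin delete shadows /for=D: /oldest /quiet'},
]

if __name__ == '__main__':
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The two SymlinkEvaluation rules are the most BlackCat-specific signal in the chain, since shadow-copy deletion and bcdedit changes are shared with most ransomware families. On a suspect host, fsutil behavior query SymlinkEvaluation shows whether remote-to-local and remote-to-remote evaluation have been switched on; both are disabled on a default Windows install.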
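To show how the three exclusion lists quoted above are applied to a file tree, here is an added Python example (not code from the article or from BlackCat). The sets are the exclude_directory_names, exclude_file_names and exclude_file_extensions entries extracted from sample d65a131fb2bd6d80d69fe7415dc1d1fd89290394 above; the matching rules (case-insensitive exact match on any directory component, on the file name, or on the extension) are an assumption made here to illustrate the configuration, not a statement about the malware's own string matching, and the candidate paths are constructed. The last sample path is a Linux path: none of the Windows-centric names match it, which is the situation the next paragraph describes for the Linux variant.

```python
"""Apply BlackCat-style encryption exclusions to candidate file paths.

Added example, not code from the SentinelOne article or from the malware.
The three sets are the exclusion lists quoted in the article; the matching
rules (case-insensitive exact match on a directory component, a file name or
an extension) are an assumption for illustration. Paths use forward slashes,
which PureWindowsPath accepts, so the samples need no escaped backslashes.
"""
from pathlib import PureWindowsPath
from typing import Optional

EXCLUDE_DIRECTORY_NAMES = {
    '$recycle.bin', '$windows.~bt', '$windows.~ws', 'all users', 'appdata',
    'application data', 'boot', 'config.msi', 'default', 'google', 'intel',
    'mozilla', 'msocache', 'perflogs', 'program files', 'program files (x86)',
    'programdata', 'public', 'system volume information', 'tor browser',
    'windows', 'windows.old',
}
EXCLUDE_FILE_NAMES = {
    'autorun.inf', 'boot.ini', 'bootfont.bin', 'bootsect.bak', 'desktop.ini',
    'iconcache.db', 'ntldr', 'ntuser.dat', 'ntuser.dat.log', 'ntuser.ini',
    'thumbs.db',
}
EXCLUDE_FILE_EXTENSIONS = {
    '386', 'adv', 'ani', 'bat', 'bin', 'cab', 'cmd', 'com', 'cpl', 'cur',
    'deskthemepack', 'diagcab', 'diagcfg', 'diagpkg', 'dll', 'drv', 'exe',
    'hlp', 'hta', 'icl', 'icns', 'ico', 'ics', 'idx', 'key', 'ldf', 'lnk',
    'lock', 'mod', 'mpa', 'msc', 'msi', 'msp', 'msstyles', 'msu', 'nls',
    'nomedia', 'ocx', 'pdb', 'prf', 'ps1', 'rom', 'rtp', 'scr', 'shs', 'spl',
    'sys', 'theme', 'themepack', 'wpx',
}


def exclusion_reason(path: str) -> Optional[str]:
    """Return why the config would skip this path, or None if it would be encrypted.

    Order mirrors the three sections: directory names first (any component of
    the parent path), then the exact file name, then the extension.
    """
    p = PureWindowsPath(path)
    for part in p.parts[:-1]:
        if part.lower() in EXCLUDE_DIRECTORY_NAMES:
            return 'directory name: ' + part.lower()
    name = p.name.lower()
    if name in EXCLUDE_FILE_NAMES:
        return 'file name: ' + name
    ext = p.suffix[1:].lower()
    if ext in EXCLUDE_FILE_EXTENSIONS:
        return 'file extension: ' + ext
    return None


def triage(paths):
    """Split paths into those the config would encrypt and those it would skip, with the reason."""
    encrypt, skipped = [], {}
    for path in paths:
        reason = exclusion_reason(path)
        if reason is None:
            encrypt.append(path)
        else:
            skipped[path] = reason
    return encrypt, skipped


# Constructed sample paths. The exclusions keep the OS bootable and leave
# binaries alone while user and server data are still encrypted; the Linux
# path at the end matches nothing in the Windows-centric lists.
SAMPLE_PATHS = [
    'C:/Users/alice/Documents/q4-budget.xlsx',
    'C:/Windows/System32/kernel32.dll',
    'C:/Users/alice/AppData/Local/Temp/cache.bin',
    'C:/Users/alice/Desktop/tool.exe',
    'C:/Users/alice/ntuser.dat.log',
    'C:/Program Files (x86)/Vendor/app.cfg',
    'D:/backups/finance.bak',
    '/var/lib/mysql/ibdata1',
]

if __name__ == '__main__':
    encrypt, skipped = triage(SAMPLE_PATHS)
    for path in encrypt:
        print('ENCRYPT', path)
    for path, reason in skipped.items():
        print('SKIP   ', path, '(' + reason + ')')
```

A directory match wins over an extension match (cache.bin under AppData is skipped for the folder, not the extension), which is why the order of the three checks matters when reproducing the behaviour during recovery planning.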
In the Linux variants we have analyzed to date, there are Windows-specific process, service, and file references in the kill_processes, kill_services, and exclude_directory_names sections.\r\nThe following excerpt is from sample f8c08d00ff6e8c6adb1a93cd133b19302d0b651afd73ccb54e3b6ac6c60d99c6.\r\nLinux variant configuration\r\nSpecific encryption logic is not necessarily novel either and is somewhat configurable by the affiliate at the time of building the ransomware payloads. BlackCat supports both ChaCha20 and AES encryption schemes.\r\nExtensions on encrypted files can vary across samples. Examples observed include .dkrpx75, .kh1ftzx and .wpzlbji.\r\nBlackCat ransomware execution chain (Windows version)\r\nPost-Infection, Payment and Portal\r\nInfected clients will be greeted with a ransom note as well as a modified desktop image.\r\nBlackCat’s modified desktop image\r\nInfected users are instructed to connect to the attackers’ payment portal via Tor.\r\nBlackCat ransom note\r\nThe ransom note informs the victim that not only have files been encrypted but data has been stolen. Victims are threatened with data leakage if they refuse to pay and are provided with a list of the data types that have been stolen.\r\nIn theory, once victims connect to the attacker’s portal, they are able to communicate and potentially acquire a decryption tool. Everything on the BlackCat portal is tied back to the specific target ID, which must be supplied correctly from the URL in the ransom note.\r\nConclusion\r\nIn its relatively short time on the radar, BlackCat has carved a notable place for itself amongst mid-tier ransomware actors. 
This group knows its craft and is cautious when selecting partners or affiliates. It is possible that some of the increased affiliation and activity around BlackCat is attributable to other actors migrating to BlackCat as larger platforms fizzle out (Ryuk, Conti, LockBit and REvil).\r\nActors utilizing BlackCat know their targets well and make every attempt to stealthily compromise enterprises. Prevention by way of powerful, modern endpoint security controls is a must. The SentinelOne Singularity Platform is capable of detecting and preventing BlackCat infections on both Windows and Linux endpoints.\r\nIndicators of Compromise\r\nSHA256\r\n0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479\r\n13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31\r\n15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed\r\n1af1ca666e48afc933e2eda0ae1d6e88ebd23d27c54fd1d882161fd8c70b678e\r\n28d7e6fe31dc00f82cb032ba29aad6429837ba5efb83c2ce4d31d565896e1169\r\n2cf54942e8cf0ef6296deaa7975618dadff0c32535295d3f0d5f577552229ffc\r\n38834b796ed025563774167716a477e9217d45e47def20facb027325f2a790d1\r\n3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83\r\n4e18f9293a6a72d5d42dad179b532407f45663098f959ea552ae43dbb9725cbf\r\n59868f4b346bd401e067380cac69080709c86e06fae219bfb5bc17605a71ab3f\r\n731adcf2d7fb61a8335e23dbee2436249e5d5753977ec465754c6b699e9bf161\r\n74464797c5d2df81db2e06f86497b2127fda6766956f1b67b0dcea9570d8b683\r\n7b2449bb8be1b37a9d580c2592a67a759a3116fe640041d0f36dc93ca3db4487\r\n7e363b5f1ba373782261713fa99e8bbc35ddda97e48799c4eb28f17989da8d8e\r\nbd337d4e83ab1c2cacb43e4569f977d188f1bb7c7a077026304bf186d49d4117\r\nc3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40\r\nc8b3b67ea4d7625f8b37ba59eed5c9406b3ef04b7a19b97e5dd5dab1bd59f283\r\ncefea76dfdbb48cfe1a3db2c8df34e898e29bec9b2c13e79ef40655c637833ae\r\nf815f5d6c85bcbc1ec071dd39532a20f5ce910989552d980d1d4346f57b75f89\r\nf8c08d00ff6e8c6adb1a93cd133b19302d0b651afd73ccb54e3b6ac6c60d99c6\r\nSHA1\r\n087497940a41d96e4e907b6dc92f75f4a38d861a\r\n11203786b17bb3873d46acae32a898c8dac09850\r\n2a53525eeb7b76b3d1bfe40ac349446f2add8784\r\n45212fa4501ede5af428563f8043c4ae40faec76\r\n57a6dfd2b021e5a4d4fe34a61bf3242ecee841b3\r\n5869820f261f76eafa1ba00af582a9225d005c89\r\n5c6ca5581a04955d8e4d1fa452621fbc922ecb7b\r\n655c2567650d2c109fab443de4b737294994f1fd\r\n783b2b053ef0345710cd2487e5184f29116e367c\r\n89060eff6db13e7455fee151205e972260e9522a\r\n9146a448463935b47e29155da74c68d16e0d7031\r\n94f025f3be089252692d58e54e3e926e09634e40\r\na186c08d3d10885ebb129b1a0d8ea0da056fc362\r\nc1187fe0eaddee995773d6c66bcb558536e9b62c\r\nce5540c0d2c54489737f3fefdbf72c889ac533a9\r\nd65a131fb2bd6d80d69fe7415dc1d1fd89290394\r\nda1e4a09a59565c5d62887e0e9a9f6f04a18b5f4\r\ne17dc8062742878b0b5ced2145311929f6f77abd\r\ne22436386688b5abe6780a462fd07cd12c3f3321\r\nf466b4d686d1fa9fed064507639b9306b0d80bbf\r\nMITRE ATT\u0026CK\r\nT1027.002 – Obfuscated Files or Information: Software Packing\r\nT1027 – Obfuscated Files or Information\r\nT1007 – System Service Discovery\r\nT1059 – Command and Scripting Interpreter\r\nTA0010 – Exfiltration\r\nT1082 – System Information Discovery\r\nT1490 – Inhibit System Recovery\r\nT1485 – Data Destruction\r\nT1078 – Valid Accounts\r\nT1486 – Data Encrypted for Impact\r\nT1140 – Deobfuscate/Decode Files or Information\r\nT1202 – Indirect Command Execution\r\nT1543.003 – Create or Modify System Process: Windows Service\r\nT1550.002 – Use Alternate Authentication Material: Pass the Hash\r\nSource: https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/"
	],
	"report_names": [
		"blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims"
	],
	"threat_actors": [],
	"ts_created_at": 1775434541,
	"ts_updated_at": 1775826767,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/919b7f01281b02ca2c200526a2936bae53fff786.pdf",
		"text": "https://archive.orkl.eu/919b7f01281b02ca2c200526a2936bae53fff786.txt",
		"img": "https://archive.orkl.eu/919b7f01281b02ca2c200526a2936bae53fff786.jpg"
	}
}