{
	"id": "630b3437-5379-4064-85d8-550b0331d84e",
	"created_at": "2026-04-06T00:11:53.481286Z",
	"updated_at": "2026-04-10T13:12:28.36031Z",
	"deleted_at": null,
	"sha1_hash": "f8903406c3b8d3d8b1c2789fe36e843db4aefc23",
	"title": "TTPs Associated With a New Version of the BlackCat Ransomware - SecurityScorecard",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 859146,
	"plain_text": "TTPs Associated With a New Version of the BlackCat Ransomware\r\n- SecurityScorecard\r\nArchived: 2026-04-02 10:56:04 UTC\r\nIn this post, we describe a real engagement that we recently handled by giving details about the tools, techniques,\r\nand procedures (TTPs) used by this threat actor.\r\nExecutive summary\r\nThe BlackCat/ALPHV ransomware is a complex threat written in Rust that appeared in November 2021. In this\r\npost, we describe a real engagement that we recently handled by giving details about the tools, techniques, and\r\nprocedures (TTPs) used by this threat actor. Firstly, the attacker targeted an unpatched Microsoft Exchange server\r\nand successfully dropped webshells on the machine. After getting initial access, the ransomware installed the\r\nMobaXterm software and then started to dump credentials using Mimikatz or by creating an LSASS dump file\r\nwith Process Hacker. The SoftPerfect Network Scanner was used to perform network discovery. Before running\r\nthe ransomware executable, the TA compressed the targeted files using WinRAR or 7zip and then exfiltrated them\r\nusing rclone and MEGAsync.\r\nOur Digital Forensics and Incident Response (DFIR) team was engaged to investigate a ransomware infection.\r\nWe were able to determine that the ransomware involved is a new version of the BlackCat ransomware, based on\r\nthe fact that the malware added new command line parameters that were not documented before.\r\nAs shown in Figure 1, the ransomware added a parameter called “--safeboot” that is used to reboot into Safe Mode.\r\nWhen the malware is running with the “--sleep-restart” parameter, the process sleeps for a specified number of\r\nseconds and then restarts the machine.\r\nhttps://securityscorecard.com/blog/ttps-associated-with-new-version-of-blackcat-ransomware\r\nPage 1 of 5\n\nFigure 1\r\nA complete analysis of the BlackCat ransomware can be found here.\r\nBy accessing the onion link specified in the ransom note called “RECOVER-\u003cextension\u003e-FILES.txt”, the victim\r\nis presented with multiple tabs that contain information such as the ransom amount in Bitcoin and Monero, the\r\nthreat actor’s wallet addresses, a live chat, and a trial decrypt that can be used to decrypt a few files for free (see\r\nFigure 2).\r\nFigure 2\r\nInitial access\r\nAccording to our analysis, the entry point into the organization was an Exchange server that was vulnerable to\r\nknown Microsoft Exchange vulnerabilities. Multiple webshells were identified on the impacted server.\r\nRemote access tools\r\nAfter gaining access to the internal network, the ransomware installed the legitimate tools MobaXterm and\r\nmottynew.exe (MobaXterm terminal).\r\nLateral Movement\r\nAs we already know from the malware analysis of the ransomware, BlackCat steals credentials from the victim’s\r\nenvironment and incorporates them into its configuration (“credentials” field). Mimikatz was utilized to dump the\r\ncredentials, and then the malware pivoted from one machine to another via Remote Desktop Protocol (RDP).\r\nAn old version of the SoftPerfect Network Scanner was used to perform network scanning in order to discover\r\nadditional targets in the local network. Figure 3 shows the interface of the network scanner:\r\nFigure 3\r\nData exfiltration\r\nOnce the threat actor decided which files to exfiltrate, the malware compressed them using WinRAR or 7zip. The\r\nransomware installed a tool called rclone that is used to upload data to cloud storage providers. A second tool\r\ncalled MEGAsync was also installed by the process, which can upload data to MEGA cloud storage.\r\nWe’ve also observed the ransomware installing tools such as FileZilla and WinSCP that could be used to\r\nperform data exfiltration.\r\nOther tools installed\r\nWe’ve investigated and found that the ransomware installed the cURL tool to download additional files.\r\nProcess Hacker was also installed by the malware and could be used to dump the memory of the LSASS process.\r\nIn the same directory as Process Hacker, the BlackCat ransomware dropped a copy of the PEView tool, which is\r\na viewer for Portable Executable (PE) files.\r\nConclusion\r\nBlackCat ransomware remains a serious threat because it targets Windows hosts, Linux hosts, and VMware ESXi.\r\nThe access token that the malware is run with makes automated analysis impossible and increases the\r\ndifficulty of dynamic malware analysis. The use of legitimate tools to perform malicious activities increases\r\nthe chance of not being detected by endpoint detection and response (EDR) or antivirus software.\r\nSecurityScorecard offers a 360-degree approach to security prevention and response. For more information,\r\nrequest a demo. SecurityScorecard’s threat research and intelligence could be the competitive advantage\r\norganizations need to stay ahead of today’s fast-moving threat actors.\r\nFor more custom insights on a regular basis through our team’s 100+ years of combined threat research and\r\ninvestigation experience, or more details on these findings and the other keywords that were provided,\r\nplease contact Ranell Gonzales for a discussion of our Cyber Risk Intelligence (CRI) offering. If you have already\r\nsuffered a breach, SecurityScorecard’s Digital Forensics Solutions can empower your post-breach actions.\r\nSource: https://securityscorecard.com/blog/ttps-associated-with-new-version-of-blackcat-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securityscorecard.com/blog/ttps-associated-with-new-version-of-blackcat-ransomware"
	],
	"report_names": [
		"ttps-associated-with-new-version-of-blackcat-ransomware"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434313,
	"ts_updated_at": 1775826748,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f8903406c3b8d3d8b1c2789fe36e843db4aefc23.pdf",
		"text": "https://archive.orkl.eu/f8903406c3b8d3d8b1c2789fe36e843db4aefc23.txt",
		"img": "https://archive.orkl.eu/f8903406c3b8d3d8b1c2789fe36e843db4aefc23.jpg"
	}
}