After several notable ransomware attacks against major enterprises, the BlackCat gang is drawing the attention of security researchers who have connected it to other groups.
With a string of recent high-profile attacks, the BlackCat ransomware gang is emerging as one of the major players in the threat landscape.
BlackCat, or “ALPHV,” an apparent descendant of the BlackMatter ransomware group, has operating since at least November and has launched major attacks such as the disruption of OilTanking GmbH, a German fuel company, in January and the February attack on aviation company Swissport. Most recently, the ransomware group has claimed responsibility for attacks against two universities in the U.S., Florida International University and the University of North Carolina A&T.
The FBI on Wednesday published a flash alert about BlackCat ransomware that included indicators of compromise. The FBI said the ransomware gang has attacked at least 60 organizations across the globe as of last month, often using “previously compromised user credentials” to gain access to victims’ networks.
Matthew Radolec, senior director of incident response and cloud operations at Varonis, told SearchSecurity that most of BlackCat’s attacks come from the increasingly common ransomware as a service (RaaS) model.
“If we if we look at 2021 to today, we do have a change that was started by REvil,” Radolec said. “This concept of ransomware as a service is gaining in popularity and I think that is one of the fundamental differences. We’re talking about people that are creating a toolkit, and they are encouraging and recruiting operators almost like a SaaS company; they are offering a ransomware-as-a-service toolkit to deliver your own ransomware where they create the software for you.”
While the group has not claimed the same volume of victims as other ransomware gangs, BlackCat has been allegedly responsible for some of the most devastating ransomware attacks of the last several months.
As more groups like REvil and Lapsus$ continue to be hurt by arrests, Radolec sees greater opportunities for BlackCat and other RaaS groups.
“[The arrests] are definitely showing an increase in enforcement, but from my perspective and in our prediction, that would actually lead to more ransomware as a service, because you have this kind of degree of separation between the actual crime as it would be committed in most jurisdictions,” Radolec said. “If you look at the U.S., there’s the Computer Fraud and Abuse Act, which is what specifically outlines that running the ransomware and running the attack tools on a non-authorized environment is the crime, whereas the actual development of malware isn’t so black and white in U.S. law.”
Radolec said BlackCat operators are likely to be less known than the cybercriminals behind other notorious ransomware groups. In addition, the RaaS operation gives the operators a “sustainable model” that puts distance between them and their affiliates.
“If they keep developing and implementing a toolkit, there’s a degree of separation from them and actually carrying out the attack, with the exception of the money laundering part,” he said.
The recent ransomware attacks by BlackCat have put the group on the radar of cybersecurity analysts like Cybereason and Kaspersky Lab, which have each released a report in recent weeks analyzing the group.
Early on in both reports, the researchers identify one of the key aspects of BlackCat that makes them unique from other ransomware groups and effective in deploying their malware.
While every ransomware group varies when it comes to the type of code they use, BlackCat uses the programming language Rust, which is used by few others.
According to Cybereason, “because of Rust’s emphasis on performance, the process of encryption is very fast, and in addition, Rust is cross-platform, which makes it easier to create variants for both Windows and Linux.”
Radolec also took note of the Rust language being used by BlackCat.
“The advantage of Rust is it compiling Windows and Linux binaries,” Radolec said. “If you were building software, there’s an advantage to you doing it because more people can use it. With ransomware-as-a-service gangs, I would predict the use of more Rust, more flexible code than something like Objective C or Visual Basic, which would be pure Microsoft ecosystem.”
Another similarity in the reports on BlackCat was that both Cybereason and Kaspersky pointed out the links between BlackCat and the BlackMatter ransomware gang. The BlackMatter group said on its website in November that it would be disbanding its operations, but researchers have found connections between the two groups.
While Cybereason pointed to BlackCat’s own confirmation of its relation to BlackMatter, Kaspersky found a unique connection between the two groups and their code. During its examination of the ransomware gang, the Kaspersky team found evidence of an exfiltration malware called Fendr.
According to Kaspersky’s report, this tool, which has been slightly modified by BlackCat, has only ever been found in BlackMatter ransomware.
While Cybereason did not discuss the Fendr code, its researchers did point out a connection they found between BlackCat and another ransomware gang.
Cybereason’s Nocturnus research team found many similarities between BlackCat’s code and infrastructure and that of LockBit. The report describes how each group uses the similar code.
“The profiler variants which are linked to LockBit use almost the same code as the BlackCat launcher, except for slight variations,” the Cybereason report said. “The only difference in functionality is that they do not attempt to download anything, they only collect profiling data, with the difference being that instead of collecting the machine’s ‘Windows UUID’, the profiler checks if LockBit is already installed on the machine.”
Kurt Baumgartner, Kaspersky’s principal security researcher, told SearchSecurity that groups like BlackCat and LockBit are going to have to continue to adapt their ransomware attack and monetization strategies going forward.
“These groups have been increasingly successful at monetizing their intrusions for the past few years, while law enforcement has been chipping away at the various participants — ‘underground’ exchange forums and access brokers, malware developers and ransomware operators,” Baumgartner said. “It seems at some point, payment schemes will be redeveloped in the next couple of years.”