Aggressive BlackCat Ransomware on the Rise

The cybercriminals behind the malware claim to have compromised more than a dozen companies; they have aggressively outed victims and purportedly paid a significant share of ransoms back to affiliates.

4 Min Read
Chart showing number of victims
The number of victims listed on leak blogs in December 2021.Source: Palo Alto Networks

BlackCat, the latest ransomware threat touted on underground forums, has quickly made inroads into the ransomware-as-a-service cybercriminal marketplace by offering 80% to 90% of ransoms to "affiliates" and aggressively outing victims on a name-and-shame blog.

In less than a month, the BlackCat group has purportedly compromised more than a dozen victims, named those victims on its blog, and broken into the top 10 threats as measured by victim count, according to recent analysis of the malware by researchers at Palo Alto Networks. The ransomware program seems well-designed and is written in Rust, an efficient programming language that has gained popularity over the past decade. 

Currently, five victims are in the United States, two in Germany, and one each in France, Netherlands, the Philippines, and Spain, with the final victim's location unknown.

The ransomware platform makes extensive use of configuration files to allow the operator to customize the attack to certain victims, determine what processes to shut down, and even use a customized list of credentials to move laterally within a company, says Doel Santos, a threat intelligence analyst with Palo Alto Networks' Unit 42 team.

"BlackCat ransomware includes numerous features that could be leveraged by the operator when executing the ransomware," he says. "All of these configurations can be customized by the threat actor to their liking making it highly customizable."

This is the latest example of how ransomware groups are adapting to companies' better defenses and law enforcement agencies' collaborative efforts to investigate and prosecute ransomware gangs. In September 2021, researchers from Trend Micro noted that ransomware groups had moved from so-called "double extortion" to adopt multiple extortion methods, including encrypting data, stealing data, using distributed denial-of-service (DDoS) attacks, and naming-and-shaming victims.

BlackCat—also known as ALPHV—adopts all of these techniques, researchers from Palo Alto Networks said in its analysis.

"In some cases, BlackCat operators use the chat to threaten the victim, claiming they will perform a DDoS attack on the victims' infrastructure if the ransom is not paid," the analysis stated. "When it appears in addition to the use of a leak site, this practice is known as triple extortion, a tactic that was observed being used by groups like Avaddon and Suncrypt in the past."

Coded in Rust

The software is written by one or more Russian developers using the Rust programming language, likely the first time a ransomware group has adopted the up-and-coming coding language. The efficiency of Rust's compiled code allows the malware to extensively use encryption and encode a large number of features while requiring little overhead, the analysis stated.

While BlackCat is the first ransomware encountered by Palo Alto Networks that uses Rust, other malware — such as the first-stage downloader, RustyBuer — was also developed last year using the programming language, the company said.

"Rust has been around for some time, [and is] not as popular as other programming languages, but it's gaining notoriety because it is fast and memory-efficient — two things that may be of interest to ransomware operators," Santos says.

The use of Rust allows the malware to run on both Windows and Linux systems and allows the developers to create individualized campaigns, Palo Alto Networks stated in its analysis.

Among other techniques, BlackCat also uses an access token to limit who can see the ongoing negotiation with the victim. Only participants with the access token can log on to the chat and hub for paying ransoms, an attempt to avoid third-party snooping, Santos says.

"Traditional ransomware samples are usually preconfigured and include links that get leaked and allows external entities access to negotiations and additional details that are meant to be seen only by the victim," he says.

Early Payment Discounts
The BlackCat group has requested ransom payments of as much as $14 million, with discounts for victims that pay before the deadline.

While BlackCat has taken off since November, the two largest ransomware groups, as measured by the number of monthly victims, continue to be Lockbit 2.0 and Conti.

The 2-year-old Conti ransomware continues to be successful, with the US Cybersecurity and Infrastructure Security Agency (CISA) warning in September of an increase in attacks using Conti. Security researchers warned in August that a rewritten version of the Lockbit ransomware program, dubbed Lockbit 2.0, had been released. The Lockbit group focused on an aggressive recruitment drive to gain affiliates to spread their malware, a strategy that BlackCat has obviously copied. The Lockbit group's leak site listed 50 victims in December 2021, while Conti has compromised 37 victims, according to Palo Alto Networks.

About the Author(s)

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights