
FortiGuard Labs is aware of a spate of recent BlackCat ransomware attacks targeting numerous entities in the past few weeks. This threat signal, along with our previous Threat Signals [1,2] on BlackCat, is intended to provide some perspective on this group and its Ransomware-as-a-Service model, along with its known tactics, techniques and procedures (TTPs), as well as the protections available from FortiGuard Labs for known samples.

What is BlackCat?

BlackCat, also known as AlphaV, is one of the more popular ransomware variants of 2023, second only to LockBit, which holds the top spot. It is a ransomware-as-a-service (RaaS) operation that targets both Windows and Linux platforms. BlackCat is believed to be a rehash of DarkMatter, which attacked Colonial Pipeline in 2021 in a highly publicized attack. Besides encrypting files for ransom, the group exfiltrates data and uses blackmail techniques, including the disclosure of sensitive and personally identifiable information (PII), to create additional pressure on the victim to pay. On top of the damage already done by an affiliate, BlackCat affiliates have been observed using triple extortion tactics. Triple extortion differs from double extortion in that it adds another component of stress beyond the typical encryption of files and threats to publish stolen data on the Internet: the affiliates pressure victims with further techniques (such as, but not limited to, DDoS attacks and contacting the victim's business associates) to push for payment.

What Sectors Are Targeted?

From our FortiRecon service, we can see that Manufacturing (8%) tops the list of BlackCat/AlphaV targets, followed closely by Business Services (7%) in second place and Law Firms & Legal Services (5%) in third.

What Countries Are Being Targeted?

From our FortiRecon service, we can see that the United States (37%) tops the list of BlackCat/AlphaV targets, followed at a distance by Canada (7%) in second place and Australia (3%) in third. The United States, Canada and Australia topping the list is unsurprising, given that reports from other cybersecurity vendors have shown the same targeted regions.

What Language is BlackCat Written in?

Rust.

When did BlackCat First Appear?

It was first seen in November 2021.

Why is BlackCat Successful?

It has a high payout and a customizable set of features for its affiliates. It uses a "wall of shame" website to blackmail victims and promote its attacks. BlackCat is also popular because various reports have stated that the group pays affiliates at least 80-90 percent of the profits of the ransomware payout.

What is the RaaS Model?

The Ransomware-as-a-Service (RaaS) model consists of the ransomware developer and the affiliate. Affiliates are typically recruited, and are typically hired professionals in the cybercrime space. They are recruited to perform the various steps needed to compromise and gain access to a targeted network and ultimately deploy the ransomware. They work with the ransomware developer to secure payment (the developer provides the decryption key once payment is made), and the affiliate ultimately receives a significant portion of the ransom (anywhere from 70-90 percent). This is a symbiotic relationship: the affiliate may not be proficient in development, while the ransomware developer may lack the knowledge of brute forcing, pen testing, exploitation of vulnerabilities, lateral movement, etc. that the affiliate brings. Another key factor in this relationship is that the developer can focus on improving the ransomware while the hired affiliate does the hard, dirty work. We have seen this with GandCrab in the past, where various improvements and evasions of AV and other security products were implemented in successive releases.
RaaS services have all the attributes of a well-run enterprise that rivals many organizations, though obviously an illegal one.

Any Suggested Mitigation?

To ensure the security of your organization and prevent unauthorized access by a threat actor, FortiGuard Labs recommends several best practices. Start by regularly reviewing domain controllers, servers, workstations and Active Directory for new accounts. Back up all data frequently and keep backup copies offline. Check Task Scheduler for unrecognized tasks and random processes, and check all logs for unexpected shutdowns. Implement network segmentation and define the steps of a recovery plan if one is not already available. Install updates and patches as soon as they become available. Use multifactor authentication and change passwords regularly. Disable unused remote access ports and monitor logs for potentially malicious activity. Audit user accounts on a routine, frequent basis, and in particular audit user accounts with administrative privileges. Finally, keep all antivirus and anti-malware software updated in a timely manner.

What is the Status of Coverage?

The FortiGuard Labs FortiEDR solution has a comprehensive knowledge base article that highlights detection and mitigation coverage for BlackCat/AlphaV along with its post-execution behavior.
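The log review that the mitigation list asks for (new accounts, accounts given administrative privileges, unrecognized scheduled tasks, unexpected shutdowns) can be scripted as a first triage pass over exported Windows events. The following is an added example written for this page, not FortiGuard Labs code: the event records are constructed samples shaped like Windows Security/System log events, the approved-account and approved-task lists are assumed inputs from change management, and the event IDs used are the standard Windows ones for those events.

```python
"""
Added example (not FortiGuard Labs code): a triage pass over Windows event records
for the items the mitigation list says to review: new accounts, accounts added to the
local Administrators group, unrecognized scheduled tasks and unexpected shutdowns.
The records below are constructed samples shaped like Security/System log events.
"""
from typing import Dict, List, Tuple

# Standard Windows event IDs: 4720 user account created, 4732 member added to a
# security-enabled local group, 4698 scheduled task created (Security log);
# 6008 previous shutdown was unexpected (System log).
ACCOUNT_CREATED, ADMIN_GROUP_ADD, TASK_CREATED, UNEXPECTED_SHUTDOWN = 4720, 4732, 4698, 6008
ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of the local Administrators group

Finding = Tuple[str, str, str]  # (category, computer, subject)

# Constructed sample events (hostnames and account names are made up for this example).
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 4720, "Computer": "DC01", "TargetUserName": "svc_sync2", "SubjectUserName": "jdoe"},
    {"EventID": 4732, "Computer": "DC01", "TargetSid": "S-1-5-32-544",
     "MemberName": "CORP\\svc_sync2", "SubjectUserName": "jdoe"},
    {"EventID": 4698, "Computer": "WS-042", "TaskName": "\\Updater_6f2a", "SubjectUserName": "svc_sync2"},
    {"EventID": 4698, "Computer": "WS-042",
     "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "SubjectUserName": "SYSTEM"},
    {"EventID": 6008, "Computer": "FS01"},
    {"EventID": 4624, "Computer": "WS-042", "TargetUserName": "jdoe"},  # routine logon, not reviewed here
]


def triage(events, approved_accounts, approved_tasks) -> List[Finding]:
    """Flag events that the review checklist would want a human to look at.

    approved_accounts / approved_tasks are assumed inputs from change management;
    anything created outside them is reported.
    """
    findings: List[Finding] = []
    for e in events:
        eid = e["EventID"]
        computer = str(e["Computer"])
        if eid == ACCOUNT_CREATED and e["TargetUserName"] not in approved_accounts:
            findings.append(("new-account", computer, str(e["TargetUserName"])))
        elif eid == ADMIN_GROUP_ADD and e.get("TargetSid") == ADMINISTRATORS_SID:
            findings.append(("admin-group-add", computer, str(e["MemberName"])))
        elif eid == TASK_CREATED and e["TaskName"] not in approved_tasks:
            findings.append(("unrecognized-task", computer, str(e["TaskName"])))
        elif eid == UNEXPECTED_SHUTDOWN:
            findings.append(("unexpected-shutdown", computer, ""))
    return findings


def newly_created_admins(events) -> List[str]:
    """Accounts that were created and then added to Administrators within the same batch,
    a combination that deserves an immediate look during a ransomware investigation."""
    created = {str(e["TargetUserName"]).lower() for e in events if e["EventID"] == ACCOUNT_CREATED}
    admins = []
    for e in events:
        if e["EventID"] == ADMIN_GROUP_ADD and e.get("TargetSid") == ADMINISTRATORS_SID:
            member = str(e["MemberName"]).split("\\")[-1]  # drop the DOMAIN\ prefix
            if member.lower() in created:
                admins.append(member)
    return sorted(admins)


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS, set(), {"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"}):
        print(finding)
    print("created-and-promoted:", newly_created_admins(SAMPLE_EVENTS))
```

In practice the events would come from an exported EVTX or a SIEM query rather than an inline list; the point of the approved lists is that every account or scheduled task the review does not already know about is surfaced, which is exactly what "review for new accounts" and "check Task Scheduler for unrecognized tasks" mean operationally.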
Please refer to Threat Coverage: How FortiEDR protects against BlackCat (ALPHV) ransomware for further details.

FortiGuard Labs has the following (AV) signatures in place for associated BlackCat ransomware samples:

ELF/Encoder.46B8!tr.ransom
ELF/Encoder.5BD0!tr.ransom
Linux/Filecoder_BlackCat.A!tr
Linux/Filecoder_BlackCat.G!tr
Linux/Filecoder_BlackCat.K!tr
PossibleThreat
PowerShell/Agent.GU!tr
W32/Agent.1164!tr
W32/BlackCat.26B0!tr
W32/BlackCat.A!tr.ransom
W32/BlackCat.BF43!tr.ransom
W32/Expiro.NDG
W32/Filecoder.5F85!tr.ransom
W32/Filecoder.A!tr.ransom
W32/Filecoder.OMZ!tr.ransom
W32/Filecoder_BlackCat.A!tr.ransom
W32/GenericKD.47303031!tr
W32/GenKryptik.CNLN!tr
W32/Nitol.AB!tr
W32/PossibleThreat
W32/Ransom.BLACKCAT!tr
W64/Filecoder.GG!tr

MITRE ATT&CK

TA0002 – Execution

| Technique ID | Technique Description | Observed Activity |
| --- | --- | --- |
| T1059.001 | Command and Scripting Interpreter: cmd.exe | BlackCat ransomware uses cmd.exe commands to delete the volume shadow copies. |
| T1047 | Windows Management Instrumentation | BlackCat ransomware uses the command "wmic.exe Shadowcopy Delete" to access the WMI service to identify and delete volume shadow copies. |

TA0007 – Discovery

| Technique ID | Technique Description | Observed Activity |
| --- | --- | --- |
| T1083 | File and Directory Discovery | BlackCat ransomware searches directories and the files inside them for encryption. |
| T1018 | Remote System Discovery | BlackCat ransomware searches for network IP addresses by checking ARP table entries. |

TA0008 – Lateral Movement

| Technique ID | Technique Description | Observed Activity |
| --- | --- | --- |
| T1210 | Exploitation of Remote Services | BlackCat ransomware tries to connect to other endpoints, identified by scraping ARP table entries on compromised endpoints, through NetBIOS services on port 137. |

TA0005 – Defense Evasion

| Technique ID | Technique Description | Observed Activity |
| --- | --- | --- |
| T1112 | Modify Registry | BlackCat ransomware modifies registry values under "Control Panel\Desktop" to display ransom notes after reboot. |
| T1562.001 | Impair Defenses: Disable or Modify Tools | BlackCat ransomware terminates processes on affected endpoints before starting the encryption process. The processes/services killed by the malware are listed below. |

Here is the list of processes/services killed by the malware: "mepocs", "memtas", "veeam", "svc$", "backup", "sql", "vss", "msexchange", "sql$", "mysql", "mysql$", "sophos", "MSExchange", "MSExchange$", "WSBExchange", "PDVFSService", "BackupExecVSSProvider", "BackupExecAgentAccelerator", "BackupExecAgentBrowser", "BackupExecDiveciMediaService", "BackupExecJobEngine", "BackupExecManagementService", "BackupExecRPCService", "GxBlr", "GxVss", "GxClMgrS", "GxCVD", "GxCIMgr", "GXMMM", "GxVssHWProv", "GxFWD", "SAPService", "SAP", "SAP$", "SAPD$", "SAPHostControl", "SAPHostExec", "QBCFMonitorService", "QBDBMgrN", "QBIDPService", "AcronisAgent", "VeeamNFSSvc", "VeeamDeploymentService", "VeeamTransportSvc", "MVArmor", "MVarmor64", "VSNAPVSS", "AcrSch2Svc"

TA0040 – Impact

| Technique ID | Technique Description | Observed Activity |
| --- | --- | --- |
| T1486 | Data Encrypted for Impact | BlackCat ransomware encrypts files on the infected system. |
| T1490 | Inhibit System Recovery | BlackCat ransomware tries to delete the shadow copies by executing the "wmic.exe Shadowcopy Delete" command and the vssadmin command through cmd.exe. |
| T1489 | Service Stop | BlackCat ransomware disables services so that the encryption process can more effectively encrypt key files on affected endpoints. The processes/services killed by the malware are the same list given under T1562.001 above. |
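The observed activity in the ATT&CK tables (shadow copy deletion through WMI and vssadmin, stopping the listed backup and security services, and modifying the Control Panel\Desktop registry key) maps directly onto process-creation telemetry. The following is an added example written for this page, not FortiGuard Labs or FortiEDR code: it runs simple detection rules over constructed process-creation records shaped like Sysmon Event ID 1 fields after SIEM parsing. The parent-process path and the sample command lines are made up for the example; the service names are the ones the page lists.

```python
"""
Added example (not FortiGuard Labs code): detection logic for the observed
BlackCat activity tabulated above, run over constructed process-creation records.
The records mimic Sysmon Event ID 1 fields after SIEM parsing; they are samples
written for this example, not events from a real incident.
"""
import re
from typing import Dict, List, Set, Tuple

# Service/process names the page lists as terminated before encryption (T1489 / T1562.001).
KILL_LIST = {n.lower() for n in (
    "mepocs", "memtas", "veeam", "svc$", "backup", "sql", "vss", "msexchange", "sql$",
    "mysql", "mysql$", "sophos", "MSExchange$", "WSBExchange", "PDVFSService",
    "BackupExecVSSProvider", "BackupExecAgentAccelerator", "BackupExecAgentBrowser",
    "BackupExecDiveciMediaService", "BackupExecJobEngine", "BackupExecManagementService",
    "BackupExecRPCService", "GxBlr", "GxVss", "GxClMgrS", "GxCVD", "GxCIMgr", "GXMMM",
    "GxVssHWProv", "GxFWD", "SAPService", "SAP", "SAP$", "SAPD$", "SAPHostControl",
    "SAPHostExec", "QBCFMonitorService", "QBDBMgrN", "QBIDPService", "AcronisAgent",
    "VeeamNFSSvc", "VeeamDeploymentService", "VeeamTransportSvc", "MVArmor", "MVarmor64",
    "VSNAPVSS", "AcrSch2Svc",
)}

# Shadow-copy deletion via WMI (T1047) or via vssadmin launched from cmd.exe (T1059.001); both are T1490.
WMIC_SHADOW = re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)
VSSADMIN_SHADOW = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)
# Service/process stop: "net stop X", "sc stop X" or "taskkill ... /IM X"; the stopped name is captured.
SERVICE_STOP = re.compile(
    r'\b(?:net(?:\.exe)?\s+stop|sc(?:\.exe)?\s+stop|taskkill(?:\.exe)?\s+.*?/im)\s+"?([^\s"]+)', re.I)
# Registry change under Control Panel\Desktop (T1112), the key the page says is modified for the ransom note.
REG_DESKTOP = re.compile(r"\breg(?:\.exe)?\s+add\b.*control panel\\desktop", re.I)

# Constructed sample records; "C:\Users\Public\enc.exe" is a made-up parent process name.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"Image": "C:\\Windows\\System32\\vssadmin.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "ParentImage": "C:\\Users\\Public\\enc.exe",
     "CommandLine": "wmic.exe Shadowcopy Delete"},
    {"Image": "C:\\Windows\\System32\\net.exe", "ParentImage": "C:\\Users\\Public\\enc.exe",
     "CommandLine": "net stop VeeamTransportSvc"},
    {"Image": "C:\\Windows\\System32\\sc.exe", "ParentImage": "C:\\Users\\Public\\enc.exe",
     "CommandLine": "sc stop AcronisAgent"},
    {"Image": "C:\\Windows\\System32\\taskkill.exe", "ParentImage": "C:\\Users\\Public\\enc.exe",
     "CommandLine": "taskkill /F /IM sophos.exe"},
    {"Image": "C:\\Windows\\System32\\reg.exe", "ParentImage": "C:\\Users\\Public\\enc.exe",
     "CommandLine": 'reg add "HKCU\\Control Panel\\Desktop" /v Wallpaper /t REG_SZ /d C:\\note.bmp /f'},
    {"Image": "C:\\Windows\\System32\\net.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "net stop Spooler"},            # benign: not a service on the page's list
    {"Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "notepad.exe C:\\readme.txt"},  # benign
]


def classify(record: Dict[str, str]) -> List[str]:
    """Return the sorted ATT&CK technique IDs from the tables above that this record matches."""
    cmd = record.get("CommandLine", "")
    parent = record.get("ParentImage", "").lower()
    hits: Set[str] = set()
    if WMIC_SHADOW.search(cmd):
        hits.update({"T1047", "T1490"})
    if VSSADMIN_SHADOW.search(cmd):
        hits.add("T1490")
        if parent.endswith("\\cmd.exe"):  # the page ties the vssadmin path to cmd.exe
            hits.add("T1059.001")
    m = SERVICE_STOP.search(cmd)
    if m:
        name = m.group(1).lower()
        if name.endswith(".exe"):
            name = name[:-4]
        if name in KILL_LIST:
            hits.add("T1489")
    if REG_DESKTOP.search(cmd):
        hits.add("T1112")
    return sorted(hits)


def scan(records: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Index and technique IDs of every record that matched at least one rule."""
    return [(i, hits) for i, r in enumerate(records) if (hits := classify(r))]


if __name__ == "__main__":
    for index, techniques in scan(SAMPLE_RECORDS):
        print(index, techniques, SAMPLE_RECORDS[index]["CommandLine"])
```

The service-stop rule matches the stopped name exactly against the page's list, so "net stop Spooler" is not flagged; a single hit on any one of these rules is already a high-priority alert, and two or more from the same parent process within a short window (shadow copy deletion followed by backup-service stops, as the tables describe) is the pattern an analyst should treat as ransomware staging in progress.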