The FBI is warning U.S. organizations of the BlackCat ransomware-as-a-service, which it said has compromised at least 60 entities globally as of March. BlackCat (also known as ALPHV) first appeared in late November and has since then been attacking targets in multiple countries, including the U.S., Australia and India.
In a Wednesday Flash Alert, the FBI said it is seeking any further information on the ransomware, including IP logs showing callbacks from foreign IP addresses, Bitcoin or Monero addresses and transaction IDs, communications with the threat actors, decryptor files or benign samples of encrypted files. The FBI said that BlackCat is the first ransomware group to successfully infect dozens of targets using Rust, which is a popular programming language that is considered to be more secure. The agency also pointed to a connection between BlackCat and the BlackMatter (a potential partial reincarnation of the DarkSide group) ransomware groups, which researchers have previously noted.
“BlackCat-affiliated threat actors typically request ransom payments of several million dollars in Bitcoin and Monero but have accepted ransom payments below the initial ransom demand amount,” according to the FBI in the Flash Alert. “Many of the developers and money launderers for BlackCat/ALPHV are linked to Darkside/Blackmatter, indicating they have extensive networks and experience with ransomware operations.”
Beyond this, BlackCat has many common ransomware tendencies, including leveraging previously compromised user credentials for initial access, compromising Microsoft Entra ID accounts upon access to the environment and deploying PowerShell scripts and Cobalt Strike as part of its attacks. The ransomware also leverages legitimate Windows administrative tools and Microsoft Sysinternals tools, as well as scripts like start.bat to launch the ransomware executable, est.bat to copy the ransomware to other locations and run.bar to execute a callout command to an external server using SSH.
According to researchers with Emsisoft, BlackCat “is one of a handful of ransomware groups” that also threatens to launch distributed denial-of-service (DDoS) attacks against victims that do not pay a ransom.
“The group frames DDoS as an exclusive feature of sorts, available only to affiliates who have generated more than $1.5 million in ransom payments,” said researchers with Emsisoft in a February analysis.
Researchers with SentinelLabs in a previous analysis of the ransomware said that BlackCat has “carved a notable place” amongst mid-tier ransomware actors, with its authors heavily marketing their services in well-known underground forums. BlackCat also joins a small - but growing - sliver of the malware landscape that leverages the Rust cross-platform language, said researchers.
“This group knows their craft and are cautious when selecting partners or affiliates,” said researchers with SentinelLabs in an analysis. “It is possible that some of the increased affiliation and activity around BlackCat is attributed to other actors migrating to BlackCat as larger platforms fizzle out (Ryuk, Conti, LockBit and REvil).”
Organizations can protect themselves by reviewing domain controllers and active directories for new or unrecognized user accounts, regularly backing up their data, reviewing the Task Scheduler for unrecognized tasks or implementing network segmentation.