BlackCat's latest ransomware version, called Sphynx, relies on updated capabilities for evading detection and analysis.
Since its debut in 2021, BlackCat has emerged as a top ransomware family, with affiliates using the ransomware to target organizations in the healthcare, government, education, manufacturing and hospitality sectors. Though the Sphynx version has been observed by researchers for a number of months now, researchers with IBM’s X-Force security team on Tuesday released a detailed analysis of the variant and said that Sphynx is one of the many ways that BlackCat attackers are improving their tools and operations.
“X-Force observed and analyzed a new version of BlackCat being deployed dubbed Sphynx,” said researchers with IBM X-Force in a Tuesday analysis. “This version was first announced in February 2023 and introduced a number of updated capabilities that strengthen the group’s efforts to evade detection.”
Unlike previous BlackCat ransomware variants, Sphynx developers have reworked the ransomware family’s command line arguments to include a more complex set of arguments and cut out the access-token parameter (used for executions) that previous variants relied on. Researchers said that this shakeup thwarts defenders that now do not have standard commands that they can use to sniff out the ransomware. The new variant’s configuration data is also made up of raw structures that include junk code and encrypted strings (rather than being JSON formatted), which makes analysis more difficult.
“An announcement by the BlackCat group suggests the motives for updating the ransomware, indicating that BlackCat ransomware ‘has been completely rewritten from scratch’ and that ‘The main priority of this update was to optimize detection by AV/EDR,’” said researchers.
Sphynx comes with an obfuscated loader that once executed decrypts thousands of strings and the payload. The ransomware variant conducts network discovery activities to search for additional systems, gets a list of and deletes shadow copies (using the WMI COM Object functions), encrypts files with AES or ChaCha20 ciphers and creates a ransom note, among other capabilities.
“Ransomware groups like BlackCat that are able to shift their tooling and tradecraft to make their operations faster and stealthier have a better chance of extending their lifespan."
Over the last six months, multiple intrusions by BlackCat affiliates showed continuous improvement of their tooling overall, said researchers. For one, researchers have seen a BlackCat ransomware affiliate known as DEV-0504 using a known custom tool called ExMatter, which allows attackers to automate the process of data exfiltration before deploying ransomware. This stolen data is used in double extortion attacks, where ransomware affiliates leak stolen data on their official leak site in addition to deploying ransomware, in an attempt to put additional pressure on the victims.
Additionally, BlackCat affiliates are continuing to abuse Microsoft’s Group Policy Objects, a collection of settings defining how a system will behave for a group of users. Attackers have been abusing this feature to deploy tools and impede security measures, said researchers.
“Attackers displaying a nuanced understanding of Microsoft Entra ID can abuse GPOs to great effect for swift mass malware deployment,” said researchers. “For example, threat actors may attempt to increase the speed of their operations by changing default Group Policy refresh times, likely to shorten the window of time between changes taking effect and defenders being able to respond.”
Researchers recommend that enterprises thoroughly monitor every administrative interface and use proper access controls to prevent the abuse of Group Policy Objects by attackers. Organizations should also use an allow list that will alert them when any anomalies are detected. This would block off the execution of malicious software and bar the use of ExMatter.
Previously, BlackCat attackers have added a number of tactics to speed up the encryption process and evade detection. These latest updates continue to make BlackCat a threat to businesses, and researchers said the group “shows no signs of winding down.”
“Ransomware groups like BlackCat that are able to shift their tooling and tradecraft to make their operations faster and stealthier have a better chance of extending their lifespan,” said researchers. “X-Force has observed BlackCat affiliates continue to hone their operations in order to increase the likelihood of successful impact, namely data theft and encryption.”