Skip to Content

BlackCat Ransomware Evolve

By: Author Alex Lim

Posted on Last updated:

Home > BlackCat Ransomware Evolve

Updated on 2023-01-02

The BlackCat ransomware gang (ALPHV) came up with the new tactic of creating a replica of the victim’s site and publishing stolen data on it. The cloned site is on the clear web.

BlackCat ransomware impersonates victim site to leak stolen data.

Updated on 2022-12-16

OALABS researchers have published tips and IOCs that can be used to detect threat actors that employ the Brute Ratel pen-testing framework. Read more: A Customized Command and Control Center for Red Team and Adversary Simulation

Updated on 2022-11-28: Brute Ratel

A Chinese malware researcher going by the name of Panda Zhengzheng has published a breakdown of Brute Ratel C4, a pen-testing tool that has recently been abused by various threat actors. Together with Metasploit, Cobalt Strike, Empire, and Sliver, Zhengzheng says these five red team utilities are also known as Five Tigers in the Chinese cybersecurity ecosystem. Read more: Brute Ratel C4 Badger分析实战与检测

Updated on 2022-10-28: AlphV/BlackCat

Trend Micro has a pretty good profile on the AlphV/BlackCat ransomware operation. Read more: Ransomware Spotlight: BlackCat

Updated on 2022-10-03

The BlackCat ransomware gang added NJVC, an IT firm that also works with the federal government and the U.S. Department of Defense, to its list. The name was later removed from the leak site of the threat actors. Read more: BlackCat ransomware gang claims to have hacked US defense contractor NJVC

Updated on 2022-09-29: Brute Ratel leak

Security researcher William Thomas said that cracked versions of the Brute Ratel red-team framework have been leaked and are widely shared on underground hacking forums. The leak occurred after an unknown entity uploaded the Brute Ratel tool on VirusTotal earlier this month, which eventually allowed threat actors to get hold of it and crack its installer. Brute Ratel’s author blamed security firm MDSec for the leak, but the tool was already being used in attacks since July already, in ALPHV/BlackCat ransomware attacks. In the meantime, defenders might want to get acquainted with detecting Brute Ratel beacons before it’s too late.

Read more in

Updated on 2022-09-29

A cracked version of post-exploitation toolkit Brute Ratel is being shared for free across English- and Russian-speaking hacking forums. Read more: Hackers now sharing cracked Brute Ratel post-exploitation kit online

Palo Alto Networks said it identified a suspected APT29 campaign that abused Brute Ratel, an adversary emulation framework developed by a former Crowdstrike and Mandiant security engineer. The Brute Ratel author said they took actions against the licenses abused in these attacks, which they claim were sold on the black market.

Updated on 2022-09-23: More on ExMatter

And if you didn’t like that report on ExMatter, here’s one from Stairwell instead. As Lucian Constantin points out in his CSO coverage, ExMatter might be a game changer since it allows BlackCat operators to exfiltrate files, corrupt them on the victim’s network, and then demand a ransom to return them—a process that’s much faster than encrypting and decrypting them.

Read more in

The BlackCat ransomware gang is now attacking targets with an upgraded version of its data exfiltration tool, named Exmatter, adding more stealth to its operation. Read more: BlackCat ransomware’s data exfiltration tool gets an upgrade

European Energy Company Encevo Discloses Cyberattack

Luxembourg-based energy provider Encevo has acknowledged that some of its subsidiaries were targeted in a cyberattack. Encevo says that the attackers exfiltrated data and rendered data inaccessible. Customers are advised to reset account credentials.

Note

  • Indicators point to this as the BlackCat ransomware and that they threatened to post 180,000 files (about 150GB), adding extortion to their ransomware plans. Encevo is still working to determine the scope of the attack and plan their recovery. While customers are advised to reset their credentials, I would hold off until they are certain the malware is contained/eradicated. If you happen to have used the same credentials with Encevo and ANY OTHER service, change those non-Encevo passwords immediately, enabling MFA if offered.

Read more in

AlphV evolves

The operators of the AlphV (BlackCat) ransomware have launched a dedicated section on their leak site that allows anyone to search through all the data they stole and leaked from past victims. More in this Resecurity report.

AlphV evolves

The BlackCat ransomware group becomes one of the most widely spread families

Threat actors are continually spreading the BlackCat ransomware group, raising it up the ranks of the most-used ransomware-as-a-service groups. Security researchers have seen different threat groups deploy BlackCat, sometimes after using Mimikatz as the initial infection vector and a credential dumper. Microsoft recently found that two of the most prolific ransomware groups recently switched away from other families like Conti in favor of BlackCat. BlackCat’s been spotted being deployed in regions across the globe, including Africa, North America, South America, Asia and Europe. Microsoft also warned that attackers most often target unpatched Microsoft Exchange Server instances with widely known vulnerabilities. Read more: PROLIFIC RANSOMWARE AFFILIATE GROUPS DEPLOY BLACKCAT By Lindsey O’Donnell-Welch

BlackCat ransomware

Microsoft has published a report on the recent operations of the BlackCat/ALPHV ransomware-as-a-service (RaaS) operation. Microsoft said BlackCat’s for-rent ransomware had been adopted by several of the major underground cybercrime gangs such as DEV-0237 (aka FIN12) and DEV-0504 (a prolific ransomware affiliate on many other RaaS programs).

Also, BlackCat

In addition, there is a new report that the BlackCat group is now using clear web websites using domains personalized to fit their victims as a way to threaten and leak data from some of their targets.

FBI: Black Cat Ransomware IoCs

The FBI has published a TLP: White Flash alert that includes indicators of compromise (IoCs) for Black Cat, also known as ALPHV, ransomware-as-a-service. Black Cat is the first known ransomware to be written in Rust. The ransomware’s operators appear to be focusing on industrial organizations. In addition to the IoCs, the Flash alert includes technical details and recommended mitigations. In addition, “the FBI is seeking any information that can be shared, to include IP logs showing callbacks from foreign IP addresses, Bitcoin or Monero addresses and transaction IDs, communications with the threat actors, the decryptor file, and/or a benign sample of an encrypted file.”

Note

  • The FBI wants to hear from you if you’re seeing this activity. Make sure that you know your local FBI office and who to contact with. Build that relationship now before you need their help.
  • Early detection is essential if the IoCs are to be useful. Given hours, the compromise ransomware will announce itself.

Read more in

Oil Companies Impacted by Cyberattack

Seaports in Germany, Belgium, and the Netherlands have reported IT disruptions following what appears to be a cyberattack. Authorities are investigating the incident, which affects SEA-Tank, Oiltanking, and Evos terminals. Germany’s Federal Office for Information Security (BSI) says the BlackCat ransomware group may be responsible for the attack.

Note

  • I am reminded that one of the root causes for the Colonial Pipeline breach was a VPN user reverting to a discoverable non-unique password. Is your scenario when your MFA tokens are lost/stolen/broken subject to similar risks? The actions taken by the German companies include invoking the “force majeure” clause in their contracts to free them from liabilities arising from the interruptions of services to customers. This is because with the level of automation involved, manual operation is not practical except on a very limited scale. Consider the scale of operations in a similar attack on your business and verify you have sufficient contract language or other agreements with your customers to manage side-effects of radically impacted service delivery.
  • Analysts are claiming BlackCat is a rebrand of BlackMatter which was a rebrand of DarkSide (that ransomed and extorted Colonial Pipeline). Attribution matters and I am looking forward to more details on these attacks.

Read more in

Alex Lim is a certified IT Technical Support Architect with over 15 years of experience in designing, implementing, and troubleshooting complex IT systems and networks. He has worked for leading IT companies, such as Microsoft, IBM, and Cisco, providing technical support and solutions to clients across various industries and sectors. Alex has a bachelor’s degree in computer science from the National University of Singapore and a master’s degree in information security from the Massachusetts Institute of Technology. He is also the author of several best-selling books on IT technical support, such as The IT Technical Support Handbook and Troubleshooting IT Systems and Networks. Alex lives in Bandar, Johore, Malaysia with his wife and two chilrdren. You can reach him at [email protected] or follow him on Website | Twitter | Facebook

    Ads Blocker Image Powered by Code Help Pro

    Your Support Matters...

    We run an independent site that is committed to delivering valuable content, but it comes with its challenges. Many of our readers use ad blockers, causing our advertising revenue to decline. Unlike some websites, we have not implemented paywalls to restrict access. Your support can make a significant difference. If you find this website useful and choose to support us, it would greatly secure our future. We appreciate your help. If you are currently using an ad blocker, please consider disabling it for our site. Thank you for your understanding and support.