ALPHV BlackCat, a New Ransomware
The Ransomware Operation Comes with a Highly Customizable Feature Set that Allows Attackers to Target a Wide Range of Corporate Environments.
The new ransomware operation, which debuted last month, has the potential to be the most sophisticated ransomware of the year, with a highly adjustable feature set that allows for attacks on a wide range of corporate setups.
The ransomware executable is written in Rust, a programming language that, while not often used by malware creators, is gaining popularity because of its high efficiency and memory safety.
The new ransomware, named ALPHV, was discovered by the researchers at MalwareHunterTeam, who found it being promoted on Russian-speaking hacking forums.
There is a very interesting new Rust coded ransomware (first ITW?), BlackCat.
Another one used to encrypt companies’ networks.
Already seen some victims from different countries, from the second half of past November.
Also look at that UI. Back to ’80s?
😂@demonslay335 @VK_Intel pic.twitter.com/YttzWWUD3c
— MalwareHunterTeam (@malwrhunterteam) December 8, 2021
Ransomware-as-a-Service is an illicit ‘parent-affiliate(s)’ business infrastructure, in which operators (i.e., malicious software owner and/or developer) provision tools to affiliates (i.e., customers) for the purpose of carrying out ransomware attacks.
ALPHV BlackCat Ransomware Features
The ALPHV BlackCat malware has a number of innovative characteristics that distinguish it from other ransomware operations.
The ransomware is completely command-line driven, human-operated, and highly configurable, with the ability to employ various encryption techniques, propagate across systems, terminate virtual machines (including ESXi VMs), and automatically erase ESXi snapshots to prevent recovery.
Each ALPHV ransomware executable contains a JSON configuration file that enables customization of the file extension, the ransom notes, how data will be encrypted, the folders/files/extensions excluded from encryption, and the services and processes that will be automatically terminated.
According to the threat actor’s “recruitment” post on a dark web hacker site, the ransomware may be modified to employ four distinct encryption mechanisms.
ALPHV BlackCat may also be configured to use stolen domain credentials to distribute the ransomware and encrypt additional network devices. The executable will then extract PsExec to the %Temp% folder and utilize it to transfer the ransomware to additional network devices before executing it to encrypt the remote Windows PC.
When starting the ransomware, the affiliate can utilize a console-based user interface to track the attack’s progress. ALPHV BlackCat also employs the Windows Restart Manager API to terminate processes or shut down Windows services that are holding a file open, so that the file can be encrypted.
When encrypting a device, the ransomware appends a random extension to all encrypted files and references that extension in the ransom message. The ransom messages are pre-configured by the affiliate carrying out the operation and are unique to each victim. Some ransom notes include information about the categories of data stolen as well as a link to a Tor data leak site where victims may examine stolen material.
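As an added illustration of how a defender might detect the lateral-movement step described above (example code written for this page, not from the original article or any vendor product), the following correlates a PsExec binary written under a Temp directory with its execution against a remote host shortly afterwards. The sample events and their field names are constructed in a simplified Sysmon-like form and are not real telemetry.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (simplified Sysmon-like records, not real logs).
# "eid" follows Sysmon numbering: 11 = FileCreate, 1 = ProcessCreate.
SAMPLE_EVENTS = [
    {"ts": "2021-12-08T10:00:01", "eid": 11, "host": "WS01",
     "target": r"C:\Users\svc_backup\AppData\Local\Temp\psexec.exe"},
    {"ts": "2021-12-08T10:00:09", "eid": 1, "host": "WS01",
     "image": r"C:\Users\svc_backup\AppData\Local\Temp\psexec.exe",
     "cmdline": r"psexec.exe \\FS02 -s C:\Windows\Temp\update.exe"},
    # Administrator running PsExec from a tools directory: not a drop to Temp.
    {"ts": "2021-12-08T11:30:00", "eid": 11, "host": "ADM01",
     "target": r"C:\Tools\PsExec.exe"},
    {"ts": "2021-12-08T11:30:05", "eid": 1, "host": "ADM01",
     "image": r"C:\Tools\PsExec.exe", "cmdline": r"PsExec.exe \\FS02 ipconfig"},
]

TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)              # any ...\Temp\... path
PSEXEC_RE = re.compile(r"\\(psexec(64)?|psexesvc)\.exe$", re.IGNORECASE)
REMOTE_RE = re.compile(r"\\\\[\w.-]+")                          # \\HOST argument


def detect_psexec_from_temp(events, window=timedelta(minutes=10)):
    """Return one alert per PsExec binary that was written under a Temp
    directory and then executed against a remote host within `window`."""
    dropped = {}   # (host, lowercased path) -> time the binary was written
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        when = datetime.fromisoformat(e["ts"])
        if e["eid"] == 11:
            path = e["target"]
            if TEMP_RE.search(path) and PSEXEC_RE.search(path):
                dropped[(e["host"], path.lower())] = when
        elif e["eid"] == 1:
            t0 = dropped.get((e["host"], e["image"].lower()))
            remote = REMOTE_RE.search(e.get("cmdline", ""))
            if t0 is not None and remote and when - t0 <= window:
                alerts.append({
                    "host": e["host"],
                    "image": e["image"],
                    "remote": remote.group(0).lstrip("\\"),
                    "seconds_after_drop": int((when - t0).total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_psexec_from_temp(SAMPLE_EVENTS):
        print(alert)
```

The same correlation can be extended to the PSEXESVC service binary appearing on the remote host, which is the artifact PsExec leaves on each target it reaches.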
Each victim also has a distinct Tor site and, in some cases, a distinct data leak site, allowing the affiliate to conduct their own negotiations. Finally, BlackCat promises to be cross-platform, supporting a variety of operating systems.
How Can Heimdal™ Help?
In the fight against ransomware, Heimdal™ Security is offering its customers an outstanding integrated cybersecurity suite including the Ransomware Encryption Protection module, which is universally compatible with any antivirus solution and is 100% signature-free, ensuring superior detection and remediation of any type of ransomware, whether fileless or file-based (including the most recent ones, like LockFile).