FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
mrobson
Staff
Article Id 207989

Introduction

BlackCat (aka ALPHV, AlphaVM) is a newly established RaaS (Ransomware as a Service) operation with payloads written in Rust. Because of Rust, BlackCat ransomware is cross-platform and achieves faster encryption speeds than some other ransomware. In an online interview[1] earlier this year, an actor working with ALPHV stated that the team consists of previous affiliates of BlackMatter/DarkSide, gandrevil (GandCrab/REvil) and mazegreggor (Maze/Egregor). BlackCat ransomware also has a victim-shaming Tor site, http[:]//alphvmmm27o3abo3r2mlmjrpdmzle3rykajqc5xsj7j7ejksbpsa36ad[.]onion, which has more than 60 victims published at the time of writing. Victims are currently mostly distributed across Europe and the US. What is unique about BlackCat is that, in addition to the extortion and ransomware aspects of its attacks, victims that fail to pay the required ransom are also threatened with DDoS until the ransom is paid.

Figure 1. BlackCat victim-shaming site.

FortiEDR provides detection and mitigation coverage for all currently known BlackCat variants, plus behavioral detections to protect endpoints from future iterations of this malware family. This article analyzes FortiEDR detection and mitigation coverage for this malware and its post-execution behavior.

BlackCat Configuration Options

The BlackCat samples require an 'access token' as a parameter for execution. This access_token serves as a password for the execution of a particular sample, likely as a mechanism to hamper analysis and reversing efforts by the cybersecurity industry. The access_token is also mentioned in the interview referenced above, where the actor stated that, as affiliates of DarkSide, they had suffered from the interception of victims for subsequent decryption by Emsisoft. Despite this protection, some of the earlier samples can be executed with an arbitrary string as the access token, allowing for behavioral analysis.

The analyzed sample has built-in help, which can be seen via the -h or --help parameter. By default, on execution the ransomware collects IP addresses from the ARP table of the target endpoint and then tries to connect to the NetBIOS service on port 137 at those addresses, most likely to propagate laterally within the victim's local network.

Figure 2. BlackCat ransomware command-line options.

There is also a ‘--ui’ option which displays information about the current execution, including: the existing encryption worker threads, the queue of files being processed, overall filesystem encryption progress (as a progress bar) and the speed at which files are being processed. Figure 3 below shows an example of this UI as it is used to encrypt a test system.

Figure 3. BlackCat ransomware UI interface.

Initial Execution

As the ransomware executes, it spawns multiple threads: one thread discovers all files and another encrypts the listed files. The status of these threads can be observed through the UI, as shown in Figure 3 above.

Attempts to execute the sample triggered the ‘Malicious File Detected’ event in the Execution Policy. This rule is triggered when Fortinet Cloud Services (FCS) identifies a file as malicious based on machine learning, online sandboxing (including integration with FortiSandbox) and integration with FortiGuard threat intelligence. An example of this event is shown below in Figure 4.

Figure 4. Malicious File Detection event related to detection of the analyzed BlackCat sample.

Service Access

A Service Access event was triggered by FortiEDR when the BlackCat ransomware sample tried to access the Windows Management Instrumentation command-line utility (WMIC) to obtain the UUID of the victim system. The UUID of the system is used to create an access_token for accessing the onion site; the URL in the ransom note is generated using this access_token.

Figure 5. WMI Service Access rule is triggered when malware uses WMIC to access endpoint information.

File Service Access

A File Service Access event was triggered by FortiEDR when the BlackCat ransomware sample tried to delete the shadow copies using the Volume Shadow Copy Service (VSS) administrative utility. The related event is shown below in Figure 6; note the sample -> cmd.exe -> vssadmin.exe -> VSSVC.exe process chain. This is very common functionality across numerous ransomware variants, as it prevents end users from restoring data from volume shadow copies following encryption.

Figure 6. File Service Access rule is triggered as the BlackCat sample attempts to access the shadow copy service.

Using the Threat Hunting feature in FortiEDR, users can search for events showing the ransomware’s attempt to delete shadow copies through wmic by issuing the query below.

Type: ("Process Creation") AND Target.Process.Name: ("cmd.exe") AND Target.Process.CommandLine: ("\/c \"wmic.exe Shadowcopy Delete\"")

Figure 7. Process Creation events related to attempts to delete volume shadow copies using WMIC.

File Creation Event

Most samples of BlackCat ransomware are seen using a randomized seven-character alphanumeric string as the extension of encrypted files, with the string changing between observed variants. The BlackCat sample tested in the creation of this article appends the randomized string ‘.mfqssdj’ to each encrypted file’s filename; an example file name is ‘checkpoints-Scalar.pm.mfqssdj’. FortiEDR flags the encryption of targeted files with the 'File Encryptor – Suspicious file modification' rule, which forms part of the default ‘Ransomware Prevention’ security policy. This detection can be seen in Figure 8 below; notice that an event was created for the encryption of each file (a total of 47791 encrypted files).

Figure 8. File encryption activity from the BlackCat sample flags both the ‘Malicious File Detected’ and ‘File Encryptor’ rules from the Ransomware Protection policy and the ‘Malicious File Detected’ rule in the Exfiltration Prevention Policy.

Using the Threat Hunting feature in FortiEDR, users can search for events that show the ransomware’s ransom-note wallpaper change by using the query below:

Type:"Value Set" AND Registry.Data:*RECOVER-*-FILES.txt.png

Ransom Note

BlackCat ransomware drops ransom notes (as text files) in every folder containing an encrypted file. The ransom note contains information about the encrypted files on the network, and its filename includes the previously generated file extension. In the case of the current sample the extension value is 'mfqssdj', so the resulting ransom note file name is 'RECOVER-mfqssdj-FILES.txt'. A screenshot of the ransom note is shown below in Figure 9.

Figure 9. BlackCat ransomware note.

Using the Threat Hunting feature in FortiEDR, users can search for events that show the creation of the ransomware’s ransom note by using the query below:

Type:"File Create" AND Target.File.Name:RECOVER-???????-FILES.txt

Modify OS Settings

FortiEDR detects the registry change performed by the BlackCat sample as it sets the desktop wallpaper to display another form of ransom note. The sample modifies the registry so that the image in Figure 10 below is displayed as a tiled background.

Figure 10. A ‘ransom note style’ image is set as the background on a compromised endpoint.

FortiEDR detects this change as a 'Modify OS Settings' event, as shown in Figure 11 below:

Figure 11. Modify OS Settings event is triggered when the BlackCat sample attempts to modify the registry related to the desktop background in order to display the ransom note.

Threat Hunting

The malware uses the wmic and vssadmin Windows utilities to ensure that volume shadow copies are deleted. Threat Hunting queries for events related to the use of both of these utilities are provided below.

Identify shadow copy deletion using the Windows Management Instrumentation (WMI) console, i.e. the wmic command:

Type: ("Process Creation") AND Target.Process.Name: ("cmd.exe") AND Target.Process.CommandLine: ("\/c \"wmic.exe Shadowcopy Delete\"")

Identify process creation events related to the deletion of shadow copies using the Windows utility vssadmin.exe, which is typically used to list, resize and delete volume shadow copies:

Type: ("Process Creation") AND Target.Process.Name: ("cmd.exe") AND Target.Process.CommandLine: ("vssadmin.exe Delete Shadows \/all \/quiet")

Identify File Create events for the creation of the BlackCat ransom note file:

Type:"File Create" AND Target.File.Name:RECOVER-???????-FILES.txt

Identify registry modification events associated with changing the desktop background to the ransom note:

Type:"Value Set" AND Registry.Data:RECOVER-???????-FILES.txt.png
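The four hunting queries above, expressed as matching rules in Python over constructed event records. This is an added example, not FortiEDR code or query syntax: the event field names are copied from the queries, while the dict-shaped event records, the rule names and the helper that recovers the seven-character extension from the ransom note name (to tie encrypted files back to that note) are assumptions.

```python
import re

# Constructed sample events (not real FortiEDR output); the field names follow the
# Threat Hunting queries in this article, the dict layout itself is an assumption.
SAMPLE_EVENTS = [
    {"Type": "Process Creation", "Target.Process.Name": "cmd.exe",
     "Target.Process.CommandLine": 'cmd.exe /c "wmic.exe Shadowcopy Delete"'},
    {"Type": "Process Creation", "Target.Process.Name": "cmd.exe",
     "Target.Process.CommandLine": "cmd.exe /c vssadmin.exe Delete Shadows /all /quiet"},
    {"Type": "File Create", "Target.File.Name": "checkpoints-Scalar.pm.mfqssdj"},
    {"Type": "File Create", "Target.File.Name": "RECOVER-mfqssdj-FILES.txt"},
    {"Type": "Value Set", "Registry.Data": r"C:\Users\Public\RECOVER-mfqssdj-FILES.txt.png"},
    # benign administrative use of vssadmin that the hunt must not flag
    {"Type": "Process Creation", "Target.Process.Name": "cmd.exe",
     "Target.Process.CommandLine": "cmd.exe /c vssadmin.exe List Shadows"},
]

# One rule per query: exact-match fields, the field to pattern-match, the pattern.
RULES = [
    ("T1490 wmic Shadowcopy Delete", {"Type": "Process Creation", "Target.Process.Name": "cmd.exe"},
     "Target.Process.CommandLine", re.compile(r'/c\s+"?wmic(?:\.exe)?\s+shadowcopy\s+delete', re.I)),
    ("T1490 vssadmin Delete Shadows", {"Type": "Process Creation", "Target.Process.Name": "cmd.exe"},
     "Target.Process.CommandLine", re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows\s+/all\s+/quiet", re.I)),
    ("T1486 BlackCat ransom note", {"Type": "File Create"},
     "Target.File.Name", re.compile(r"^RECOVER-[A-Za-z0-9]{7}-FILES\.txt$")),
    ("T1112 ransom note wallpaper", {"Type": "Value Set"},
     "Registry.Data", re.compile(r"RECOVER-[A-Za-z0-9]{7}-FILES\.txt\.png$")),
]

def hunt(events):
    """Return [(rule name, event)] for every event that satisfies a rule."""
    hits = []
    for ev in events:
        for name, exact, field, pattern in RULES:
            if all(ev.get(k) == v for k, v in exact.items()) and pattern.search(ev.get(field, "")):
                hits.append((name, ev))
    return hits

def note_extension(file_name):
    """Recover the per-sample 7-char extension from a ransom note name, else None."""
    m = re.fullmatch(r"RECOVER-([A-Za-z0-9]{7})-FILES\.txt", file_name)
    return m.group(1) if m else None

def encrypted_files(events, ext):
    """File Create events whose name ends in the extension taken from the note."""
    return [ev["Target.File.Name"] for ev in events
            if ev.get("Type") == "File Create" and ev["Target.File.Name"].endswith("." + ext)]
```

Running hunt(SAMPLE_EVENTS) flags the two shadow-copy deletions, the note and the wallpaper value, and leaves the vssadmin listing alone; note_extension on the note name yields the extension that encrypted_files then uses to enumerate the encrypted files.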

 

MITRE ATT&CK

TA0002 - Execution

Technique ID | Technique Description | Observed Activity
T1059.001 | Command and Scripting Interpreter: cmd.exe | BlackCat ransomware uses cmd.exe commands to delete the volume shadow copies.
T1047 | Windows Management Instrumentation | BlackCat ransomware uses the command “wmic.exe Shadowcopy Delete” to access the WMI service to identify and delete volume shadow copies.

TA0007 - Discovery

Technique ID | Technique Description | Observed Activity
T1083 | File and Directory Discovery | BlackCat ransomware searches directories and the files inside them for encryption.
T1018 | Remote System Discovery | BlackCat ransomware searches for network IP addresses by checking ARP table entries.

TA0008 - Lateral Movement

Technique ID | Technique Description | Observed Activity
T1210 | Exploitation of Remote Services | BlackCat ransomware tries to connect through NetBIOS services on port 137 to other endpoints identified by scraping ARP table entries on compromised endpoints.

TA0005 - Defense Evasion

Technique ID | Technique Description | Observed Activity
T1112 | Modify Registry | BlackCat ransomware modifies registry values of “control panel\desktop” to display ransom notes after reboot.
T1562.001 | Impair Defenses: Disable or Modify Tools | BlackCat ransomware terminates processes on affected endpoints before starting the encryption process (see the list of killed processes/services below).

Processes/services killed by the malware: "mepocs", "memtas", "veeam", "svc$", "backup", "sql", "vss", "msexchange", "sql$", "mysql", "mysql$", "sophos", "MSExchange", "MSExchange$", "WSBExchange", "PDVFSService", "BackupExecVSSProvider", "BackupExecAgentAccelerator", "BackupExecAgentBrowser", "BackupExecDiveciMediaService", "BackupExecJobEngine", "BackupExecManagementService", "BackupExecRPCService", "GxBlr", "GxVss", "GxClMgrS", "GxCVD", "GxCIMgr", "GXMMM", "GxVssHWProv", "GxFWD", "SAPService", "SAP", "SAP$", "SAPD$", "SAPHostControl", "SAPHostExec", "QBCFMonitorService", "QBDBMgrN", "QBIDPService", "AcronisAgent", "VeeamNFSSvc", "VeeamDeploymentService", "VeeamTransportSvc", "MVArmor", "MVarmor64", "VSNAPVSS", "AcrSch2Svc"

TA0040 - Impact

Technique ID | Technique Description | Observed Activity
T1486 | Data Encrypted for Impact | BlackCat ransomware encrypts files on the infected system.
T1490 | Inhibit System Recovery | BlackCat ransomware tries to delete the shadow copies by executing the “wmic.exe Shadowcopy Delete” command and the vssadmin command through cmd.exe.
T1489 | Service Stop | BlackCat ransomware disables services to allow the encryption process to more effectively encrypt key files on affected endpoints. The processes/services killed are the same as those listed under T1562.001 above.

 

IOCs

Indicator Description | Indicator | Indicator Type | Associated Tactic | Notes
BlackCat binary | 8c70191b12f14eed594388c8fbe05efe6ebaa564 | SHA1 Hash | Impact | BlackCat ransomware; vhash: 0360976d15655c0d5d1d01az32603031z37z13z15zf7z; tlsh: T10CE5AF95FB43E2ADED6B18B0305EB33ADE34481C00199FA3DBE45D71B92EB115E4861E
BlackCat binary | c1187fe0eaddee995773d6c66bcb558536e9b62c | SHA1 Hash | Impact | BlackCat ransomware; vhash: 0360876d15655c0d5d1d119z792703031z37z13z15zf7z; tlsh: T10DE5AF4EF99392EACD571A70389EB33AD6304918011D9EA3E7FC5E24BE3E71059C861D

 

[1] https://therecord.media/an-alphv-blackcat-representative-discusses-the-groups-plans-for-a-ransomware...
