BlackCat (aka ALPHV, AlphaVM) is a newly established RaaS (Ransomware as a Service) operation whose payloads are written in Rust. Because of the choice of Rust, BlackCat ransomware is cross-platform and achieves a faster encryption speed than some other ransomware families. In an online interview[1] earlier this year, an actor working with ALPHV stated that the team consists of previous affiliates of BlackMatter/DarkSide, gandrevil (GandCrab/REvil) and mazegreggor (Maze/Egregor). BlackCat also operates a victim-shaming Tor site at http[:]//alphvmmm27o3abo3r2mlmjrpdmzle3rykajqc5xsj7j7ejksbpsa36ad[.]onion, on which more than 60 victims have been published so far. Victims are currently mostly distributed across Europe and the US. What sets BlackCat apart is that, in addition to the extortion and encryption aspects of its attacks, victims that fail to pay the demanded ransom are also threatened with DDoS until the ransom is paid.
Figure 1. BlackCat victim-shaming site.
FortiEDR provides detection and mitigation coverage for all currently known BlackCat variants, as well as behavioral detections to protect endpoints from future iterations of this malware. This article analyzes FortiEDR detection and mitigation coverage for this malware variant and its post-execution behavior.
The BlackCat samples require an 'access token' as a parameter for execution. This access_token serves as a password for the execution of a particular sample, most likely as a mechanism to hamper analysis and reversing efforts by the cybersecurity industry. The access_token is also mentioned in the interview referenced above, where the actor stated that, as affiliates of DarkSide, they had suffered from victims being intercepted and subsequently decrypted by Emsisoft. Despite this protection, some of the earlier samples can be executed with an arbitrary string as the access token, which allows for behavioral analysis.
The analyzed sample has built-in help, which can be displayed with the -h or --help parameter. By default, on execution the ransomware collects IP addresses from the ARP table of the target endpoint and then tries to connect to the NetBIOS service on port 137 at each of these addresses, most likely in order to propagate laterally within the victim's local network.
Figure 2. BlackCat ransomware command-line options.
There is also a ‘--ui’ option, which displays information about the current execution, including the existing encryption worker threads, the queue of files being processed, overall filesystem encryption progress (shown as a progress bar) and the rate at which files are being processed. Figure 3 below shows an example of this UI as it is used to encrypt a test system.
Figure 3. BlackCat ransomware UI interface.
As the ransomware executes, it spawns multiple threads: one thread discovers all files and another encrypts the listed files. The status of these threads can be observed through the UI, as shown in Figure 3 above.
Attempts to execute the sample triggered the ‘Malicious File Detected’ event in the Execution Policy. This rule is triggered when Fortinet Cloud Services (FCS) identifies a file as malicious based on machine learning, online sandboxing (including integration with FortiSandbox) and integration with FortiGuard threat intelligence. An example of this event is shown in Figure 4 below.
Figure 4. Malicious File Detection event related to detection of the analyzed BlackCat sample.
A Service Access event was triggered by FortiEDR when the BlackCat ransomware sample tried to access the Windows Management Instrumentation command-line utility (WMIC) to retrieve the UUID of the victim system. The UUID of the system is used to create an access_token for accessing the onion site, and the URL in the ransom note is generated using this access_token.
Figure 5. WMI Service Access rule is triggered when malware uses WMIC to access endpoint information.
A File Service Access event was triggered by FortiEDR when the BlackCat ransomware sample tried to delete the shadow copies using the Volume Shadow Copy Service (VSS) administrative utility. The related event is shown in Figure 6 below; note the sample -> cmd.exe -> vssadmin.exe -> VSSVC.exe process chain. This is very common functionality among ransomware variants, as it prevents end users from restoring data from volume shadow copies following encryption.
Figure 6. File Service Access rule is triggered as the BlackCat sample attempts to access the shadow copy service.
Using the Threat Hunting feature in FortiEDR, users can search for events showing the ransomware’s attempt to delete shadow copies through wmic by issuing the query below.
Type: ("Process Creation") AND Target.Process.Name: ("cmd.exe") AND Target.Process.CommandLine: ("\/c \"wmic.exe Shadowcopy Delete\"")
Figure 7. Process Creation events related to attempts to delete volume shadow copies using WMIC.
Most samples of BlackCat ransomware use a seven-character randomized alphanumeric string as the extension of an encrypted file, with the string changing between observed variants. The BlackCat sample tested in the creation of this article appends the randomized string ‘.mfqssdj’ to each encrypted file’s filename; an example file name is ‘checkpoints-Scalar.pm.mfqssdj’. FortiEDR flags the encryption of targeted files with the 'File Encryptor – Suspicious file modification' rule, which forms part of the default ‘Ransomware Prevention’ security policy. This detection can be seen in Figure 8 below; notice that an event was created for the encryption of each file (a total of 47791 encrypted files).
Figure 8. File encryption activity from the BlackCat sample flags both the ‘Malicious File Detected’ and ‘File Encryptor’ rules from the Ransomware Protection policy and the ‘Malicious File Detected’ rule in the Exfiltration Prevention Policy.
Using the Threat Hunting feature in FortiEDR, users can search for events that show the ransomware’s ransom note wallpaper change by using the query below:
Type:"Value Set" AND Registry.Data:*RECOVER-*-FILES.txt.png
BlackCat ransomware drops ransom notes (as text files) in every folder containing an encrypted file. The ransom note contains information about the encrypted files on the network and includes the previously generated file extension as part of its filename. For the current sample the extension value is 'mfqssdj', so the resulting ransom note file name is 'RECOVER-mfqssdj-FILES.txt'. A screenshot of the ransom note is shown in Figure 9 below.
Figure 9. BlackCat ransomware note.
Using the Threat Hunting feature in FortiEDR, users can search for events that show the ransomware’s ransom note creation by using the query below:
Type:"File Create" AND Target.File.Name:RECOVER-???????-FILES.txt
FortiEDR detects the registry change performed by the BlackCat sample as it sets the desktop wallpaper to display another form of the ransom note. The sample modifies the registry so that the image in Figure 10 below is displayed as a tiled background.
Figure 10. A ‘ransom note style’ image is set as the background on a compromised endpoint.
FortiEDR detects this change as a 'Modify OS Settings' event, as shown in Figure 11 below:
Figure 11. Modify OS Settings event is triggered when the BlackCat sample attempts to modify the registry related to the desktop background to display the ransom note.
The malware uses the wmic and vssadmin Windows utilities to make sure the volume shadow copies are deleted. Threat Hunting queries for events related to the use of both of these utilities are provided below.
Identify shadow copy deletion using the Windows Management Instrumentation (WMI) command-line utility (wmic):
Type: ("Process Creation") AND Target.Process.Name: ("cmd.exe") AND Target.Process.CommandLine: ("\/c \"wmic.exe Shadowcopy Delete\"")
Identify process creation events related to the deletion of shadow copies using the Windows utility vssadmin.exe, which is typically used to list, resize and delete volume shadow copies:
Type: ("Process Creation") AND Target.Process.Name: ("cmd.exe") AND Target.Process.CommandLine: ("vssadmin.exe Delete Shadows \/all \/quiet")
Identify File Create events for the creation of the BlackCat ransom note file:
Type:"File Create" AND Target.File.Name:RECOVER-???????-FILES.txt
Identify registry modification events associated with changing the desktop background to the ransom note:
Type:"Value Set" AND Registry.Data:RECOVER-???????-FILES.txt.png
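The four hunting queries above can also be applied offline to exported telemetry. The following Python script is an added example and is not part of the original article or of FortiEDR: it mirrors each query as a matcher over process creation, file create and registry value-set events and adds a pivot from a ransom note name to the encryption extension. The event field names (type, target_process, command_line, target_file, registry_data) and the sample events are constructed assumptions, not FortiEDR's export schema.

```python
import re

# Patterns mirroring the FortiEDR Threat Hunting queries above (case-insensitive for
# command lines and registry data, exact case for the ransom note file name).
WMIC_SHADOW_DELETE = re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)
VSSADMIN_SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\s+/all\s+/quiet", re.I)
# The ransom note name embeds the seven-character alphanumeric encryption extension.
RANSOM_NOTE = re.compile(r"^RECOVER-([A-Za-z0-9]{7})-FILES\.txt$")
WALLPAPER_NOTE = re.compile(r"RECOVER-[A-Za-z0-9]{7}-FILES\.txt\.png$", re.I)


def classify(event):
    """Return the BlackCat behaviour an event matches, or None if it matches none."""
    kind = event.get("type")
    if kind == "Process Creation" and event.get("target_process", "").lower() == "cmd.exe":
        cmd = event.get("command_line", "")
        if WMIC_SHADOW_DELETE.search(cmd):
            return "shadow_copy_delete_wmic"
        if VSSADMIN_SHADOW_DELETE.search(cmd):
            return "shadow_copy_delete_vssadmin"
    elif kind == "File Create" and RANSOM_NOTE.match(event.get("target_file", "")):
        return "ransom_note_created"
    elif kind == "Value Set" and WALLPAPER_NOTE.search(event.get("registry_data", "")):
        return "wallpaper_ransom_note"
    return None


def extension_from_note(filename):
    """Pivot: recover the encryption extension (e.g. 'mfqssdj') from a ransom note name."""
    m = RANSOM_NOTE.match(filename)
    return m.group(1) if m else None


def hunt(events):
    """Group matching events by behaviour: {behaviour: [event, ...]}."""
    hits = {}
    for ev in events:
        label = classify(ev)
        if label:
            hits.setdefault(label, []).append(ev)
    return hits


# Constructed sample events (assumed field names, not real telemetry).
SAMPLE_EVENTS = [
    {"type": "Process Creation", "target_process": "cmd.exe", "command_line": '/c "wmic.exe Shadowcopy Delete"'},
    {"type": "Process Creation", "target_process": "cmd.exe", "command_line": "vssadmin.exe Delete Shadows /all /quiet"},
    {"type": "Process Creation", "target_process": "cmd.exe", "command_line": "vssadmin.exe list shadows"},  # routine admin use
    {"type": "File Create", "target_file": "RECOVER-mfqssdj-FILES.txt"},
    {"type": "File Create", "target_file": "RECOVER-FILES.txt"},  # wrong shape: must not match
    {"type": "Value Set", "registry_data": r"C:\Users\Public\RECOVER-mfqssdj-FILES.txt.png"},
]
```

Running hunt(SAMPLE_EVENTS) yields exactly one event per behaviour; the benign vssadmin listing and the malformed note name are left unmatched.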
Technique ID | Technique Description | Observed Activity
T1059.001 | Command and Scripting Interpreter: cmd.exe | BlackCat ransomware uses cmd.exe commands to delete the volume shadow copies.
T1047 | Windows Management Instrumentation | BlackCat ransomware uses the command “wmic.exe Shadowcopy Delete” to access the WMI service and identify and delete volume shadow copies.
T1083 | File and Directory Discovery | BlackCat ransomware enumerates directories and the files inside them for encryption.
T1018 | Remote System Discovery | BlackCat ransomware discovers network IP addresses by reading ARP table entries.
T1210 | Exploitation of Remote Services | BlackCat ransomware tries to connect, via the NetBIOS service on port 137, to other endpoints identified by scraping ARP table entries on the compromised endpoint.
T1112 | Modify Registry | BlackCat ransomware modifies registry values under “Control Panel\Desktop” to display the ransom note after reboot.
T1562.001 | Impair Defenses: Disable or Modify Tools | BlackCat ransomware terminates processes on affected endpoints before starting the encryption process. The processes and services killed by the malware are: "mepocs", "memtas", "veeam", "svc$", "backup", "sql", "vss", "msexchange", "sql$", "mysql", "mysql$", "sophos", "MSExchange", "MSExchange$", "WSBExchange", "PDVFSService", "BackupExecVSSProvider", "BackupExecAgentAccelerator", "BackupExecAgentBrowser", "BackupExecDiveciMediaService", "BackupExecJobEngine", "BackupExecManagementService", "BackupExecRPCService", "GxBlr", "GxVss", "GxClMgrS", "GxCVD", "GxCIMgr", "GXMMM", "GxVssHWProv", "GxFWD", "SAPService", "SAP", "SAP$", "SAPD$", "SAPHostControl", "SAPHostExec", "QBCFMonitorService", "QBDBMgrN", "QBIDPService", "AcronisAgent", "VeeamNFSSvc", "VeeamDeploymentService", "VeeamTransportSvc", "MVArmor", "MVarmor64", "VSNAPVSS", "AcrSch2Svc"
T1486 | Data Encrypted for Impact | BlackCat ransomware encrypts files on the infected system.
T1490 | Inhibit System Recovery | BlackCat ransomware tries to delete the shadow copies by executing the “wmic.exe Shadowcopy Delete” command and the vssadmin command through cmd.exe.
T1489 | Service Stop | BlackCat ransomware stops services so that the encryption process can more effectively encrypt key files on affected endpoints. The list of processes and services killed by the malware is the same as that given for T1562.001 above.
Indicator Description | Indicator | Indicator Type | Associated Tactic | Notes
BlackCat binary | 8c70191b12f14eed594388c8fbe05efe6ebaa564 | SHA1 Hash | Impact | BlackCat ransomware; vhash: 0360976d15655c0d5d1d01az32603031z37z13z15zf7z; tlsh: T10CE5AF95FB43E2ADED6B18B0305EB33ADE34481C00199FA3DBE45D71B92EB115E4861E
BlackCat binary | c1187fe0eaddee995773d6c66bcb558536e9b62c | SHA1 Hash | Impact | BlackCat ransomware; vhash: 0360876d15655c0d5d1d119z792703031z37z13z15zf7z; tlsh: T10DE5AF4EF99392EACD571A70389EB33AD6304918011D9EA3E7FC5E24BE3E71059C861D
[1] https://therecord.media/an-alphv-blackcat-representative-discusses-the-groups-plans-for-a-ransomware...
Copyright 2024 Fortinet, Inc. All Rights Reserved.