This exploration will discuss Ransomware-as-a-Service (RaaS), which has affected many entities.
Ransomware Incidents
ALPHV, also known as BlackCat and Noberus, is a ransomware-as-a-service (RaaS) affiliate programme linked to cybercriminals primarily operating in Russian-speaking regions. The detection of this particular ransomware occurred in the latter part of 2021, and it shares a connection with prior ransomware iterations, namely BlackMatter and DarkSide. Since November 2021, the group has successfully targeted approximately 25 organisations across various sectors on a global scale. One example of a documented attack is the recent cyber attack on Swissport, which led to delays in aircraft operations and disruptions in service.
Last February, ALPHV/BlackCat ransomware attacked the Law Foundation of Silicon Valley, a pro bono law firm based in California. Personal information, such as Social Security numbers, of more than 42,000 people was compromised in the attack.
Ransomware Attack
The discovery of the BlackCat ransomware was initially brought to light by the esteemed security research collective, MalwareHunterTeam. On November 17, 2021, a comprehensive blog post was released, providing in-depth insights into this notorious ransomware's intricate functionalities and operational mechanisms.
BlackCat has emerged as a prominent player in the cybercrime landscape, operating as a ransomware-as-a-service (RaaS) operation. This illicit business model allows cybercriminals to leverage the sophisticated tools the BlackCat ransomware group provides. The illegal trade of encryption tools has gained traction as malicious actors seek to exploit unsuspecting victims. Upon acquisition of these tools, they are employed to encrypt files on targeted computers, empowering the perpetrators to demand a ransom in exchange for the coveted decryption key.
The BlackCat ransomware boasts a multitude of features that provide extensive functionality to its operators during execution. These configurations can be customized to suit the preferences of threat actors, resulting in a highly adaptable system.
In its relatively short existence, BlackCat has rapidly launched targeted assaults on various entities, including government agencies, commercial enterprises, and individuals. This notorious strain of ransomware has gained infamy for its exorbitant ransom demands, which have been observed to reach millions of dollars.
BlackCat, also known as ALPHV, operates using the Rust programming language. Rust, developed by Mozilla in 2010, offers superior performance and enhanced safety compared to languages like C++. Embracing a multi-paradigm approach, Rust has consistently been regarded as the top programming language by the Stack Overflow community for five consecutive years. In 2020, a new strain of malware called FickerStealer surfaced, explicitly designed to steal sensitive data. It is capable of pilfering credentials stored in Windows Credential Manager and those from popular web browsers, cryptocurrency wallets, FTP clients, and various chat and email clients. This reputation has likely contributed to the adoption of Rust by malware creators, who are now developing malicious software utilizing this programming language. Within the Deep and Dark web, Malware-as-a-service (MaaS) platforms constructed using Rust have emerged, with notable examples including RustyBuer and FickerStealer.
Buer, often called a "primary-stage downloader," can be obtained from illicit online marketplaces. Malicious actors utilize this malware to establish entry points into already compromised networks. These attack tools install additional malware during and after phishing campaigns. Unfortunately, a business user may unwittingly trigger the installation of a new version of Buer, written in Rust and commonly known as RustyBuer.
The BlackCat group has successfully attracted members from other RaaS groups, possibly owing to their highly attractive pay-out model, offering an impressive 90% return on investment. Furthermore, the customizable features of their tools enable even inexperienced individuals to execute complex attacks on large corporations. BlackCat has effectively developed a profitable and user-friendly RaaS tool, solidifying its position in the cybercrime landscape.
Adaptability and Resilience
In the ever-evolving landscape of cybersecurity, it is an undeniable reality that Ransomware groups are continuously adapting to the latest defensive measures. This constant evolution poses a significant challenge for law enforcement agencies, making it increasingly arduous to investigate and bring these criminal gangs to justice effectively.
In the ever-evolving landscape of cyber threats, ransomware groups continue demonstrating adaptability and resilience. These malicious actors constantly refine their tactics to maximise their impact and evade detection. Today, we will discuss how ransomware groups continuously evolve to ensure they stay ahead of the game.
- New attack vectors. Ransomware collectives perpetually seek novel methods to exploit susceptibilities in software and systems. Frequently, they focus on exploiting vulnerabilities concealed within commonly used information technology tools.1 Ransomware groups exploit several prominent vulnerabilities, including ProxyShell, ProxyLogon, Log4Shell, and PrintNightmare.2 The vulnerabilities mentioned above have been identified in products offered by prominent vendors, including Microsoft, Oracle, F5, VMWare, Atlassian, Apache, and SonicWall.3 Ransomware collectives can employ kill chains to exploit these vulnerabilities.3 Recently, the BlackCat ransomware group has been employing a new "Follina" exploit to target Microsoft Office users.
- Advanced methodologies. Ransomware groups employ advanced techniques to elude detection and impede law enforcement's endeavours to locate them. One effective technique is obfuscation, which entails concealing the internal mechanisms of the malware to shield it from scrutiny by security researchers, malware analysts, and reverse engineers.9 Obfuscation refers to the practice of ransomware to alter file data in diverse manners, rendering it dissimilar to the source code. This obfuscates the underlying intention of the file while still enabling its execution. After the obfuscated file has been executed on your system, the ransomware will unpack itself into the computer's memory.8 The objective of obfuscation is to enhance the anonymity of cyber attackers, mitigate the risk of detection, and conceal malware by altering the overall signature and fingerprint of malicious code, even when the payload is already recognised as a threat.8 Another technique can be employed is partial encryption, enabling attackers to encrypt files efficiently and flexibly while avoiding detection.8 Ransomware groups increasingly adopt a more specialised approach, delegating various functions and stages of a typical ransomware attack to expert partners. This strategic outsourcing enhances their ability to withstand law enforcement takedowns and presents more significant difficulties in tracking their activities.7 For instance, attackers might employ "living off the land" tactics that entail misusing authentic administrator tools and services to camouflage themselves within typical network activity.
- Rebranding and restructuring. Ransomware groups have the potential to undergo rebranding or restructuring of their operations as a means to elude law enforcement authorities. An instance of ransomware, known as UNC2190, has consistently engaged in rebranding efforts over the previous year. This strategic approach is employed to evade detection while carrying out cyberattacks on vital infrastructure within multiple industries.4 Another notable instance involves the collaboration between the ransomware group Hive and Conti. Hive has been assisting Conti in rebranding 5 and eluding international sanctions to curb extortion payments to cybercriminals operating within Russia. In 2021, the DarkSide ransomware group decided to cease its operations. However, several experts speculate that it has resurfaced under a new name, the Blackmatter ransomware group.
Cybercriminals behind ransomware are constantly adapting to bypass the latest cybersecurity defences. Keeping up with these criminal groups poses a significant challenge for law enforcement agencies responsible for their apprehension. Swift and decisive action is necessary to combat the danger of ransomware, leaving no room for hesitation or complacency. Agencies must employ various strategies and tactics to address this increasing threat effectively.
For instance, authorities :
- Must work together across borders to combat the global threat of ransomware.
- Must employ sophisticated technology to effectively monitor and apprehend individuals involved in ransomware activities, facilitating their subsequent prosecution.
- Must educate the public about ransomware so that individuals can take preventative measures to protect their data and valuables.
When law enforcement agencies collaborate, they can increase the level of difficulty for ransomware groups and eventually catch these criminals to face justice.
Reference For adaptability and resilience
- A security expert's guide to the top-exploited vulnerabilities.
- Journey into the Top 10 Vulnerabilities Used by Ransomware Groups.
- 76% of Vulnerabilities Currently Exploited by Ransomware Groups Were
- A List of Vulnerabilities Abused by Ransomware Groups Released by
- Ransomware attackers are finding new ways to weaponise old vulnerabilities
- Ransomware: More Families, More Vulnerabilities, More … - MSSP Alert.
- How ransomware is evolving to evade detection.
- New Royal ransomware group evades detection with partial encryption ….
- An Assessment of Obfuscated Ransomware Detection and Prevention Methods
- Ransomware Group Continually Rebrands to Slip Under Radar
- Ransomware – Krebs on Security
- Researchers Warn of 4 Emerging Ransomware Groups That Can Cause Havoc
- Ransomware Groups Able to Rebrand and Reform Before Regulations Catch
- Ransomware Gangs and the Name Game Distraction.
Discover the deceptive tactics utilised by the notorious BlackCat Ransomware to propagate its detrimental effects
BlackCat engages in the dissemination of harmful emails or links to websites to infect individuals. Attackers use various methods to generate malicious emails or links yet exhibit specific shared attributes. These encompass:
- Some individuals resort to manipulative tactics to achieve their desired outcomes. These attackers commonly employ social engineering methods, such as instilling fear or a sense of urgency in the recipient, to prompt them to click on a link or open an attachment within an email.
- It is using senders that look like they are real. Attackers often change the sender address of an email to make it look like it came from a company or government body.
- There has been an observed occurrence of individuals disseminating files and links known to contain harmful software. Suppose the recipient clicks on the attached file or proceeds to access the provided link. In that case, the malware will be downloaded and installed on their device. It is imperative to exercise caution when engaging in internet browsing activities and when considering opening attachments from unfamiliar sources.
Here are some examples of how advisory makes nefarious emails or links in more detail:
- One common way that dangerous emails are created is through phishing attacks. These spam emails are designed to look like they come from a trusted source, such as your bank or credit card company. They often contain a harmful link or attachment that, if opened, can infect your computer with malware.
- Have you heard of targeted email attacks? Specifically, spear-phishing emails fall under the broader category of phishing emails. These emails are sent to a particular person or organisation and often contain information relevant to the receiver, like their name or workplace name. This increases the likelihood of the email being read and responded to by the intended recipient.
- Malvertising refers to malicious advertisements that spread malware. This code may be presented in various formats, including pop-up windows and banner ads.
Malware is placed on a victim's computer once they visit a malicious website or open an infected attachment. After infecting a computer, malware can steal sensitive data like passwords and credit card details, or it might encrypt the victim's files and hold them for ransom.
The power of BlackCat is significant, as it can quickly infiltrate the entire system. The attackers use a technique called "triple extortion." First, they copy the victim's data and then encrypt it on the victim's machine. Once they gain access, the attackers threaten to destroy the decryption keys, publicly expose the data, and initiate a DDoS attack if the victim does not meet their ransom demands.
Rust, a computer language, is utilised in a manner that is not found in any other ransomware strains, which sets BlackCat apart from the competition. This distinction is crucial because it may portend a potential increase in the incidence of malware based on the Rust programming language. Because of its outstanding speed, solid security features, stable design, and superior memory management skills, the Rust programming language is an appealing option for hackers who want to create malware that can elude the detection methods that are currently in use. BlackCat is compatible with operating systems other than Windows, including Linux, which is still another advantageous feature of this programme. Administrators who work with Linux may need to increase their level of preparedness to effectively tackle the impending danger posed by the "Important files on your system were ENCRYPTED." associated with BlackCat. This is because there are only a minimal number of malware strains that target systems based on Linux.
Malicious second-stage delivery
A concerning issue is that a malicious second-stage delivery is being rented out to other threat actors using the access-as-a-service model in underground marketplaces. Therefore, any organisation compromised through the RustyBuer platform must take action and investigate the malicious second-stage delivery mechanisms that may have been implanted in their infrastructure.
It's conceivable that the letter ALPHA (alpha) is masked within the term ALPHV. This technique could be used by the producers of ransomware to conceal the first version of their software or to conceal the identity of the developer or representative of a ransomware gang. The "ng" in ALPHV-ng stands for "Next Generation," which refers to the programme's next iteration. BlackCat (also "Black Cat") and its associated image are self-explanatory to Russians.
It is compatible with Linux-based operating systems such as Debian, Ubuntu, ReadyNAS, Synology, Windows, and VMware ESXi. ALPHV ransomware is notorious for demanding high ransoms that can go up to millions of dollars. Additionally, it possesses a kill switch that prevents victims from accessing their files unless they pay the ransom. There have been reports of ALPHV ransomware attacks since November 18, 2021. These attacks have affected government agencies, businesses, and individuals.
Self-propagation
It can also erase volume shadow copies, terminate processes and services, and halt virtual machines on ESXi servers, increasing the amount of ransomed data. Additionally, ALPHV can spread itself by using PsExec to remotely execute itself on other systems connected to the local network. It can identify and locate all connected servers within a network. It uses advanced algorithms and scanning capabilities to systematically explore and uncover these servers, providing valuable insights into the network's infrastructure. The procedure begins by sending NetBIOS Name Service (NBNC) messages to detect additional devices. The ransomware uses a self-replication strategy on targeted servers by utilising provided credentials within the configuration file via PsExec.
The ransomware employs a combination of the AES-128 (CTR mode) and RSA-2048 algorithms to encrypt data from users and corporate networks. Subsequently, a substantial ransom in the form of Bitcoin or Monero is demanded to retrieve the data. The adversary may utilise the ChaCha20 algorithm as a substitute for the AES algorithm. The parsing process of the configuration file, previously known as ALPHV-ng RaaS, involves extracting the global public key required for encrypting local keys.
The RaaS (Ransomware-as-a-Service) affiliate model involves several participants:
- Access brokers infiltrate networks and establish a persistent presence within them.
- Operators of Ransomware-as-a-Service (RaaS) who specialise in developing various tools.
- Ransomware-as-a-Service (RaaS) affiliates engage in additional activities, such as moving laterally across the network and exfiltrating data before executing the ransomware payload.
How BlackCat gains access to a target organisation can differ depending on the Ransomware-as-a-Service (RaaS) affiliate responsible for its deployment. In some instances, the primary entry points for these malicious entities involve remote desktop applications and compromised credentials. It has been observed that specific individuals with malicious intent have been able to use the weaknesses in Exchange servers to gain unauthorised entry into targeted networks.
How to Protect Yourself from ALPHV Ransomware
The Blackcat ransomware has been specifically engineered to present significant difficulties in its removal process. It could try to turn off antivirus software or other security measures. The attack's potential impact includes the possible modification of system files and settings, which can contribute to the attacker's persistence and increase the difficulty of recovering from the incident. The utilisation of Rust programming language has the potential to impede reverse engineering efforts, thereby rendering the detection of such programming constructs challenging for engineers needing more familiarity with Rust. Additionally, it can effectively circumvent anti-detection measures.
There are various steps that can be taken to protect against ALPHV ransomware:
Software is always up to date. It is essential to ensure that your software is always up to date. This is because software updates usually contain security patches that help to safeguard your computer against ransomware attacks.
Install a firewall and anti-virus protection. The combination of a firewall and anti-virus software can significantly increase the safety of your computer.
Be aware of phishing emails. Phishing emails are often used to deliver ransomware. It's essential to exercise caution when clicking links or opening attachments in emails from unfamiliar senders. By watching this video, you will better understand how phishing scams work.
Only open attachments or click links in emails if you are sure they are from a legitimate source.
Use strong passwords and enable multi-factor authentication. Creating strong passwords and using multi-factor authentication can significantly increase your computer's security and make it harder for attackers to gain access.
Use encryption techniques. By utilising encryption techniques and establishing access control measures, enterprises can effectively mitigate the likelihood of a BlackCat ransomware infiltration and minimise the potential consequences of a successful breach. Suppose the perpetrator successfully obtains unauthorised access to the encrypted data. If the decryption key is not accessible, the associated value will become null and void. Therefore, ensuring that the decryption key is stored securely and follows industry standard key management safeguards the keys from unauthorised access is of utmost importance.
Suppose you suspect that your computer systems have been compromised by the BlackCat ransomware. In that case, there are several recommended actions you can take:
- Creating a backup of your files is vital to ensure their protection. If you have recently made a backup, it can be used to restore any data lost due to a ransomware attack after the virus has been removed.
- Please ensure that you make a backup of your files. Assume that you currently possess a recent backup of your files. In such circumstances, restoring the data from the backup is feasible once the ransomware has been effectively eradicated.
- In order to guarantee that your computer is not infected with the BlackCat malware, it is advisable to run a scan using antivirus software. There are numerous antivirus products available that can identify and eliminate this form of malware.
- If you have encountered a security violation involving the BlackCat ransomware, you must inform the appropriate authorities immediately. This will allow them to investigate the matter and take the necessary actions to identify and catch those responsible.
References
- The Many lives of BlackCat ransomware
- A language empowering everyone to build reliable and efficient software
- 2022-004: ACSC Ransomware Profile – ALPHV (aka BlackCat)
- BlackCat ransomware fails to extort Australian commercial law giant
- BlackCat : New Rust based ransomware borrowing BlackMatter’s configuration
- Analyzing WhisperGate and BlackCat Malware: Methodology and Threat Perspective
- Spotlight on Ransomware: How ransomware works.
- A question of security: What is obfuscation and how does it work
- DJVU: The Ransomware That Seems Strangely Familiar… - BlackBerry
- An Assessment of Obfuscated Ransomware Detection and … - Springer
- Ransomware – Krebs on Security
- Ransomware Gangs and the Name Game Distraction
- Researchers Warn of 4 Emerging Ransomware Groups That Can Cause Havoc
- Ransomware Groups Able to Rebrand and Reform Before Regulations Catch
Prasanna Abeysekera, a writer for GABEY, primarily focuses on cybersecurity and the changing nature of online threats.