Skip to main content Link Menu Expand (external link) Document Search Copy Copied
DFIR Ransomware Project
Category Details References
Actors    
First Observed December 2021 1
Threat Actors MS DEV-0504
MS DEV-0237		 2
3
Environment    
Platforms Windows and ESXi 4
Artifacts    
Extensions 7 characters in length, specified in config file 5
Ransomware Notes RECOVER-[EXTENSION]-FILES.txt 5
Services It Disables IIS, Antivirus, backup service, recovery tool in Windows boot menu and clear Windows event logs 6
Other Observables Also named ALPHV and Noberus 7
Automation    
Automatically Gains Access Yes (exploiting Exchange servers, using remote access tools or getting compromised credentials within dark markets) 8
6
Automatically Escalates Privileges Yes.
Several techniques including Masquerade_PEB, UAC bypass via elevated COM interface, and CreateProcessWithLogonW exploit		 5
Requires Human Interaction Yes  
Automatic Exfiltration Yes (through MegaSync, Filezilla and WinSCP) 8
Automatic Propagation Yes.
Uses NetBIOS command to get list of computers and launches using PsExec and configured credentials.		 4

Other Notes:

  • Written in Rust.
  • Each binary is custom to each target
  • “Exmatter” exfiltration program updated in August 2022 to specifically limit type of files to exfiltrate to: PDF, DOC, DOCX, XLS, PNG, JPG, JPEG, TXT, BMP, RDP, SQL, MSG, PST, ZIP, RTF, IPT, and DWG. 7

Please note, this page was last updated at 2023-03-14 20:21.

  1. https://securityaffairs.co/wordpress/132339/malware/blackcat-ransomware-clear-web.html 

  2. https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/#DEV-0504 

  3. https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/#DEV-0237 

  4. https://www.microsoft.com/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/  2

  5. https://www.varonis.com/blog/blackcat-ransomware  2 3

  6. https://blog.group-ib.com/blackcat  2

  7. https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-ransomware-ttps  2

  8. https://securityscorecard.com/blog/ttps-associated-with-new-version-of-blackcat-ransomware  2