BlackCat ransomware group increases stealth, speed, exfiltration capabilities against organizations

New IBM Security Intelligence data found that the BlackCat (ALPHV) ransomware has continued to wreak havoc across organizations globally this year. Recent attacks by the group’s ransomware affiliates have targeted organizations in the healthcare, government, education, manufacturing, and hospitality sectors. Several of these incidents have reportedly resulted in the group publishing sensitive data, including financial and medical information stolen from the victim organizations, to its leak site.

“Ransomware groups like BlackCat that are able to shift their tooling and tradecraft to make their operations faster and stealthier have a better chance of extending their lifespan,” IBM Security X-Force researchers wrote in a blog post published Tuesday. “X-Force has observed BlackCat affiliates continue to hone their operations in order to increase the likelihood of successful impact, namely data theft, and encryption. Attackers automated the data exfiltration portion of the operation using ExMatter, a custom malware capable of ‘melting’ (self-deletion). In addition, the BlackCat group recently released a new version of their ransomware, dubbed Sphynx, with upgraded capabilities meant to thwart defensive measures.”

While evolving tactics to delay or prevent detection and to evade analysis present renewed challenges, knowing which tactics, techniques and procedures (TTPs) attackers are most likely to employ can help defenders seeking to disrupt and defeat ransomware attacks, the post added. The blog post details the tactics deployed by BlackCat and other ransomware groups and how organizations can best protect themselves by knowing what to look for in their environments.

BlackCat has become known as a highly formidable ransomware operator since its debut in November 2021. The group has consistently been listed among the top ten most active ransomware groups by multiple research entities and was linked in an April 2022 FBI advisory to now-defunct BlackMatter/DarkSide ransomware. In 2022, BlackCat affiliates were linked to the attempted extortion of entities globally across multiple sectors including education, government, and energy.

Additionally, BlackCat switched to the Rust programming language in 2022, likely because of the customization opportunities the language affords and as a means of hampering efforts to detect and analyze the malware.

IBM assesses that a year and a half since it entered the ransomware crime circuit, the BlackCat group shows no signs of winding down.

The post said that during the last six months, X-Force observed multiple intrusions by BlackCat affiliates that demonstrated continuous enhancement of their tooling and tradecraft. “BlackCat affiliates continue to abuse the functionality of Group Policy Objects, both to deploy tools and to interfere with security measures. Attackers displaying a nuanced understanding of Active Directory can abuse GPOs to great effect for swift mass malware deployment. For example, threat actors may attempt to increase the speed of their operations by changing default Group Policy refresh times, likely to shorten the window of time between changes taking effect and defenders being able to respond.”

“As BlackCat generally attempts to carry out a double extortion scheme, attackers also deployed tools for both data encryption and theft. X-Force observed attackers leveraging ExMatter, a .NET data exfiltration tool that was introduced in 2021 and received a substantial update in August 2022,” the IBM post added. “ExMatter is exclusively used by one BlackCat ransomware affiliate cluster, tracked by Microsoft as DEV-0504. IBM X-Force has observed evidence that multiple terabytes of data had been exfiltrated from a victim environment to threat actor-controlled infrastructure. Stolen data is frequently posted publicly on the group’s official leak site in an attempt to apply pressure on extortion victims.”

Lastly, X-Force observed and analyzed a new version of BlackCat being deployed dubbed Sphynx, the post said. “This version was first announced in February 2023 and introduced a number of updated capabilities that strengthen the group’s efforts to evade detection.”

Sphynx differs from the previous variants in notable ways, the researchers said. “For example, the command line arguments have been reworked. Previous variants utilized the --access-token parameter in order to execute. The updated ransomware removes that parameter and adds a set of more complex arguments. This makes it harder to detect since defenders do not have standard commands to hunt.”

The post also pointed out that the configuration data is not JSON formatted, but raw structures. “Updated samples contain junk code and thousands of encrypted strings which hinder static analysis. An announcement by the BlackCat group suggests the motives for updating the ransomware, indicating that BlackCat ransomware ‘has been completely rewritten from scratch’ and that ‘The main priority of this update was to optimize detection by AV/EDR,’” it added.

The IBM Security X-Force researchers said that while evidence of the initial access vector is not always available, the earliest indication of compromise was possible threat actor use of valid credentials. Credentials are frequently obtained through infections with common stealer malware, such as Raccoon and Vidar information stealers.

“Once inside the network, BlackCat attackers used PowerShell and the command prompt to gather information about user accounts, permissions, and domain computers,” the researchers said. “Attackers used PowerShell code associated with ‘PowerSploit’, a publicly available PowerShell post-exploitation framework, for credential theft through Kerberoasting, and were able to obtain domain administrator credentials.”

Attackers used Remote Desktop Protocol (RDP) to move internally within the network, including authenticating to Domain Controllers using credentials for accounts with administrative privileges, the researchers revealed. Once authenticated, attackers could make modifications that expanded and solidified their reach within the network.

At this stage, attackers modified the default domain Group Policy Object (GPO) to fulfill two main objectives – disabling security controls and anti-virus, and deploying and executing ExMatter and BlackCat.
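Two of the behaviours described above (Kerberoasting with PowerSploit-derived code, and edits to the default domain GPO to disable defences and push tooling) leave traces in the Windows Security log. The following is an added detection example written for this article, not IBM's or X-Force's code; it assumes Security events already normalised into dictionaries (Event ID 4769 for service ticket requests, 5136 for directory object modifications, which requires directory service change auditing) and uses constructed sample events.

```python
"""Hunt for Kerberoasting (many RC4 TGS requests by one account, Event ID 4769)
and tampering with the Default Domain Policy GPO (Event ID 5136)."""
from collections import defaultdict

# Well-known, domain-independent GUID of the Default Domain Policy GPO.
DEFAULT_DOMAIN_POLICY = "{31B2F340-016D-11D2-945F-00C04FB984F9}"
RC4_HMAC = "0x17"  # TicketEncryptionType that Kerberoasting tooling typically requests
# GPO attributes whose change alters which settings/extensions a GPO applies.
GPO_ATTRS = {"gPCMachineExtensionNames", "gPCUserExtensionNames", "versionNumber", "gPCFileSysPath"}

# Constructed sample events (not real telemetry), shaped like fields a SIEM extracts.
SAMPLE_EVENTS = [
    {"id": 4769, "account": "jdoe", "service": "MSSQLSvc/sql01", "etype": "0x17"},
    {"id": 4769, "account": "jdoe", "service": "HTTP/web01", "etype": "0x17"},
    {"id": 4769, "account": "jdoe", "service": "CIFS/file01", "etype": "0x17"},
    {"id": 4769, "account": "alice", "service": "HTTP/web01", "etype": "0x17"},
    {"id": 4769, "account": "bob", "service": "MSSQLSvc/sql01", "etype": "0x12"},
    {"id": 4769, "account": "bob", "service": "HTTP/web01", "etype": "0x12"},
    {"id": 4769, "account": "bob", "service": "CIFS/file01", "etype": "0x12"},
    {"id": 5136, "subject": "jdoe", "class": "groupPolicyContainer",
     "dn": "CN=" + DEFAULT_DOMAIN_POLICY + ",CN=Policies,CN=System,DC=corp,DC=example",
     "attribute": "gPCMachineExtensionNames"},
    {"id": 5136, "subject": "gpoadmin", "class": "groupPolicyContainer",
     "dn": "CN={11111111-2222-3333-4444-555555555555},CN=Policies,CN=System,DC=corp,DC=example",
     "attribute": "displayName"},
    {"id": 5136, "subject": "hr-admin", "class": "user",
     "dn": "CN=alice,OU=Staff,DC=corp,DC=example", "attribute": "description"},
]


def find_kerberoasting(events, min_spns=3):
    """{account: sorted SPNs} for accounts requesting RC4 tickets for >= min_spns services."""
    rc4_by_account = defaultdict(set)
    for ev in events:
        if ev["id"] == 4769 and ev["etype"] == RC4_HMAC:  # AES (0x11/0x12) requests ignored
            rc4_by_account[ev["account"]].add(ev["service"])
    return {acct: sorted(spns) for acct, spns in rc4_by_account.items() if len(spns) >= min_spns}


def find_gpo_tampering(events):
    """(subject, dn, attribute) for 5136 edits to GPO containers touching the Default
    Domain Policy or changing which extensions/settings any GPO applies."""
    hits = []
    for ev in events:
        if ev["id"] != 5136 or ev["class"] != "groupPolicyContainer":
            continue
        if DEFAULT_DOMAIN_POLICY in ev["dn"] or ev["attribute"] in GPO_ATTRS:
            hits.append((ev["subject"], ev["dn"], ev["attribute"]))
    return hits
```

Tune `min_spns` to the environment: service accounts and some applications legitimately request RC4 tickets, so the threshold and an allow-list of known requesters keep the alert actionable.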

X-Force assesses that actors associated with BlackCat and other ransomware groups are likely to try to increase the speed and stealth of their operations using novel means to accomplish different stages of their attacks. It added that continuous advancements in BlackCat ransomware-associated tradecraft, as well as the design of BlackCat and ExMatter malware, underscore adversary understanding of target systems and defender processes — as well as potential points where these can be leveraged for attacker advantage.

Last week, threat intelligence company Mandiant disclosed that novel OT/ICS-oriented malware, tracked as CosmicEnergy, was uploaded to a public malware scanning utility in December 2021 by a submitter in Russia. The malware is designed to cause electric power disruption by interacting with IEC 60870-5-104 (IEC-104) devices, such as remote terminal units (RTUs), that are commonly leveraged in electric transmission and distribution operations in Europe, the Middle East, and Asia.
