What Is BlackCat Ransomware?

BlackCat ransomware, also known as Noberus or ALPHV ransomware, is a type of malware created by a group of Russian-speaking cybercriminals. It’s believed that several members of this group have links to DarkSide and BlackMatter, two ransomware groups that are now defunct. Since its first appearance in 2021, BlackCat has become one of the most active forms of ransomware. A new variant called “Sphynx” is believed to operate with even greater speed and efficiency. BlackCat is written in the Rust programming language and is more difficult to remove than other types of ransomware threats. Victims of the BlackCat ransomware attacks include businesses in the fields of construction, manufacturing, energy, healthcare, technology, and retail.

Threat actors using BlackCat gain initial access to IT environments and user accounts in a variety of ways, including remote desktop protocols, compromised credentials, and exchange server vulnerabilities. Some use Google ads promoting fake downloads of popular software; when users click on a link, they download malware rather than legitimate software. Once the malware payload has infected devices within a network, the cybercriminals use it to encrypt files and data on servers and individual machines, preventing users from accessing them. BlackCat groups may also exfiltrate sensitive data before encrypting it, enabling the groups to threaten to expose the data unless the ransom is paid.

The BlackCat ransomware family is distinct from other types of ransomware attacks for several key reasons.

• Ransomware as a service. BlackCat operates on a ransomware as a service (RaaS) model, where the creators of the malware allow other groups to use it, collecting a percentage of the ransom in return.
• Higher payouts. The hackers behind BlackCat offer a 80%–90% payout to criminal affiliates who use the software — higher than the typical 70% payout.
• New programming language. BlackCat is the first strain of ransomware written in Rust, which is a fast, stable, secure programming language that can be run both on Windows and non-Windows systems such as Linux and virtual machines in VMware instances. To date, few forms of malware have targeted Linux-based systems, so security teams managing Linux-based environments may be less prepared to respond to this devastating cyberattack. Because many security solutions are less effective at analyzing threats written in Rust and other modern programming languages, BlackCat is more difficult for some security tools to recognize and mitigate.
• Customizability. BlackCat operators can customize the ransomware to work in different operating systems, providing a wider range of possible targets. Operators may choose between different encryption algorithms, customize the ransom note, specify files to ignore, and choose specific services and processes to terminate.
• Triple threat. Threat actors using BlackCat often employ triple extortion tactics, demanding a ransom to decrypt infected files, to not publish stolen data, and to not launch a denial-of-service (DoS) or distributed denial-of-service (DDoS) attack against the victim.
• Public data leak site. The group behind BlackCat has created a website on the public internet where data from successful attacks has been leaked. This both increases the visibility of BlackCat ransomware operations among cybercriminals and makes victims more inclined to succumb to the extortion and pay the ransom.

There are several signs that may indicate a ransomware attack is using BlackCat malware. Indicators of compromise (IOCs) include file hash signatures, command and control IP addresses, and specific domains released by the FBI and other analyses. BlackCat attacks typically use a unique or customized ransom note, which may include a link to a unique Tor website that reveals evidence of data that’s been previously exfiltrated and ransomed. BlackCat also appends unique and random extensions to the encrypted files in each campaign, and it creates a file called “RECOVER-<random>-NOTES.txt” in every directory containing ransomed files.

The same methods and controls used to prevent other types of cybercrime and ransomware attacks can be effective against BlackCat attacks.

• Microsegmentation. By strictly limiting access to individual IT assets or small subsets of a network, software-defined microsegmentation can prevent the kind of lateral movement that is essential to ransomware attacks.
• Security awareness training. Educating employees is a critical part of preventing ransomware. Awareness training should include best practices for security hygiene as well as ways to recognize phishing emails and other common techniques for distributing ransomware.
• Encryption. Through encryption, organizations can prevent ransomware attackers from stealing and exposing sensitive data.
• Strong identity and access control. By implementing strong passwords and techniques like multifactor authentication, organizations can severely limit who can view or modify data, reducing the risk or the scope of a BlackCat ransomware infection.
• Backups. Regular data backups allow organizations to recover quickly from a ransomware infection without having to pay a ransom or permanently losing files. Backups must be stored in a secure location that is not connected to computers or the network, to prevent these storage locations from being infected.
• Optimal patching cadence. Regularly installing updates and security patches can help address the vulnerabilities in hardware, applications, and APIs that attackers may otherwise take advantage of.
• Continuous monitoring. Network administrators should continuously monitor incoming and outgoing traffic to search for unusual patterns that may indicate a ransomware affection or other types of cyberattacks.
• Endpoint security. Endpoint security services provide protection at the device level to recognize and block attacks.
• Secure cloud services. When choosing cloud service providers, organizations must ensure that security teams understand the shared responsibility model for security that’s involved in many cloud services, and ensure that providers comply with recognized standards and quality frameworks such as PCI DSS or the FedRAMP certification.
• Data leak protection (DLP). DLP solutions enable granular classification of data based on sensitivity and can alert security teams in real time when potential ransomware incidents or data exfiltration are occurring.