Amid news that the ALPHV/BlackCat ransomware gang is shutting down operations in a likely exit scam, researchers published a new technical breakdown of the ransomware’s binary.
The Trustwave SpiderLabs report published Wednesday dives into remote access and stealth tactics used in deployment of BlackCat ransomware since the group’s resurgence, after its initial disruption by the FBI in December.
ALPHV/BlackCat’s leak site went down for a second time on Friday and is now replaced with an FBI takedown notice that security experts say is likely fake.
Inspecting the site shows the takedown banner is extracted from an archive, and Europol and the National Crime Agency (NCA) deny being involved in the takedown despite their logos appearing on the page, BleepingComputer reports.
The cybergang’s operators claim they plan to cease operations and sell the BlackCat ransomware source code for $5 million due to law enforcement interference — but this move comes after allegations it stole a $22 million ransom from one of its own affiliates after claiming responsibility for the attack against Change Healthcare. This has led the gang’s actions to be labeled by many as an “exit scam.”
“Based on our experience, we believe that BlackCat’s claim of shutting down due to law enforcement pressure is a hoax. We anticipate their return under a new guise or brand after the hiatus,” Reegun Jayapaul, principal threat hunter at Trustwave, told SC Media in an email. “This tactic serves as a means for them to execute one final significant scam before resurfacing with less scrutiny.”
Whether ALPHV/BlackCat returns under a different name — or the ransomware-as-a-service (RaaS) strain is sold and brought under new management — organizations should stay alert for BlackCat’s ransomware tactics despite the bizarre shakeup.
“Regardless if BlackCat sells their source code or not, threat actors are always honing and evolving their craft,” Shawn Kanady, global director of the Trustwave SpiderLabs Threat Hunt Team, told SC Media.
New stealth features discovered in BlackCat ransomware ‘Version 3’
The BlackCat variant studied by Trustwave researchers is more elusive than previous versions due to a unique 64-character hexadecimal access token being required to execute the ransomware binary. This raises the difficulty for researchers to download a sample of the malware and study the code through traditional means, Kanady told SC Media.
“We were able to pull this version from an infected machine. This gave us good insight into how it was deployed and what it is capable of doing,” Kanady said. “The key difference between this and other versions is the strict requirement of access tokens. Each token is unique to its victim and the malware will only execute with the token.”
Trustwave noted the use of two types of legitimate remote access software — Total Software Deployment and ScreenConnect — used by BlackCat to stealthily establish backdoor access to infected systems. This corresponds to a joint advisory issued by CISA, the FBI and HHS last week, which emphasized the gang’s use of legitimate remote access software to evade detection.
Another significant aspect of the “Version 3” BlackCat variant is its naming of the malware executable to “update.exe.”
“This is to trigger the UAC (Windows User Account Control) intentionally. In most cases, the end-user will just click ‘yes,’ and the malware gets elevated privileges,” Kanady explained.
The analysis showed batch scripts were used to disable security measures like Windows Defender and SmartScreen — tactics also outlined in the government advisory.
Together with detailed profiling of the target machine to avoid actions that would trigger an alert, and commands to block “noisy” self-propagation activities, these features make the BlackCat variant adept at encrypting and exfiltrating files before its presence is ever detected.
This is why, Kanady said, organizations should focus on what they can prevent before the ransomware is ever deployed.
“In this case, BlackCat used legitimate credentials to login where there was no MFA and then proceeded to install remote access tools,” Kanady said. “Not having MFA in place on external systems that can be logged into is a very big security risk. This can be easily avoided.”
Kanady also recommended “monitoring for unauthorized software installs, new application services, or inbound traffic from unknown sources.”
Allowlisting approved remote access programs and monitoring one’s network for BlackCat indicators of compromise (IoCs) are also recommended by the government joint advisory.
