New BlackCat ransomware variant leverages Impacket for lateral movement

A close-up of cat eyes, black cat

Microsoft Threat Intelligence has observed a new version of the BlackCat ransomware being used in recent campaigns based on the open-source communication framework tool Impacket, which threat actors use to facilitate lateral movement in target environments.

In a post Aug. 17 on X, (formerly Twitter), the Microsoft researchers said Impacket has credential dumping and remote service execution modules that attackers could use for broad deployment of the BlackCat ransomware. This BlackCat version also has the Remcom hacktool embedded in the executable for remote code execution.

The evolution of this new version of the BlackCat ransomware was reported in a May 30 blog by IBM Security X-Force. In its blog, IBM performed intricate research into the new BlackCat encryptor, explaining that that the encryptor evolved into a toolkit that now contains Impacket.

Jesse Ratcliffe, principal, Red Team Ops at Coalfire, said the ALPHV/BlackCat ransomware gang has been causing chaos and mayhem around the world over the past year. Just in August, ALPHV attacked at least four companies, leaking sensitive data about employees and corporate assets from each one, said Ratcliffe.

Ratcliffe also pointed out that security researchers have speculated that the leaders of BlackCat are affiliated with the well-known RaaS gang, LockBit, and the two groups have traded access and exploits with each other.

“As threat actors expand their tooling and techniques, so does the unique strains of their custom ransomware,” Ratcliffe said. “It’s critical to get out ahead of these attacks, creating a readiness tabletop ‘doomsday’ plan for recovery, while patching systems and monitoring for suspicious and unauthorized access within the infrastructure.”

Darren Guccione, co-founder and CEO at Keeper Security, added that as long as ransomware gangs continue to receive a payout, with little chance of consequences for the bad actors, we can expect incidence rates to rise.

“For cybercriminals today, the readily available ransomware tools are becoming more sophisticated and not all companies are adequately defending themselves from cyberattacks despite an increasing attack surface through increased reliance on technology and distributed remote work,” said Guccione.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.