In recent years, ransomware attacks have become increasingly common, with new strains being discovered all the time. One such strain is BlackCat ransomware, which has been causing havoc for organizations across the world. ALPHV, also known as BlackCat, is a ransomware family first seen in late 2021 and has been targeting multiple firms across industries. The operators of the ransomware are seen employing double extortion techniques, which involve not only encrypting the system but also stealing sensitive files from their victims. Reportedly, another tool is used with the ransomware for stealing data.
BlackCat ransomware is written in Rust and comes in the form of a command-line tool, which can be run with different arguments. It is capable of killing multiple processes and services. One of its key features is its ability to escalate privileges and bypass User Account Control (UAC). This sophisticated malware uses either AES or ChaCha20 encryption (depending on its configuration) to encrypt all the files on a victim's system. Additionally, it has sandbox evasion capabilities, making it hard to analyze the sample. The ransomware requires arguments to run, making it impossible to analyze by a sandbox. In this blog, we'll take a closer look at the characteristics and technicalities of this Rust-written ransomware.
Historical Campaign Overview
It has been witnessed that attackers that use the BlackCat ransomware also reportedly use a .NET stealer tool named ExMatter, developed by the same APT group, in order to download files from the victim machine. This is what makes this attack even more formidable since this gives attackers the leverage to use a technique known as double extortion, which involves the added pressure of leaking stolen files possibly containing sensitive data. (Refer to the Appendix for a YARA rule that helps with hunting BlackCat.)
Technical Analysis
The BlackCat binary comes in the form of a command-line tool that can be run using different arguments. For example:
- By using –verbose, the logs created by BlackCat will be displayed on the console.
- The –ui option displays a GUI-like display in the terminal window, showing the progress and information related to the files being encrypted on the system.
Out of these arguments, only one of them is essential to the execution of the binary, which is the access-token argument.
Pre-Encryption Operations
As mentioned earlier, the binary will only run if it is supplied with a 32-character long access token. It uses the GetCommandLineW API in order to check whether the access token is correctly supplied.
Depending on the version of the Ransomware, this token can either be random (like in this sample), or as seen in the latest versions, this access token is a 32-character key used to encrypt the configuration of the Ransomware embedded within the binary. Latest versions do this in order to stop security researchers from extracting the configuration. This also serves as an anti-sandboxing measure, since automated analysis tools will not be able to execute the sample unless they are configured to supply the access token.
Ransom Note
Once the access token is supplied to the binary, the Ransomware proceeds by decrypting the ransom note embedded within the binary and storing it for later use. It also sets the ransom note as the Desktop wallpaper.
After this, the Ransomware prepares itself to escalate privileges by creating a new thread using the CreateThread API.
Privilege Escalation & UAC Bypass
BlackCat ransomware performs a UAC bypass by abusing Microsoft COM (component object model). This attack involves using COM objects of a binary known as Microsoft CMSTP (Connection Manager Profile Installer), particularly the CMSTPLUA interface {3E5FC7F9-9A51-4367-9063-A120244FBEC7}.
The ransomware uses CoGetObject to register itself with the CLSID {3E5FC7F9-9A51-4367-9063-A120244FBEC7}, which is legitimately used to execute applications with elevated privileges. This technique allows it to bypass the UAC prompt and perform its malicious actions without being detected or blocked by the system's security measures.
Using CoGetObject to register itself with {3E5FC7F9-9A51-4367-9063-A120244FBEC7} in order to gain elevated privileges
Once the ransomware elevates privileges, it executes within the newly created thread and carries its arguments forward from its previous instance.
After this, BlackCat uses the LookupPrivilegeValueW API in order to look for local identifiers for a list of privileges. Each of these privileges enables the running process to run system-level operations. (Refer to the Appendix for a complete list and description of each privilege). The binary then uses AdjustTokenPriveleges in order to grant itself those privileges.
Finally, BlackCat ends its preparation for encryption by doing the following:
- Deleting all volume shadow copies using vssadmin and wmic commads, thus making data recovery much harder.
- Disabling Automatic Repair using bcdedit, in order to prevent the recovery of system-related files.
- Clearing event logs.
- Terminating all active services and processes.
Note: BlackCat has its configuration embedded within itself and decrypts it at runtime. The configuration contains information about the public key to be used in order to encrypt the key, any specific services to terminate, an exception list, etc.
Data Encryption
The sample of BlackCat utilized for this analysis employs AES for encryption. The steps involved in encrypting are as follows:
- BlackCat first traverses the system by using a loop of FindFirstFile and FindNextFIle in order to find all the files on the system.
- The ransom note is written to each directory using WriteFile.
- Using BCryptGenRandom, the ransomware calculates a random AES key.
- A JSON block is created for each file, which contains the AES key that is used to encrypt the file, and information about the file.
- The AES key is further encrypted using the RSA public key stored in the BlackCat configuration.
- The file is encrypted using AES, and the contents are written to the file using ReadFile and WriteFile. The new extension of the file is mentioned in the BlackCat configuration.
Post-Encryption Operations
Once BlackCat is done encrypting all files on the system, the Desktop wallpaper is changed, instructing the user to refer to the ransom note.
The .onion URL specified in the ransom note is unique to each victim, as each sample uses a different access token, supplied to the URL as a parameter. The onion URL contains information about the files encrypted/stolen and instructions on how to pay the ransom.
Indicators of Compromise (IoCs)
SHA256
847FB7609F53ED334D5AFFBB07256C21CB5E6F68B1CC14004F5502D714D2A456
3a08e3bfec2db5dbece359ac9662e65361a8625a0122e68b56cd5ef3aedf8ce1
9802a1e8fb425ac3a7c0a7fca5a17cfcb7f3f5f0962deb29e3982f0bece95e26
f7a038f9b91c40e9d67f4168997d7d8c12c2d27cd9e36c413dd021796a24e083