CloudSEK's Threat Intelligence Research team analyzed the profile of the ransomware group dubbed BlackCat. The group has no online presence apart from an exclusive Onion site, where it posts its activities, updates, and targeted victims.
Published on January 7, 2022
Updated on April 19, 2023
BlackCat is the first known professional ransomware group to use the Rust programming language.
CloudSEK’s Threat Intelligence team conducted further research to analyze the group’s operations and Tactics, Techniques, and Procedures (TTPs).
Detailed Analysis
Information from the BlackCat Onion Site
BlackCat, also known as ALPHVM, is a newly emerged ransomware group that maintains a presence on the dark web. It is currently linked to two different sites: a leak site named ALPHVM and a second site named BlackCat.
ALPHVM’s Onion site
Information from Social Media
BlackCat has garnered a lot of attention on Twitter for being a Rust-based ransomware group. One of the first threat-actor groups to use Rust as part of its arsenal was the BadBeeTeam ransomware.
Some Twitter users, such as Dark Tracers, mention that BlackCat has four Onion sites in operation.
There is much speculation about who the operators behind such sophisticated malware could be. Researchers, along with some notorious threat actors, claim that the BlackCat operators were formerly associated with the REvil ransomware group.
Information from Discussions on Cybercrime Forums
According to forum discussions, ALPHV is a former member of the REvil group, which suggests that the BlackCat ransomware group is most likely associated with REvil.
A member of the LockBit ransomware group has claimed that BlackCat is a rebrand of BlackMatter/DarkSide.
Post shared by the threat actor on the English-speaking cybercrime forum
There are also discussions of how the group used Russian-language cybercrime forums to recruit affiliates. They are keen on hiring pentesters skilled in Windows, Linux, and ESXi, which are their encryption targets.
CloudSEK's Threat Intelligence team picked up similar recruitment posts published between 8 and 12 December 2021. The posts state that partners will receive 80%-90% of the final ransom amount, which is obtained through double extortion.
Months before the BlackCat ransomware emerged, the book 'Black Hat Rust' was being distributed across cybercrime forums, and access to ESXi hosts was being actively traded.
So far, the victims posted by the Alphv-ng/BlackCat ransomware group are:
Star World Wide (Posted on 30 November 2021)
New City Commercial Corporation (Posted on 9 December 2021)
A threat actor on an English-speaking cybercrime forum recently requested affiliates and access to entities in selected countries. The actor's profile picture and the profit percentages on offer indicate that they could be operators or affiliates of the BlackCat ransomware group.
The actor requested access to entities in the following countries:
United States
Ukraine
Switzerland
They have also shared a rate card for potential affiliates to consider:
Information from Open Sources
Threat actors have now released Linux-based variants of the BlackCat ransomware.
Users engaged in related discussions are releasing the samples for the Linux-based variants.
According to EcuCERT, the malware affects:
Windows 7 and later (7, 8.1, 10, 11; Server 2008 R2, 2012, 2016, 2019, 2022), as well as Windows XP and Server 2003
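The page states that BlackCat is written in Rust and that Linux variants are now circulating, but gives no indicators for either. As an added triage check, not from CloudSEK and not derived from any BlackCat sample, the Python script below looks for generic Rust toolchain artifacts (rustc source paths, panic-runtime symbol names, Cargo registry paths) in an unstripped binary and extracts crate names from any Cargo paths it finds. The marker list is a heuristic assumption, the embedded sample bytes are constructed, and a stripped or packed build will not contain these strings.

```python
import re
from typing import Dict, List

# Substrings that rustc and the Rust std library commonly leave in an
# unstripped binary. Assumption: these are generic toolchain artifacts,
# not BlackCat-specific indicators; absence does not prove "not Rust".
RUST_MARKERS: List[bytes] = [
    b"/rustc/",                 # std source paths embedded at build time
    b"library/std/src/",        # std source path fragment
    b"library/core/src/",       # core source path fragment
    b"rust_begin_unwind",       # panic runtime symbol
    b"core::panicking",         # panic machinery symbol names
    b"called `Option::unwrap()` on a `None` value",  # std panic message
    b".cargo/registry/src/",    # paths from crates pulled in via Cargo
]

# Matches ".cargo/registry/src/<index-dir>/<crate>-<version>/" and captures
# "<crate>-<version>", e.g. "clap-3.0.0".
CRATE_RE = re.compile(
    rb"\.cargo/registry/src/[^/\x00]+/([A-Za-z0-9_\-]+-\d[\w.\-]*)/"
)


def rust_indicators(blob: bytes) -> Dict[str, object]:
    """Return the Rust markers found in blob, any crate names, and a verdict.

    The verdict requires at least two independent markers so that a single
    coincidental string (for example a path in an unrelated binary) does not
    flag a sample on its own.
    """
    hits = [m.decode("ascii", "replace") for m in RUST_MARKERS if m in blob]
    crates = sorted({c.decode("ascii", "replace") for c in CRATE_RE.findall(blob)})
    return {"markers": hits, "crates": crates, "likely_rust": len(hits) >= 2}


def scan_file(path: str) -> Dict[str, object]:
    """Convenience wrapper: read a file from disk and run the heuristic on it."""
    with open(path, "rb") as fh:
        return rust_indicators(fh.read())


# Constructed sample bytes mimicking strings left in an unstripped Rust ELF.
# The commit hash and paths are placeholders; this is NOT a ransomware sample.
SAMPLE_RUST = (
    b"\x7fELF\x00\x00" + b"A" * 16
    + b"/rustc/0123456789abcdef0123456789abcdef01234567/library/std/src/panicking.rs\x00"
    + b"rust_begin_unwind\x00core::panicking::panic_fmt\x00"
    + b"/home/build/.cargo/registry/src/github.com-1ecc6299db9ec823/clap-3.0.0/src/parser.rs\x00"
)

# Constructed sample mimicking a C binary built with GCC; should not match.
SAMPLE_C = b"\x7fELF\x00\x00" + b"GCC: (GNU) 11.2.0\x00__libc_start_main\x00printf\x00"

if __name__ == "__main__":
    for name, blob in (("rust-like", SAMPLE_RUST), ("c-like", SAMPLE_C)):
        print(name, rust_indicators(blob))
```

Run `scan_file()` on a sample and treat the result as a triage hint only: the markers can be removed with `strip`, hidden by a packer, or suppressed at build time, so a negative result says nothing, and a positive result identifies the toolchain, not the malware family.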
BlackCat affiliate program on a cybercrime forum
Possible connection with the BlackCat affiliate program on a cybercrime forum
Threat actors showing interest in working with ransomware affiliates
Newly emerged Linux variants of the BlackCat ransomware