BlackCat (cyber gang)
Formation | 2021 |
---|---|
Type | Hacking |
Parent organization | FIN7, DarkSide (hacker group) |
BlackCat, also known as ALPHV[1] and Noberus,[2] is a ransomware family written in Rust. It made its first appearance in November 2021. By extension, it is also the name of the threat actor(s) who exploit it.
BlackCat operates on a ransomware as a service (RaaS) model, with developers offering the malware for use by affiliates and taking a percentage of ransom payments. For initial access, the ransomware relies primarily on stolen credentials obtained through initial access brokers. The group operates a public data leak site to pressure victims to pay ransom demands.
The group has targeted hundreds of organizations worldwide, including Reddit in 2023 and Change Healthcare in 2024.[3] Since its first appearance, it has been one of the most active ransomware families.[4]
As of February 2024, the U.S. Department of State is offering rewards of up to $10 million for leads that could identify or locate ALPHV/BlackCat ransomware gang leaders.[5]
In March 2024, a representative for BlackCat claimed that the group is shutting down in the aftermath of the 2024 Change Healthcare ransomware attack.[6]
Description
The group behind BlackCat mostly uses double extortion, but sometimes adds triple extortion, which involves exposing exfiltrated data and threatening to launch distributed denial-of-service (DDoS) attacks on victims' infrastructure.[7]
BlackCat-affiliated threat actors typically request ransom payments of several million dollars in Bitcoin and Monero and have accepted ransom payments below the initial ransom demand amount. According to the FBI, many of the developers and money launderers for BlackCat/ALPHV are linked to DarkSide/Blackmatter, indicating they have extensive networks and experience with ransomware operations.[1]
The group is known for being the first ransomware group to create a public data leak website on the open internet. Previous cyber gangs typically published stolen data on the dark web. BlackCat's innovation was to post excerpts or samples of victims' data on a site accessible to anyone with a web browser. Security experts believe the tactic is intended to lend more credibility to the group's claims of breaching victims' systems and to increase pressure on organizations to pay ransoms to prevent full public exposure of their data.[8] The group also mimics its victims' websites to post stolen data on typosquatted replicas on the web.[9]
In its early campaigns, Royal ransomware used the encryptor tool called "BlackCat".[10]
History
Beginning (2021-2022)
The malware was first observed by researchers from the MalwareHunterTeam in mid-November 2021.[7]
By April 2022, the Federal Bureau of Investigation (FBI) released an advisory that several developers and money launderers for BlackCat had links to two defunct ransomware as a service (RaaS) groups – DarkSide and BlackMatter.[7] According to some experts, the ransomware might be a rebranding of DarkSide, after their May 2021 attack on the Colonial Pipeline.[11] It might also be a successor to the REvil cybercriminal group which was dismantled in late 2021.[8]
Throughout 2022, BlackCat compromised and extorted numerous high-profile organizations globally including universities, government agencies and companies in the energy, technology, manufacturing, and transportation sectors. Reported victims include Moncler, Swissport, North Carolina A&T, Florida International University, the Austrian state of Carinthia, Regina Public Schools, the city of Alexandria, the University of Pisa, Bandai Namco, Creos, Accelya, GSE, NJVC, EPM, and JAKKS Pacific.[12]
In September 2022, a report noted that the ransomware was using the Emotet botnet.[7]
In late May 2022, a European government was attacked and a ransom of US$5 million was demanded.[7]
Sphynx variant (2023)
At the beginning of 2023, BlackCat attacked Grupo Estrategas EMM, NextGen Healthcare, Solar Industries India, Instituto Federal Do Pará, Munster Technological University, and Lehigh Valley Health Network.[12]
In February 2023, a variant called "Sphynx" was released with updates to increase speed and stealth. As of May 2023, the group is estimated to have targeted over 350 victims globally since its emergence.[2]
In June 2023, the group claimed responsibility for a February 2023 breach of Reddit's systems. On their data leak site, they claimed that they stole 80 GB of compressed data and demanded a $4.5 million ransom from Reddit. This attack did not involve data encryption like typical ransomware campaigns.[13]
Takedown (December 2023)
On December 19, 2023, the group's website was replaced with an image: a message from the FBI stating "The Federal Bureau of Investigation seized this site as part of a coordinated law enforcement action taken against Alphv Blackcat Ransomware."[14]
The FBI announced that same day they had "disrupted" the ALPHV/BlackCat group by seizing multiple websites as well as releasing a decryption tool. The tool could be used by ransomware victims to decrypt their files without paying the ransom.[15]
As of February 2024, the U.S. Department of State is offering rewards of up to $10 million for leads that could identify or locate ALPHV/BlackCat ransomware gang leaders. It is offering an additional $5 million reward for tips on people who take part in ALPHV ransomware attacks.[16]
Attack on Hong Kong's Consumer Council (May 2024)
In May 2024, The Standard (Hong Kong) reported that Hong Kong's Consumer Council had been the target of "a ransomware attack on its servers and endpoint devices" and that such an attack had been conducted by ALPHV.[17]
Tactics and techniques
Threat actors associated with BlackCat were observed using "malvertising", an "SEO poisoning" technique that uses advertising to trick users searching for applications like WinSCP into downloading and spreading its malware; as Ravie Lakshmanan noted, writing for The Hacker News, the approach
typically involves hijacking a chosen set of keywords (e.g., "WinSCP Download") to display bogus ads on Bing and Google search results pages with the goal of redirecting unsuspecting users to sketchy pages[18]
that is, using hijacked webpages of legitimate organizations to redirect users to pages hosting malware.[18]
The rogue WinSCP installer then delivers a backdoor containing a Cobalt Strike beacon that allows follow-on intrusions by the hackers; access afforded by the beacon allows for reconnaissance, data exfiltration, tampering with security controls, and lateral movement. The threat actors also gained administrative privileges, and thus began setting up backdoors before the attack was discovered.[18] The ransomware incorporates techniques like junk code and encrypted strings to avoid detection.[citation needed]
Specifically, the gang uses Emotet botnet malware as an entry point, and Log4J Auto Expl to propagate the ransomware laterally within the network.[7][verification needed] The group abuses Group Policy Objects (GPOs) to distribute malware and disable security controls across networks.[19] The malware uses tools like ExMatter to steal sensitive data before deploying ransomware to encrypt files.[12]
Once executed, BlackCat performs network discovery to find more systems to infect, deletes volume shadow copies, encrypts files, and drops a ransom note demanding cryptocurrency.[2]
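From a detection standpoint, the post-execution sequence described above can be correlated per host. The following is an added example, not taken from the article or its sources: the event format, the command-line patterns and the sample telemetry are assumptions chosen for illustration, and it covers the discovery, shadow-copy deletion and ransom-note stages.

```python
import re
from datetime import datetime, timedelta

# Assumed patterns: generic Windows commands for each behaviour, not
# BlackCat-specific indicators taken from the article.
PROC_STAGES = {
    "discovery": re.compile(r"\bnet1?\s+view\b|\bnltest\s+/dclist|\barp\s+-a\b", re.I),
    "shadow_delete": re.compile(
        r"\bvssadmin(\.exe)?\s+delete\s+shadows|\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I),
}

def correlate(events, window=timedelta(minutes=30), min_dirs=3):
    """Return {host: sorted stage names} for hosts where shadow-copy deletion
    and at least one other stage first appear within `window` of each other."""
    first_seen = {}  # host -> {stage: first timestamp}
    note_dirs = {}   # (host, file name) -> folders that file name was written to
    for e in sorted(events, key=lambda e: e["ts"]):
        stages = first_seen.setdefault(e["host"], {})
        if e["kind"] == "proc":
            for name, rx in PROC_STAGES.items():
                if rx.search(e["detail"]):
                    stages.setdefault(name, e["ts"])
        elif e["kind"] == "file":
            folder, _, base = e["detail"].lower().rpartition("\\")
            dirs = note_dirs.setdefault((e["host"], base), set())
            dirs.add(folder)
            if len(dirs) >= min_dirs:  # same file name dropped across folders
                stages.setdefault("note_drop", e["ts"])
    alerts = {}
    for host, stages in first_seen.items():
        anchor = stages.get("shadow_delete")
        near = [s for s, ts in stages.items() if anchor and abs(ts - anchor) <= window]
        if len(near) >= 2:
            alerts[host] = sorted(near)
    return alerts

def ev(host, hhmm, kind, detail):
    ts = datetime.strptime("2024-01-01 " + hhmm, "%Y-%m-%d %H:%M")
    return {"host": host, "ts": ts, "kind": kind, "detail": detail}

# Constructed sample telemetry, not from a real incident.
SAMPLE = [
    ev("ws01", "10:00", "proc", "net view /all"),
    ev("ws01", "10:05", "proc", "vssadmin.exe delete shadows /all /quiet"),
    ev("ws01", "10:06", "file", r"C:\Users\a\Documents\NOTE.txt"),
    ev("ws01", "10:06", "file", r"C:\Users\a\Desktop\NOTE.txt"),
    ev("ws01", "10:07", "file", r"C:\Shares\hr\NOTE.txt"),
    ev("srv02", "09:00", "proc", "vssadmin list shadows"),  # benign query
]
```

Requiring shadow-copy deletion plus a second stage keeps routine administration such as `vssadmin list shadows` from raising an alert on its own.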
Uses
MGM and Caesars
Scattered Spider, an ALPHV affiliate (and speculated by some outlets to be a subgroup of ALPHV[20]) made up primarily of British and American hackers, worked with ALPHV in its September 2023 ransomware attacks against MGM Resorts International and Caesars Entertainment, the two largest casino operators and gaming companies in Las Vegas and some of the largest in the world. The hackers demanded a US$30 million ransom from Caesars, which paid $15 million to the hackers. MGM, however, did not pay the ransom and instead shut down all systems for a period of weeks. This further affected MGM's online offerings, such as its sports betting platform BetMGM.[21][22][23] The cyberattack on MGM led to a significant impact of $100 million on the company's financial performance for the third quarter of 2023.[24]
Motel One
ALPHV was also used to conduct a ransomware attack against Motel One, though the company stated that its normal business operations were never at risk. The hackers were able to access some customer data and an estimated 150 credit cards.[20]
Change Healthcare (UnitedHealth Group)
BlackCat was reported to be behind the 2024 Change Healthcare ransomware attack. Change Healthcare paid a $22 million ransom to recover data after the attack. However, a payment dispute between BlackCat and an affiliate involved with the attack has resulted in a BlackCat representative claiming that the group is shutting down and selling the source code for its ransomware products. This dispute has been viewed as a potential exit scam by the developers.[6]
References
1. "FBI Releases IOCs Associated with BlackCat/ALPHV Ransomware | CISA". www.cisa.gov. 2022-04-22. Retrieved 2023-07-14.
2. Lakshmanan, Ravie (2023-06-01). "Improved BlackCat Ransomware Strikes with Lightning Speed and Stealthy Tactics". The Hacker News. Retrieved 2023-07-25.
3. Lyons, Jessica. "Reddit confirms BlackCat ransomware gang stole its data". www.theregister.com. Retrieved 2024-03-03.
4. "BlackCat (ALPHV) Ransomware Levels Up for Stealth, Speed and Exfiltration". Security Intelligence. Retrieved 2023-07-25.
5. "US offers up to $15 million for tips on ALPHV ransomware gang". BleepingComputer. Retrieved 2024-02-20.
6. "BlackCat Ransomware Group Implodes After Apparent $22M Payment by Change Healthcare – Krebs on Security". 2024-03-05. Retrieved 2024-05-21.
7. "Ransomware Spotlight: BlackCat - Security News". www.trendmicro.com. Retrieved 2023-07-14.
8. "The Royal & BlackCat Ransomware: What you Need to Know | Tripwire". www.tripwire.com. Retrieved 2023-07-26.
9. Labs, Cyware. "ALPHV/BlackCat Clones Victim's Website to Post Stolen Data | Cyware Hacker News". Cyware Labs. Retrieved 2023-07-26.
10. "Ransomware Spotlight: Royal – Security News". www.trendmicro.com. Retrieved 2023-07-11.
11. "Breaking Down the BlackCat Ransomware Operation". cisecurity.org. 7 July 2022.
12. Cyware Labs Staff (2023-07-26). "The Rise of BlackCat Ransomware: A Dark Tale of Cybercrime". Cyware Labs. Retrieved 2023-07-26.
13. "The Week in Ransomware - June 23rd 2023 - The Reddit Files". BleepingComputer. Retrieved 2023-07-25.
14. Hay Newman, Lily (Dec 19, 2023). "A Major Ransomware Takedown Suffers a Strange Setback". Wired. Archived from the original on Dec 20, 2023.
15. "Justice Department Disrupts Prolific ALPHV/Blackcat Ransomware Variant". U.S. Department of Justice. Dec 19, 2023.
16. "US offers up to $15 million for tips on ALPHV ransomware gang". BleepingComputer. Retrieved 2024-02-20.
17. Shi, Stacy (3 May 2024). "Consumer Council's security weaknesses blamed for leak". The Standard. Retrieved 3 May 2024.
18. Lakshmanan, Ravie (Jul 3, 2023). "BlackCat Operators Distributing Ransomware Disguised as WinSCP via Malvertising". The Hacker News. Retrieved 2023-07-25.
19. "BlackCat (ALPHV) Ransomware Levels Up for Stealth, Speed and Exfiltration". Security Intelligence. Retrieved 2023-07-25.
20. Page, Carly (2023-10-03). "Motel One says ransomware gang stole customer credit card data". TechCrunch. Retrieved 2023-10-03.
21. Siddiqui, Zeba; Satter, Raphael (2023-09-22). "'Power, influence, notoriety': The Gen-Z hackers who struck MGM, Caesars". Reuters. Retrieved 2023-10-03.
22. "Hackers tied to Las Vegas attacks known for sweet-talking their way into company systems". NBC News. 2023-09-15. Retrieved 2023-10-03.
23. Brewer, Contessa; Goswami, Rohan (2023-09-14). "Caesars paid millions in ransom to cybercrime group prior to MGM hack". CNBC. Retrieved 2023-10-03.
24. "UnitedHealth says 'Blackcat' ransomware group behind hack at tech unit". Reuters.