BlackCat (cyber gang)

Last updated
BlackCat/ALPHV
Formation2021
TypeHacking
Parent organization
FIN7, DarkSide (hacker group)

BlackCat, also known as ALPHV [1] and Noberus, [2] is a ransomware family written in Rust. It made its first appearance in November 2021. By extension, it is also the name of the threat actor(s) who exploit it.

Contents

BlackCat operates on a ransomware as a service (RaaS) model, with developers offering the malware for use by affiliates and taking a percentage of ransom payments. For initial access, the ransomware relies essentially on stolen credentials obtained through initial access brokers. The group operates a public data leak site to pressure victims to pay ransom demands.

The group has targeted hundreds of organizations worldwide, including Reddit in 2023 and Change Healthcare in 2024. [3] Since its first appearance, it is one of the most active ransomware. [4]

As of February 2024, the U.S. Department of State is offering rewards of up to $10 million for leads that could identify or locate ALPHV/BlackCat ransomware gang leaders. [5]

In March 2024, a representative for BlackCat claimed that the group is shutting down in the aftermath of the 2024 Change Healthcare ransomware attack. [6]

Description

The group behind BlackCat utilizes mostly double extortion tactic but sometimes includes triple extortion which involves exposing exfiltrated data and threatening to launch distributed denial-of-service (DDoS) attacks on victims’ infrastructure. [7]

BlackCat-affiliated threat actors typically request ransom payments of several million dollars in Bitcoin and Monero and have accepted ransom payments below the initial ransom demand amount. According to the FBI, many of the developers and money launderers for BlackCat/ALPHV are linked to DarkSide/Blackmatter, indicating they have extensive networks and experience with ransomware operations. [1]

The group is known for being the first ransomware to create a public data leaks website on the open internet. Previous cyber gangs typically published stolen data on the dark web. BlackCat's innovation was to post excerpts or samples of victims' data on a site accessible to anyone with a web browser. Security experts believe the tactic is intended to demonstrate more credibility to their claims of breaching victims' systems and increase pressure on organizations to pay ransoms to prevent full public exposure of their data. [8] The group also mimics its victims' websites to post stolen data on typo squatted replicas on the web. [9]

In its early campaigns, Royal ransomware used the encryptor tool called "BlackCat". [10]

History

Beginning (2021-2022)

The malware was first observed by researchers from the MalwareHunterTeam in mid-November 2021. [7]

By April 2022, the Federal Bureau of Investigation (FBI) released an advisory that several developers and money launderers for BlackCat had links to two defunct ransomware as a service (RaaS) groups – DarkSide and BlackMatter. [7] According to some experts, the ransomware might be a rebranding of DarkSide, after their May 2021 attack on the Colonial Pipeline. [11] It might also be a successor to the REvil cybercriminal group which was dismantled in late 2021. [8]

Throughout 2022, BlackCat compromised and extorted numerous high-profile organizations globally including universities, government agencies and companies in the energy, technology, manufacturing, and transportation sectors. Reported victims include Moncler, Swissport, North Carolina A&T, Florida International University, the Austrian state of Carinthia, Regina Public Schools, the city of Alexandria, the University of Pisa, Bandai Namco, Creos, Accelya, GSE, NJVC, EPM, and JAKKS Pacific. [12]

In September 2022, a report noted that the ransomware was using the Emotet botnet. [7]

In late May 2022, a European government was attacked and asked US$5 million in ransom. [7]

Sphynx variant (2023)

At the beginning of the year 2023, Blackcat attacked Grupo Estrategas EMM, NextGen Healthcare, Solar Industries India, Instituto Federal Do Pará, Munster Technological University, and Lehigh Valley Health Network. [12]

In February 2023, a variant called "Sphynx" was released with updates to increase speed and stealth. As of May 2023, the group is estimated to have targeted over 350 victims globally since its emergence. [2]

In June 2023, the group claimed responsibility for a February 2023 breach of Reddit's systems. On their data leak site, they claimed that they stole 80 GB of compressed data and demanded a $4.5 million ransom from Reddit. This attack did not involve data encryption like typical ransomware campaigns. [13]

Takedown (December 2023)

Website seizure notice placed on an Alphv/Blackcat website. Alphv Blackcat takedown.png
Website seizure notice placed on an Alphv/Blackcat website.

On December 19, 2023 the group's website was replaced with an image: a message from the FBI claiming "The Federal Bureau of Investigation seized this site as part of a coordinated law enforcement action taken against Alphv Blackcat Ransomware.” [14]

The FBI announced that same day they had "disrupted" the ALPHV/BlackCat group by seizing multiple websites as well as releasing a decryption tool. The tool could be used by ransomware victims to decrypt their files without paying the ransom. [15]

As of February 2024, U.S. Department of State is offering rewards of up to $10 million for leads that could identify or locate ALPHV/Blackcat ransomware gang leaders. They are offering an additional $5 million reward for tips on people who take part in ALPHV ransomware attacks. [16]

Attack on Hong Kong's Consumer Council (May 2024)

In May 2024, The Standard (Hong Kong) reported that Hong Kong's Consumer Council had been the target of "a ransomware attack on its servers and endpoint devices" and that such an attack had been conducted by ALPHV. [17]

Tactics and techniques

The gang uses Emotet botnet malware as an entry point. It also uses Log4J Auto Expl to propagate the ransomware laterally within the network. [7]

Threat actors associated with BlackCat were observed using hijacked webpages of legitimate organizations to redirect users to pages hosting malware. The rogue WinSCP installer distributed a backdoor containing a Cobalt Strike Beacon for follow-on intrusion activities. The access afforded by Cobalt Strike was used to conduct reconnaissance, lateral movement, data exfiltration, and tampering with security software. The threat actors gained domain admin privileges and began setting up backdoors before the attack was discovered. [18]

The group abuses Group Policy Objects (GPOs) to distribute malware and disable security controls across networks. [19]

The malware uses tools like ExMatter to steal sensitive data before deploying ransomware to encrypt files. [12]

The ransomware incorporates techniques like junk code and encrypted strings to avoid detection. Once executed, BlackCat performs network discovery to find more systems to infect, deletes volume shadow copies, encrypts files, and drops a ransom note demanding cryptocurrency. [2]

Uses

MGM and Caesars

Scattered Spider, an affiliate of ALPHV users (and speculated by some outlets to be a subgroup of ALPHV [20] ) made up primarily of British and American hackers, worked with ALPHV in its September 2023 ransomware attacks against MGM Resorts International and Caesars Entertainment, the two largest casino operators and gaming companies in Las Vegas and some of the largest in the world. The hackers demanded a $30 million USD ransom from Caesars, which paid $15 million to the hackers. MGM, however, did not pay the ransom and instead shut down all systems for a period of weeks. This further affected MGM's online offerings, such as its sports betting platform BetMGM. [21] [22] [23] The cyberattack on MGM led to a significant impact of $100 million on the company's financial performance for the third quarter of 2023. [24]

Motel One

ALPHV was also used to conduct a ransomware attack against Motel One, though the company stated that its normal business operations were never at risk. The hackers were able to access some customer data and an estimated 150 credit cards. [20]

Change Healthcare (UnitedHealth Group)

BlackCat was reported to be behind the 2024 Change Healthcare ransomware attack. Change Healthcare paid a $22 million ransom to recover data after the attack. However, a payment dispute between BlackCat and an affiliate involved with the attack has resulted in a BlackCat representative claiming that the group is shutting down and selling the source code for its ransomware products. This dispute has been viewed as a potential exit scam by the developers. [6]

Related Research Articles

Ransomware is a type of malware that permanently blocks access to the victim's personal data unless a "ransom" is paid. While some simple ransomware may lock the system without damaging any files, more advanced malware uses a technique called cryptoviral extortion. It encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem, and difficult-to-trace digital currencies such as paysafecard or Bitcoin and other cryptocurrencies are used for the ransoms, making tracing and prosecuting the perpetrators difficult.

<span class="mw-page-title-main">Timeline of Internet conflicts</span>

The Internet has a long history of turbulent relations, major maliciously designed disruptions, and other conflicts. This is a list of known and documented Internet, Usenet, virtual community and World Wide Web related conflicts, and of conflicts that touch on both offline and online worlds with possibly wider reaching implications.

Lazarus Group is a hacker group made up of an unknown number of individuals, alleged to be run by the government of North Korea. While not much is known about the Lazarus Group, researchers have attributed many cyberattacks to them since 2010. Originally a criminal group, the group has now been designated as an advanced persistent threat due to intended nature, threat, and wide array of methods used when conducting an operation. Names given by cybersecurity organizations include Hidden Cobra and ZINC or Diamond Sleet. According to North Korean defector Kim Kuk-song, the unit is internally known in North Korea as 414 Liaison Office.

<span class="mw-page-title-main">Locky</span>

Locky is ransomware malware released in 2016. It is delivered by email with an attached Microsoft Word document that contains malicious macros. When the user opens the document, it appears to be full of gibberish, and includes the phrase "Enable macro if data encoding is incorrect," a social engineering technique. If the user does enable macros, they save and run a binary file that downloads the actual encryption Trojan, which will encrypt all files that match particular extensions. Filenames are converted to a unique 16 letter and number combination. Initially, only the .locky file extension was used for these encrypted files. Subsequently, other file extensions have been used, including .zepto, .odin, .aesir, .thor, and .zzzzz. After encryption, a message instructs them to download the Tor browser and visit a specific criminal-operated Web site for further information.

REvil was a Russia-based or Russian-speaking private ransomware-as-a-service (RaaS) operation. After an attack, REvil would threaten to publish the information on their page Happy Blog unless the ransom was received. In a high profile case, REvil attacked a supplier of the tech giant Apple and stole confidential schematics of their upcoming products. In January 2022, the Russian Federal Security Service said they had dismantled REvil and charged several of its members.

Ryuk is a type of ransomware known for targeting large, public-entity Microsoft Windows cybersystems. It typically encrypts data on an infected system, rendering the data inaccessible until a ransom is paid in untraceable bitcoin. Ryuk is believed to be used by two or more criminal groups, most likely Russian or Ukrainian, who target organizations rather than individual consumers.

Emsisoft Ltd. is a New Zealand-based anti-virus software distributed company. They are notable for decrypting ransomware attacks to restore data.

FIN7, also called Carbon Spider, ELBRUS, or Sangria Tempest, is a Russian criminal advanced persistent threat group that has primarily targeted the U.S. retail, restaurant, and hospitality sectors since mid-2015. A portion of FIN7 is run out of the front company Combi Security. It has been called one of the most successful criminal hacking groups in the world. FIN7 is also associated with GOLD NIAGARA, ITG14, ALPHV and BlackCat.

DarkSide is a cybercriminal hacking group, believed to be based in Russia, that targets victims using ransomware and extortion; it is believed to be behind the Colonial Pipeline cyberattack. It is thought that they have been able to hack and extort money from around 90 companies in the USA alone. The group provides ransomware as a service.

Conti is malware developed and first used by the Russia-based hacking group "Wizard Spider" in December, 2019. It has since become a full-fledged ransomware-as-a-service (RaaS) operation used by numerous threat actor groups to conduct ransomware attacks.

Wizard Spider, also known as Trickbot, DEV-0193, UNC2053, or Periwinkle Tempest, is a cybercrime group based in and around Saint Petersburg in Russia. Some members may be based in Ukraine. They are estimated to number about 80, some of them may not know they are employed by a criminal organisation.

<span class="mw-page-title-main">2022 Costa Rican ransomware attack</span> Attack on Costa Rican government systems

Beginning on the night (UTC-6:00) of April 17, 2022, a ransomware attack began against nearly 30 institutions of the government of Costa Rica, including its Ministry of Finance, the Ministry of Science, Innovation, Technology and Telecommunications (MICITT), the National Meteorological Institute, state internet service provider RACSA, the Costa Rican Social Security Fund, the Ministry of Labor and Social Security, the Fund for Social Development and Family Allowances, and the Administrative Board of the Municipal Electricity Service of Cartago.

Hive was a ransomware as a service (RaaS) operation carried out by the eponymous cybercrime organization between June 2021 and January 2023. The group's purpose was to attack mainly public institutions to subsequently demand ransom for release of hijacked data.

Clop is a cybercriminal organization known for its multilevel extortion techniques and global malware distribution. It has extorted more than $500 million in ransom payments, targeting major organizations worldwide. Clop gained notoriety in 2019 and has since conducted high-profile attacks, using large-scale phishing campaigns and sophisticated malware to infiltrate networks and demand ransom, threatening to expose data if demands are not met.

<span class="mw-page-title-main">LockBit</span> Criminal hacking organization

LockBit is a cybercriminal group proposing ransomware as a service (RaaS). Software developed by the group enables malicious actors who are willing to pay for using it to carry out attacks in two tactics where they not only encrypt the victim's data and demand payment of a ransom, but also threaten to leak it publicly if their demands are not met.

Royal is a cybercriminal ransomware organization known for its aggressive targeting, its high ransom demands, and its use of double extortion. Royal does not use affiliates.

Rhysida is a ransomware group that encrypts data on victims' computer systems and threatens to make it publicly available unless a ransom is paid. The group uses eponymous ransomware-as-a-service techniques, targets large organisations rather than making random attacks on individuals, and demands large sums of money to restore data. The group perpetrated the notable 2023 British Library cyberattack and Insomniac Games data dump. It has targeted many organisations, including some in the US healthcare sector, and the Chilean army.

Qilin is a Russian-speaking cybercrime organisation that has been linked to a number of incidents, including a ransomware attack on hospitals in London.

References

  1. 1 2 "FBI Releases IOCs Associated with BlackCat/ALPHV Ransomware | CISA". www.cisa.gov. 2022-04-22. Retrieved 2023-07-14.
  2. 1 2 3 Ravie, Lakshmanan (2023-06-01). "Improved BlackCat Ransomware Strikes with Lightning Speed and Stealthy Tactics". The Hacker News. Retrieved 2023-07-25.
  3. Lyons, Jessica. "Reddit confirms BlackCat ransomware gang stole its data". www.theregister.com. Retrieved 2024-03-03.
  4. "BlackCat (ALPHV) Ransomware Levels Up for Stealth, Speed and Exfiltration". Security Intelligence. Retrieved 2023-07-25.
  5. "US offers up to $15 million for tips on ALPHV ransomware gang". BleepingComputer. Retrieved 2024-02-20.
  6. 1 2 "BlackCat Ransomware Group Implodes After Apparent $22M Payment by Change Healthcare – Krebs on Security". 2024-03-05. Retrieved 2024-05-21.
  7. 1 2 3 4 5 6 "Ransomware Spotlight: BlackCat - Security News". www.trendmicro.com. Retrieved 2023-07-14.
  8. 1 2 "The Royal & BlackCat Ransomware: What you Need to Know | Tripwire". www.tripwire.com. Retrieved 2023-07-26.
  9. Labs, Cyware. "ALPHV/BlackCat Clones Victim's Website to Post Stolen Data | Cyware Hacker News". Cyware Labs. Retrieved 2023-07-26.
  10. "Ransomware Spotlight: Royal – Security News". www.trendmicro.com. Retrieved 2023-07-11.
  11. "Breaking Down the BlackCat Ransomware Operation". cisecurity.org. 7 July 2022.
  12. 1 2 3 Labs, Cyware. "The Rise of BlackCat Ransomware: A Dark Tale of Cybercrime | Cyware | Research and Analysis". Cyware Labs. Retrieved 2023-07-26.
  13. "The Week in Ransomware - June 23rd 2023 - The Reddit Files". BleepingComputer. Retrieved 2023-07-25.
  14. Hay Newman, Lily (Dec 19, 2023). "A Major Ransomware Takedown Suffers a Strange Setback". Wired. Archived from the original on Dec 20, 2023.
  15. "Justice Department Disrupts Prolific ALPHV/Blackcat Ransomware Variant". U.S. Department of Justice. Dec 19, 2023.
  16. "US offers up to $15 million for tips on ALPHV ransomware gang". BleepingComputer. Retrieved 2024-02-20.
  17. Shi, Stacy (3 May 2024). "Consumer Council's security weaknesses blamed for leak". The Standard. Retrieved 3 May 2024.
  18. Lakshmanan, Ravie (Jul 3, 2023). "BlackCat Operators Distributing Ransomware Disguised as WinSCP via Malvertising". The Hacker News. Retrieved 2023-07-25.
  19. "BlackCat (ALPHV) Ransomware Levels Up for Stealth, Speed and Exfiltration". Security Intelligence. Retrieved 2023-07-25.
  20. 1 2 Page, Carly (2023-10-03). "Motel One says ransomware gang stole customer credit card data". TechCrunch. Retrieved 2023-10-03.
  21. Siddiqui, Zeba; Satter, Raphael; Satter, Raphael (2023-09-22). "'Power, influence, notoriety': The Gen-Z hackers who struck MGM, Caesars". Reuters. Retrieved 2023-10-03.
  22. "Hackers tied to Las Vegas attacks known for sweet-talking their way into company systems". NBC News. 2023-09-15. Retrieved 2023-10-03.
  23. Brewer, Contessa; Goswami, Rohan (2023-09-14). "Caesars paid millions in ransom to cybercrime group prior to MGM hack". CNBC. Retrieved 2023-10-03.
  24. "UnitedHealth says 'Blackcat' ransomware group behind hack at tech unit". Reuters .

See also