Enhanced BlackCat Ransomware Attack with Lightning Speed and Stealthy Tactics


June 01, 2023 | Ravie Lakshmanan | Endpoint Security / Encryption


The threat actors behind the BlackCat ransomware have come up with an improved variant that prioritizes speed and stealth in an attempt to cross the security fence and reach their goals.

The new version, dubbed Sphynx and announced in February 2023, packs “a number of updated capabilities that strengthen the group’s efforts to evade detection,” IBM Security X-Force said in a new analysis.

The “product” update was first highlighted by vx-underground in April 2023. Trend Micro, last month, detailed a Linux version of Sphynx that “focuses mainly on its encryption routine.”

BlackCat, also called ALPHV and Noberus, is the first Rust-based ransomware strain seen in the wild. Active since November 2021, it has emerged as a formidable ransomware actor, claiming more than 350 victims as of May 2023.

The group, like other ransomware-as-a-service (RaaS) offerings, is known to run a multiple-extortion scheme, using specialized data exfiltration tools such as ExMatter to siphon sensitive data before encryption.

Initial access to a targeted network is typically obtained through a network of actors known as initial access brokers (IABs), who use off-the-shelf information-stealing malware to harvest legitimate credentials.

BlackCat Ransomware

BlackCat has also been observed sharing overlap with the now-defunct BlackMatter ransomware family, according to Cisco Talos and Kaspersky.

These findings provide a window into an ever-evolving cybercrime ecosystem in which threat actors keep refining their tools and tradecraft to increase the likelihood of a successful compromise, while also thwarting detection and evading analysis.

Specifically, the Sphynx version of BlackCat combines junk code and encrypted strings, while also reworking the command-line arguments passed to the binary.

Sphynx also incorporates a loader that decrypts the ransomware payload which, once executed, performs network discovery to find additional systems, deletes volume shadow copies, encrypts files, and finally drops the ransom note.
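As an added illustration of the behaviour chain just described (this is example code written for this page, not code from the article or from IBM's analysis), the following detection logic scores hosts in process-creation telemetry where network discovery and shadow-copy deletion originate from the same parent process. The command-line patterns, field layout and sample events are constructed assumptions, not indicators taken from the article.

```python
import re
from collections import defaultdict

# Command-line patterns for two behaviours the article attributes to the
# Sphynx payload. These regexes are this example's own assumptions.
PATTERNS = {
    "discovery": [
        re.compile(r"\bnet(?:\.exe)?\s+view\b", re.I),
        re.compile(r"\barp(?:\.exe)?\s+-a\b", re.I),
    ],
    "shadow_copy_deletion": [
        re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
        re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
    ],
}

def classify(cmdline):
    """Return the set of behaviour labels whose patterns match one command line."""
    return {label for label, regexes in PATTERNS.items()
            if any(r.search(cmdline) for r in regexes)}

def score_hosts(events):
    """Aggregate per host. Each event is (host, parent_image, cmdline).
    'high'   : discovery and shadow-copy deletion share a parent process
               (the sequence the article describes),
    'medium' : shadow copies deleted without observed discovery,
    'none'   : nothing matched."""
    seen = defaultdict(lambda: defaultdict(set))  # host -> parent -> labels
    for host, parent, cmdline in events:
        seen[host][parent] |= classify(cmdline)
    verdict = {}
    for host, parents in seen.items():
        all_labels = set().union(*parents.values())
        chained = any({"discovery", "shadow_copy_deletion"} <= labels
                      for labels in parents.values())
        if chained:
            verdict[host] = "high"
        elif "shadow_copy_deletion" in all_labels:
            verdict[host] = "medium"
        else:
            verdict[host] = "none"
    return verdict

# Constructed sample telemetry (not real logs): host, parent image, command line.
SAMPLE_EVENTS = [
    ("ws01", "C:\\Users\\Public\\svc.exe", "net view /all"),
    ("ws01", "C:\\Users\\Public\\svc.exe", "vssadmin.exe delete shadows /all /quiet"),
    ("ws02", "C:\\Windows\\explorer.exe", "vssadmin list shadows"),
    ("ws03", "C:\\Windows\\System32\\backup.exe", "wmic shadowcopy delete"),
]

if __name__ == "__main__":
    print(score_hosts(SAMPLE_EVENTS))
```

Listing shadow copies on ws02 is deliberately not flagged, so a backup operator's routine check does not trip the rule while the destructive variant does.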


Despite law enforcement campaigns against cybercrime groups and ransomware, the constant change in tactics is proof that BlackCat remains an active threat to organizations and shows “no sign of stopping.”

Source: WithSecure

Finnish cybersecurity company WithSecure, in a recent study, explained how the illicit financial proceeds associated with ransomware attacks have led to a “professionalization of cybercrime” and the emergence of new underground support services.

“Many large ransomware groups operate a service provider or RaaS model, in which they provide tools and expertise to affiliates, and in return take profits,” the company said.

“These advantages have fueled the rapid development of the services industry, providing all the tools and services needed by up-and-coming threat groups, and thanks to dark web routing services and cryptocurrencies, the many different groups involved can buy and sell services anonymously, and access their profits.”
