The threat actors behind the BlackCat ransomware have come up with an improved variant that prioritizes speed and stealth in an attempt to slip past security controls and reach their goals.
The new version, dubbed Sphynx and announced in February 2023, packs "a number of updated capabilities that strengthen the group's efforts to evade detection," IBM Security X-Force said in a new analysis.
BlackCat, also called ALPHV and Noberus, is the first Rust-based ransomware strain seen in the wild. Active since November 2021, it has emerged as a formidable ransomware actor, claiming more than 350 victims as of May 2023.
The group, like other ransomware-as-a-service (RaaS) offerings, is known to run multiple extortion schemes, using specialized data exfiltration tools such as ExMatter to siphon sensitive data before encryption.
Initial access to a targeted network is typically obtained through a network of attackers known as initial access brokers (IABs), who use off-the-shelf information-stealing malware to harvest legitimate credentials.
BlackCat has also been observed sharing overlap with the now-defunct BlackMatter ransomware family, according to Cisco Talos and Kaspersky.
These findings provide a window into the ever-evolving cybercrime ecosystem, in which threat actors refine their tools and tradecraft to increase the likelihood of a successful compromise, not to mention thwart detection and frustrate analysis.
Specifically, the Sphynx version of BlackCat incorporates junk code and encrypted strings, while also reworking the command-line arguments passed to the binary.
Sphynx also incorporates a loader to decrypt the ransomware payload which, once executed, performs network discovery to search for additional systems, deletes volume shadow copies, encrypts files, and finally drops the ransom note.
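Of the behaviours listed above, the deletion of volume shadow copies is the one most readily caught in process-creation telemetry, because it has to go through a handful of well-known Windows commands. The following Python is an added example, not part of IBM's analysis or of the original article: it scans constructed, Sysmon-style process-creation records for those commands. The record format, field names, sample events and regex patterns are assumptions of this example.

```python
import re

# Command lines commonly associated with shadow-copy deletion (an assumption
# of this example, not taken from the IBM report). Case-insensitive so that
# "VSSADMIN Delete Shadows" is caught as readily as the lowercase form.
SHADOW_COPY_DELETION_PATTERNS = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("vssadmin_resize_shadowstorage",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("powershell_win32_shadowcopy_delete",
     re.compile(r"win32_shadowcopy.*\bdelete\b", re.I)),
]


def parse_event(line):
    """Parse one constructed 'Key=Value|Key=Value' process-creation record."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def detect_shadow_copy_deletion(lines):
    """Return (host, parent image, rule name) for every record that matches."""
    hits = []
    for line in lines:
        event = parse_event(line)
        command = event.get("CommandLine", "")
        for rule, pattern in SHADOW_COPY_DELETION_PATTERNS:
            if pattern.search(command):
                hits.append((event.get("Host", "?"),
                             event.get("ParentImage", "?"), rule))
                break  # one alert per record is enough
    return hits


# Constructed sample records, loosely modelled on Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    "Host=WS01|ParentImage=C:\\Users\\a\\Downloads\\payload.exe|"
    "CommandLine=vssadmin.exe Delete Shadows /All /Quiet",
    "Host=WS01|ParentImage=C:\\Windows\\explorer.exe|"
    "CommandLine=vssadmin list shadows",
    "Host=SRV02|ParentImage=C:\\Users\\a\\Downloads\\payload.exe|"
    "CommandLine=wmic shadowcopy delete",
    "Host=SRV02|ParentImage=C:\\Windows\\explorer.exe|"
    "CommandLine=powershell.exe -Command Get-Process",
]

if __name__ == "__main__":
    for host, parent, rule in detect_shadow_copy_deletion(SAMPLE_EVENTS):
        print(f"{host}: {rule} (parent {parent})")
```

In production the parent image is the useful pivot: shadow-copy deletion launched from a freshly dropped executable rather than an administrative shell is far more suspicious than the command alone.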
Despite law enforcement campaigns against cybercrime and ransomware groups, the constant change of tactics is proof that BlackCat remains an active threat to organizations and shows "no sign of stopping".
Finnish cybersecurity company WithSecure, in a recent study, explained how the illicit financial gains associated with ransomware attacks have led to a "professionalization of cybercrimes" and the emergence of new underground support services.
“Many large ransomware groups operate a service provider or RaaS model, in which they provide tools and expertise to affiliates, and in return take profits,” the company said.
"These advantages have fueled the rapid development of the services industry, providing all the tools and services needed by up-and-coming threat groups, and thanks to dark web routing services and cryptocurrencies, the many different groups involved can buy and sell services anonymously, and access their profits."