Share this article on:
The Federal Bureau of Investigation (FBI) has issued a TLP: WHITE flash alert about the BlackCat ransomware-as-a-service (RaaS) operation. BlackCat, also known as ALPHAV, was launched in November 2021. It was launched shortly after the shutdown of the BlackMatter ransomware operation, which was a rebrand of DarkSide. Darkside was behind the ransomware attack on the Colonial Pipeline. A member of the operation has claimed they are a former affiliate of BlackMatter/DarkSide that branched out on their own. However, it is more likely that BlackCat is simply a rebrand of BlackMatter/DarkSide.
The FBI said many of the developers and money launderers involved with the BlackCat operation have been linked to DarkSide/BlackMatter, which indicates they have extensive networks and considerable experience with running RaaS operations. The BlackCat RaaS operation has not been active for long, but the group has already claimed at least 60 victims worldwide. BlackCat typically targets large organizations and demands ransom payments of several million dollars in Bitcoin or Monero, although the group does appear willing to negotiate payments with victims.
Unusually for ransomware, it is written in RUST, which is considered to be a more secure programming language that ensures better performance and concurrent processing. Initial access to networks is usually gained using previously compromised credentials, and once access is gained, Active Directory user and administrator accounts are compromised. The ransomware executable is highly customizable and allows attacks on a wide range of corporate environments, it supports multiple encryption methods, and can disable security features on victim networks.
The group uses Windows Task Scheduler to configure malicious Group Policy Objects (GPOs) to deploy the ransomware, initially using PowerShell scripts and Cobalt Strike. Windows administrative tools and Microsoft Sysinternals tools are also used during compromise. Prior to encrypting files, victim data is stolen, including from cloud providers. Threats are then issued to publish the stolen data on the leak site if the ransom is not paid. In the flash alert, the FBI has shared indicators of compromise (IoCs) and mitigation measures that should be adopted to improve security and make it harder for attacks to succeed.
As with all ransomware attacks, the FBI recommends not paying the ransom as there is no guarantee that files will be recovered, payment does not prevent further attacks, and there is no guarantee that any data stolen in the attack will not be published, stolen, or misused. However, the FBI accepts that payment of the ransom may be the only option in some cases to protect customers, patients, employees, and shareholders.
Regardless of whether or not the ransom is paid, the FBI has requested victims report attacks to their local FBI field office. The FBI has requested IP logs showing callbacks from foreign IP addresses, Bitcoin or Monero addresses and transaction IDs, communications with the threat actors, the decryptor file, and/or a benign sample of an encrypted file.