The new ALPHV ransomware operation, also known as BlackCat, could be the most sophisticated ransomware of 2021, with highly customizable features that allow attacks in many environments.
The ransomware executable is written in Rust, which is still atypical for malware developers but is gaining ground because of its high performance and memory safety.
The ransomware is referred to by its developers as ALPHV and enjoys increasing popularity on Russian-language hacking forums.
MalwareHunterTeam called the ransomware BlackCat because the same favicon of a black cat is used on each victim’s Tor payment site, while the data leak site utilizes a dagger dripping with blood.
Like all Ransomware-as-a-Service (RaaS) operations, the ALPHV BlackCat operators work with affiliates who carry out the attacks. In return, the affiliates earn a revenue share that varies with the size of the actual ransom demand.
ALPHV BlackCat can also be configured with domain credentials, which it uses to spread from the infected device and encrypt other devices on the network. The executable then extracts PsExec into the %Temp% folder and uses it to copy the ransomware to other devices on the network and execute it, encrypting the remote Windows machines.
When launching the ransomware, the affiliate can use a console-based user interface that lets them closely monitor the progress of the attack.
ALPHV BlackCat also uses the Windows Restart Manager API to shut down processes and Windows services that are keeping a file open, so that the file can be encrypted.
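As an added example, not code from the article or from any vendor tooling, the following Python sketch shows how a defender might hunt for the lateral-movement pattern described above in already-collected host telemetry: a PsExec binary being written into a Temp folder, and the PSEXESVC helper service that PsExec installs appearing on many hosts within a short window. The event records, hostnames, usernames and dictionary field names are constructed for illustration; Sysmon event 11 (FileCreate) and System-log event 7045 (service installed) are the real event types the records imitate.

```python
"""Hunt for PsExec-style fan-out in constructed Windows event records.

Added example; assumes events have already been normalised into dicts with
the field names used here (an assumption, not a real log schema).
"""
import re
from datetime import datetime, timedelta

# psexec.exe / psexec64.exe as the final path component, case-insensitive
PSEXEC_NAME = re.compile(r"(^|\\)psexec(64)?\.exe$", re.IGNORECASE)
# any path component named Temp (covers %Temp% and C:\Windows\Temp)
TEMP_DIR = re.compile(r"\\Temp\\", re.IGNORECASE)

# Constructed sample telemetry: one infected workstation, a burst of remote
# PSEXESVC installs, plus benign noise that must not be flagged.
SAMPLE_EVENTS = [
    # Sysmon EventID 11 (FileCreate): PsExec dropped into the user's Temp folder
    {"ts": "2021-12-10T09:00:01", "host": "WS-017", "event_id": 11,
     "image": r"C:\Users\jdoe\AppData\Local\Temp\invoice.exe",
     "target_file": r"C:\Users\jdoe\AppData\Local\Temp\psexec.exe"},
    # benign FileCreate in Temp: must not fire
    {"ts": "2021-12-10T09:00:02", "host": "WS-017", "event_id": 11,
     "image": r"C:\Windows\System32\svchost.exe",
     "target_file": r"C:\Users\jdoe\AppData\Local\Temp\report.tmp"},
    # System log EventID 7045 (service installed) on each machine PsExec reaches
    {"ts": "2021-12-10T09:00:09", "host": "FS-01", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"ts": "2021-12-10T09:00:11", "host": "FS-02", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    # unrelated service install in the same window: must not count
    {"ts": "2021-12-10T09:00:12", "host": "FS-03", "event_id": 7045,
     "service_name": "Sysmon64", "image_path": r"C:\Windows\Sysmon64.exe"},
    {"ts": "2021-12-10T09:00:14", "host": "HR-PC-3", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"ts": "2021-12-10T09:00:16", "host": "APP-07", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    # a lone administrative PsExec use hours later: single host, not fan-out
    {"ts": "2021-12-10T14:30:00", "host": "DB-02", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
]


def parse_ts(value):
    """Parse the ISO-8601 timestamp used in the constructed records."""
    return datetime.fromisoformat(value)


def psexec_dropped_in_temp(events):
    """Return (host, writing process, path) for PsExec binaries created under a Temp folder."""
    hits = []
    for e in events:
        if e.get("event_id") != 11:
            continue
        path = e.get("target_file", "")
        if TEMP_DIR.search(path) and PSEXEC_NAME.search(path):
            hits.append((e["host"], e["image"], path))
    return hits


def psexesvc_fanout(events, window=timedelta(minutes=5), min_hosts=3):
    """Return the set of hosts that received a PSEXESVC install in any
    sliding window of `window` length containing at least `min_hosts`
    distinct hosts. A single remote PsExec session never reaches the threshold."""
    installs = sorted(
        (parse_ts(e["ts"]), e["host"])
        for e in events
        if e.get("event_id") == 7045
        and e.get("service_name", "").upper() == "PSEXESVC"
    )
    flagged = set()
    for i, (t0, _) in enumerate(installs):
        in_window = set()
        for t, host in installs[i:]:
            if t - t0 > window:
                break  # sorted by time, nothing later can fall in this window
            in_window.add(host)
        if len(in_window) >= min_hosts:
            flagged |= in_window
    return flagged


if __name__ == "__main__":
    for host, image, path in psexec_dropped_in_temp(SAMPLE_EVENTS):
        print(f"[drop] {host}: {image} wrote {path}")
    burst = psexesvc_fanout(SAMPLE_EVENTS)
    if burst:
        print(f"[fan-out] PSEXESVC installed on {len(burst)} hosts: {sorted(burst)}")
```

PsExec is also a legitimate administration tool, so the Temp-folder drop on its own is a low-fidelity signal and the file-name check is defeated by a renamed binary; the burst of PSEXESVC service installs across many hosts is the stronger indicator, and both should be checked against known change windows before alerting.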
BlackCat is also cross-platform and supports several operating systems.
According to the group, the ransomware has been tested on the following operating systems:
- Windows 7 and later (tested on 7, 8.1, 10, 11; 2008 R2, 2012, 2016, 2019, 2022); XP and 2003 can be encrypted over SMB
- ESXi (tested on 5.5, 6.5, 7.0.2u)
- Debian (tested on 7, 8, 9)
- Ubuntu (tested on 18.04, 20.04)
- ReadyNAS, Synology
Ransomware expert and ID Ransomware creator Michael Gillespie has examined the ransomware's encryption routine and could not find any weakness that would allow free decryption. That is how sophisticated BlackCat is.
Like other ransomware groups, ALPHV employs a triple-extortion tactic: the attackers first steal data, then encrypt devices, and threaten to publish the stolen data if no ransom is paid.
Ransoms usually range from $400,000 to $3 million, payable in Bitcoin or Monero. Victims who pay in Bitcoin are charged an additional 15% on top of the ransom.