
Microsoft Warns of New BlackCat Ransomware Version

The updated BlackCat ransomware now includes the Impacket tool, which is used by bad actors to help them move around inside the computer systems they're targeting.


Microsoft has identified a new iteration of BlackCat that incorporates the Impacket networking framework and the Remcom hacking tool. These additions enable the ransomware to spread laterally within compromised networks.

Incorporation of Impacket Tool

The updated BlackCat ransomware now includes the open-source communication framework tool, Impacket. This tool is utilized by threat actors to aid in lateral movement within target environments. As Microsoft stated on X (Twitter), “The Impacket tool has credential dumping and remote service execution modules that could be used for broad deployment of the BlackCat ransomware in target environments.”

Embedding of Remcom Hacktool

Further, this version of BlackCat has the Remcom hacktool embedded directly in its executable. This tool allows for remote code execution. Additionally, the file contains hardcoded credentials from compromised targets. These credentials are used by the actors for lateral movement and further deployment of the ransomware. As mentioned in the official announcement, “This BlackCat version also has the Remcom hacktool embedded in the executable for remote code execution. The file also contains hardcoded compromised target credentials that actors use for lateral movement and further ransomware deployment.”

Ransomware as a Service Offering

Operated under the ransomware-as-a-service (RaaS) model by the Russian-speaking syndicate ALPHV, BlackCat, also known as “Noberus”, was first identified in November 2021. It quickly gained notoriety, becoming one of the most advanced and menacing malware threats of both 2021 and 2022.

Interestingly, BlackCat's activity saw a significant decline in late 2022, with a 28% decrease in reported infections. This malware stands out as the first major malware coded in the Rust programming language. Rust is gaining traction in the tech community for its impressive performance and memory safety features. Moreover, BlackCat showcases its versatility by being able to infiltrate both Windows and Linux systems.

The modus operandi of BlackCat is particularly alarming. It employs a three-pronged extortion strategy: demanding ransoms for decrypting infected files, threatening to release stolen data, and warning of potential denial of service (DoS) attacks. Between November 2021 and September 2022, approximately 200 enterprise organizations fell victim to BlackCat. Predominantly, its targets have been firms in the financial, manufacturing, legal, and professional services sectors. However, no industry remains untouched by BlackCat's reach.

Further investigations have revealed connections between BlackCat and other ransomware strains, namely BlackMatter and DarkSide, in terms of source code and user base. The operators behind BlackCat have been actively recruiting on clandestine platforms like XSS, Exploit Forum, and RAMP5 in the darknet, seeking new affiliates to expand their malevolent network.

Protection and Mitigation Measures

Microsoft 365 Defender is equipped to detect malicious activities and components linked to BlackCat ransomware attacks. By enabling attack surface reduction rules, users can prevent common attack techniques. For detailed information on detection coverage, mitigation, and hunting guidance related to BlackCat and associated ransomware families, Microsoft directs its customers to its official platforms: Microsoft Defender Threat Intelligence and Microsoft 365 Defender.
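The article only says that attack surface reduction (ASR) rules should be enabled, without naming which ones. The following PowerShell is an added example, not code from WinBuzzer or Microsoft. It assumes a Windows endpoint running Microsoft Defender Antivirus and an elevated session, and it picks the three ASR rules whose scope matches the techniques the article attributes to this BlackCat build (credential dumping, remote service execution, ransomware behaviour). The rule GUIDs are Microsoft's published identifiers as best known to the author of this example; confirm them against the current ASR rule reference before rolling out. It defaults to audit mode so the audit events can be reviewed before switching to block.

```powershell
# Added example (not from the article or from Microsoft): stage ASR rules that
# map to credential dumping, remote execution and ransomware behaviour, then
# report their state and any audit/block events Defender has logged.
# Requires an elevated PowerShell session with Microsoft Defender Antivirus active.

# Rule IDs as published by Microsoft (verify against the ASR rule reference).
$asrRules = [ordered]@{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations from PsExec and WMI commands'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
}

# Numeric action codes Get-MpPreference reports for each configured rule.
$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'AuditMode'; 6 = 'Warn' }

function Get-AsrRuleState {
    # Returns one object per rule of interest with its currently configured action.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)

    foreach ($id in $asrRules.Keys) {
        $state = 'NotConfigured'
        for ($i = 0; $i -lt $ids.Count; $i++) {
            # GUID casing varies between what was entered and what is reported.
            if ($ids[$i] -ieq $id) {
                $code  = [int]$actions[$i]
                $state = if ($actionNames.ContainsKey($code)) { $actionNames[$code] } else { "Code $code" }
            }
        }
        [pscustomobject]@{ RuleId = $id; Description = $asrRules[$id]; State = $state }
    }
}

function Set-AsrRules {
    # Applies the same mode to every rule in $asrRules. Start with AuditMode,
    # review the events, then re-run with -Mode Enabled to block.
    param(
        [ValidateSet('AuditMode', 'Enabled', 'Warn')]
        [string]$Mode = 'AuditMode'
    )
    $ids     = @($asrRules.Keys)
    $actions = @($ids | ForEach-Object { $Mode })   # one action per id, positionally paired
    Add-MpPreference -AttackSurfaceReductionRules_Ids $ids `
                     -AttackSurfaceReductionRules_Actions $actions
}

function Get-AsrEvents {
    # Lists recent ASR events from the Defender operational log:
    # 1121 = rule blocked an action, 1122 = rule would have blocked (audit).
    param([int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1121, 1122
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Usage: stage in audit mode, confirm the configuration, then review events.
Set-AsrRules -Mode AuditMode
Get-AsrRuleState | Format-Table -AutoSize
Get-AsrEvents | Format-List
```

Audit mode generates event 1122 for anything a rule would have stopped, which is how you find legitimate administrative tooling (remote service installers, monitoring agents) that the PsExec/WMI rule would otherwise break; exclusions for those go in before the rules are switched to Enabled. Defender reports the rule GUIDs case-insensitively, hence the manual comparison loop instead of an exact array lookup.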

Markus Kasanmascheff
Markus is the founder of WinBuzzer and has been playing with Windows and technology for more than 25 years. He holds a Master's degree in International Economics and previously worked as Lead Windows Expert for Softonic.com.