HomeWinBuzzer NewsMicrosoft Warns of New BlackCat Ransomware Version

Microsoft Warns of New BlackCat Ransomware Version

The updated BlackCat ransomware now includes the Impacket tool, which is used by bad actors to help them move around inside the computer systems they're targeting.


has identified a new iteration of the BlackCat that incorporates the Impacket networking framework and the Remcom hacking tool. These additions enable the ransomware to spread laterally within compromised networks.

Incorporation of Impacket Tool

The updated BlackCat ransomware now includes the open-source communication framework tool, Impacket. This tool is utilized by threat actors to aid in lateral movement within target environments. As Microsoft stated on X (Twitter), “The Impacket tool has credential dumping and remote service execution modules that could be used for broad deployment of the BlackCat ransomware in target environments.”

Embedding of Remcom Hacktool

Further, this version of BlackCat has the Remcom hacktool embedded directly in its executable. This tool allows for remote code execution. Additionally, the file contains hardcoded credentials from compromised targets. These credentials are used by the actors for lateral movement and further deployment of the ransomware. As mentioned in the official announcement, “This BlackCat version also has the Remcom hacktool embedded in the executable for remote code execution. The file also contains hardcoded compromised target credentials that actors use for lateral movement and further ransomware deployment.”

Ransomware as a Service Offering

Operated under the ransomware-as-a-service (RaaS) model by the Russian-speaking syndicate ALPHV, BlackCat, also known as “Noberus” was first identified in November 2021. It quickly gained notoriety, becoming one of the most advanced and menacing malware threats of both 2021 and 2022.

Interestingly, BlackCat's activity saw a significant decline in late 2022, with a 28% decrease in reported infections. This malware stands out as the inaugural major malware coded in the Rust programming language. Rust is gaining traction in the tech community for its impressive performance and memory safety features. Moreover, BlackCat showcases its versatility by being able to infiltrate both Windows and Linux .

The modus operandi of BlackCat is particularly alarming. It employs a three-pronged extortion strategy: demanding ransoms for decrypting infected files, threatening to release stolen data, and warning of potential denial of service (DoS) attacks. Between November 2021 and September 2022, approximately 200 enterprise organizations fell victim to BlackCat. Predominantly, its targets have been firms in the financial, manufacturing, legal, and professional services sectors. However, no industry remains untouched by BlackCat's reach.

Further investigations have revealed connections between BlackCat and other ransomware strains, namely BlackMatter and DarkSide, in terms of source code and user base. The operators behind BlackCat have been actively recruiting on clandestine platforms like XSS, Exploit Forum, and RAMP5 in the darknet, seeking new affiliates to expand their malevolent network.

Protection and Mitigation Measures

Microsoft 365 Defender is equipped to detect malicious activities and components linked to BlackCat ransomware attacks. By enabling attack surface reduction rules, users can prevent common attack techniques. For detailed information on detection coverage, mitigation, and hunting guidance related to BlackCat and associated ransomware families, Microsoft directs its customers to their official platforms: Microsoft Defender Threat Intelligence and Microsoft 365 Defender.

Markus Kasanmascheff
Markus Kasanmascheff
Markus is the founder of WinBuzzer and has been playing with Windows and technology for more than 25 years. He is holding a Master´s degree in International Economics and previously worked as Lead Windows Expert for Softonic.com.

Recent News