It has been quite an exciting month for law enforcement targeting malicious cyber actors around the world.
U.S. and German authorities shut down Hydra Market, the largest darknet marketplace in the world. The Department of Justice (DOJ) disrupted a Russia-linked botnet known as Cyclops Blink. The DOJ also arrested the admin of RaidForums, another popular marketplace for cybercriminals to conduct their illicit business.
While the fight against cybercrime can seem like an impossibly huge challenge to overcome—and if we're being honest, it really is—these victories over cybercriminals will continue to add up and make a difference in the long run.
As part of the effort to combat cybercrime, the FBI issued a FLASH warning asking anyone with relevant information to share known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with ransomware variants, specifically BlackCat ransomware.
Technical details of BlackCat ransomware
BlackCat/ALPHV is a ransomware-as-a-service (RaaS) that has compromised over 60 organizations around the world, according to the FBI.
It is the first ransomware group to successfully use Rust, a programming language considered to be more secure than others and one that offers improved performance and reliable concurrent processing.
The affiliated threat actors usually request ransom payments of millions of dollars in cryptocurrency, but often end up accepting payments of much less than the initial demand. Many of the threat actors have been linked to the Darkside and Blackmatter groups, indicating extensive experience when it comes to ransomware operations.
The FBI provides some technical details of the group:
"BlackCat/ALPHV ransomware leverages previously compromised user credentials to gain initial access to the victim system. Once the malware establishes access, it compromises Active Directory user and administrator accounts. The malware uses Windows Task Scheduler to configure malicious Group Policy Objects (GPOs) to deploy ransomware. Initial deployment of the malware leverages PowerShell scripts, in conjunction with Cobalt Strike, and disables security features within the victim's network. BlackCat/ALPHV ransomware also leverages Windows administrative tools and Microsoft Sysinternals tools during compromise.
BlackCat/ALPHV steals victim data prior to the execution of the ransomware, including from cloud providers where company or client data was stored. The actors leverage Windows scripting to deploy ransomware and to compromise additional hosts. For example, the following batch and PowerShell scripts were observed:
- start.bat – launches the ransomware executable with required arguments
- est.bat – copies the ransomware to other locations
- drag-and-drop-target.bat – launches the ransomware executable for the MySQL Server
- run.bat – executes a callout command to an external server using SSH - file names may change depending on the company and systems affected
- Runs1.ps1 – PowerShell script to disable McAfee"
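The script names the FBI lists above are the most concrete, log-searchable detail in the FLASH. The following Python routine, added here as an example and not part of the FBI warning or the original post, scans process-creation records for command lines that reference any of those five file names. The record format and the sample log lines are constructed for the example; they are not real BlackCat artifacts, and the host, user and path values are placeholders.

```python
"""Flag process-creation records whose command line references one of the
batch/PowerShell script names quoted in the FBI FLASH on BlackCat/ALPHV.
Added example: the log format and sample lines below are constructed."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Script names and their roles, exactly as listed in the FLASH text.
OBSERVED_SCRIPTS = {
    "start.bat": "launches the ransomware executable with required arguments",
    "est.bat": "copies the ransomware to other locations",
    "drag-and-drop-target.bat": "launches the ransomware executable for the MySQL Server",
    "run.bat": "executes a callout command to an external server using SSH",
    "runs1.ps1": "PowerShell script to disable McAfee",
}

# Assumed, simplified process-creation record (not Sysmon's real schema):
#   <timestamp> host=<name> user=<domain\user> image=<path> cmd="<command line>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
    r'image=(?P<image>\S+) cmd="(?P<cmd>.*)"$'
)
# Any path-like token ending in .bat/.cmd/.ps1 (Windows or UNC paths).
SCRIPT_TOKEN_RE = re.compile(r'[^\s"\']+\.(?:bat|cmd|ps1)(?=[\s"\']|$)', re.IGNORECASE)


@dataclass
class Hit:
    ts: str
    host: str
    user: str
    script: str
    reason: str


def script_basenames(cmd: str) -> List[str]:
    """Return the lowercase basename of every script path in a command line."""
    names = []
    for tok in SCRIPT_TOKEN_RE.findall(cmd):
        names.append(re.split(r"[\\/]", tok)[-1].lower())
    return names


def check_line(line: str) -> Optional[Hit]:
    """Return a Hit if the record's command line names a FLASH-listed script."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable record: skip rather than guess
    for name in script_basenames(m["cmd"]):
        if name in OBSERVED_SCRIPTS:
            return Hit(m["ts"], m["host"], m["user"], name, OBSERVED_SCRIPTS[name])
    return None


def scan(lines: Iterable[str]) -> List[Hit]:
    """Run check_line over every record and collect the matches."""
    return [h for h in (check_line(line) for line in lines) if h is not None]


# Constructed sample log: one benign line and three that reference listed scripts.
SAMPLE_LOG = """\
2022-04-01T10:00:01Z host=WS01 user=CORP\\alice image=C:\\Windows\\System32\\cmd.exe cmd="cmd.exe /c C:\\Users\\alice\\build.bat"
2022-04-01T10:05:12Z host=FS02 user=CORP\\svc_backup image=C:\\Windows\\System32\\cmd.exe cmd="cmd.exe /c C:\\Temp\\start.bat"
2022-04-01T10:06:30Z host=DB01 user=CORP\\svc_backup image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmd="powershell.exe -ExecutionPolicy Bypass -File C:\\Temp\\Runs1.ps1"
2022-04-01T10:07:00Z host=DB01 user=CORP\\svc_backup image=C:\\Windows\\System32\\cmd.exe cmd="cmd.exe /c \\\\FS02\\share\\drag-and-drop-target.bat"
"""


def demo() -> List[Hit]:
    """Scan the constructed sample and return the hits (three expected)."""
    return scan(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit.ts} {hit.host} {hit.user}: {hit.script} ({hit.reason})")
```

The FLASH itself notes that file names may change depending on the company and systems affected, so a name-based rule like this is a cheap first pass, not a complete detection. It should sit alongside behavioral coverage for the other activity the FBI describes: scheduled tasks that modify Group Policy Objects, PowerShell launched to disable security tooling, and Sysinternals or other administrative tools run under recently compromised Active Directory accounts.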
To learn more about IOCs and recommended mitigations, read the entire FLASH warning from the FBI.