BlackCat, a ransomware operation that debuted in November 2021, has the potential to be the most sophisticated ransomware strain of the year: a highly configurable feature set lets affiliates tailor attacks to a wide range of corporate environments. Details have emerged about what is the first identified ransomware strain written in Rust, which has already amassed "some victims from different countries" since its launch last month.
The ransomware, now named BlackCat, was disclosed by MalwareHunterTeam, a free service that helps victims identify which ransomware may have been used to encrypt their files. "Victims can pay with Bitcoin or Monero," the researchers said in a series of tweets detailing the file-encrypting malware. "Also looks they are giving credentials to intermediaries" for negotiations. BlackCat, also tracked as ALPHV, operates like many variants before it as Ransomware-as-a-Service (RaaS): the core developers recruit affiliates to breach corporate environments and encrypt files, but not before stealing the data in a double-extortion scheme that pressures targets to pay the demanded amount or risk exposure of the stolen data if they refuse.
South Korean cybersecurity company S2W, in a separate analysis of BlackCat, reported that the ransomware, like other RaaS programs, drives its malicious actions from an embedded internal configuration, and noted its similarities with BlackMatter, another ransomware that emerged from the ashes of DarkSide in July 2021 only to sunset its activities in early November 2021.
While it is typical of ransomware groups to go quiet, regroup, and resurface under a new name, the researchers cautioned against calling BlackCat a BlackMatter rebrand, citing differences in the programming language used, the myriad execution options, and the dark web infrastructure maintained by the actor.
What’s Rust? Rust is described as a multi-paradigm, general-purpose programming language designed for performance and safety. It is syntactically similar to C++, but it guarantees memory safety by using a borrow checker to validate references at compile time. Rust achieves memory safety without garbage collection, and reference counting is optional. It has been called a systems programming language: alongside high-level features such as functional programming, it also offers mechanisms for low-level memory management.
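As an added illustration (not code from this article, from BlackCat, or from any vendor named here), the following Rust program shows the two properties the paragraph describes. Out-of-bounds access on a slice is either refused (`get` returns `None`) or aborts with a panic, instead of silently reading adjacent memory as an equivalent C parser would, and reference-counted data is released deterministically when its last owner goes out of scope, with no garbage collector involved. The length-prefixed record format and the sample buffers are constructed for the example.

```rust
// Added example, not part of the original article or of any ransomware sample.
// Demonstrates Rust's bounds checking and deterministic (non-GC) memory
// management on a constructed length-prefixed record format: [len][payload...].
use std::panic;
use std::rc::Rc;

/// Parse one record: the first byte is the payload length, the rest is payload.
/// A C parser that trusted `len` would read past the buffer; here `get(..len)`
/// is bounds-checked and returns `None` instead of reading out of bounds.
pub fn parse_record(buf: &[u8]) -> Option<&[u8]> {
    let (&len, rest) = buf.split_first()?;
    rest.get(..len as usize)
}

/// Indexing with `[]` is also checked: an out-of-range index panics (the panic
/// message goes to stderr) rather than yielding adjacent memory. Returns true
/// when the access was rejected by a panic.
pub fn unchecked_index_panics(buf: &[u8], idx: usize) -> bool {
    panic::catch_unwind(move || buf[idx]).is_err()
}

/// Reference counting is opt-in via `Rc`; the count drops the instant an owner
/// goes out of scope, with no collector involved. Returns (count inside the
/// inner scope, count after it).
pub fn rc_counts() -> (usize, usize) {
    let shared = Rc::new(vec![1u8, 2, 3]);
    let inside;
    {
        let alias = Rc::clone(&shared);
        inside = Rc::strong_count(&alias);
    } // `alias` is dropped here, deterministically
    (inside, Rc::strong_count(&shared))
}

// The borrow checker rejects the classic use-after-move at compile time; this
// would not compile:
//     let v = vec![1u8];
//     let moved = v;
//     println!("{:?}", v); // error[E0382]: borrow of moved value: `v`

fn main() {
    // Constructed inputs: one well-formed record and one whose length field lies.
    let good = [3u8, 0xAA, 0xBB, 0xCC, 0xDD];
    let lying = [9u8, 0x01, 0x02];
    println!("good  -> {:?}", parse_record(&good));
    println!("lying -> {:?}", parse_record(&lying));
    println!("index 3 of a 3-byte slice panics: {}", unchecked_index_panics(&good[..3], 3));
    println!("rc counts (inside, after): {:?}", rc_counts());
}
```

The `lying` record is the case that matters for malware analysis and for defenders alike: the same logic in C compiles and runs, and simply reads whatever follows the buffer.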
BlackCat, whose activity is reported to have started on 04 December 2021, has been advertised on Russian-language underground markets such as XSS and Exploit under the username "alphv", and as "ransom" on the RAMP forum, in a bid to recruit other participants, including penetration testers, to join what it called "the next generation of ransomware."
The ransomware actor(s) is said to operate five TOR domains: three function as the group's negotiation site, and the remaining two are an "Alphv" public leak site and a private leak site. Two victims have been identified to date, indicating that the emerging ransomware is already being deployed against companies in real-world attacks. "After information about the BlackCat ransomware and Alphv leak site was revealed on Twitter, they deleted all information of both victims and added their warning message on Alphv leak site," S2W researchers noted.
The development signals a growing trend of threat actors adopting less common programming languages such as D (Dlang), Go, Nim, and Rust to bypass security protections, evade analysis, and hamper reverse-engineering efforts.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization and offers proactive solutions to protect your networks. Cyber intelligence is a key component of your overall cyber security. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or firstname.lastname@example.org
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941