The New Cat is a Sphynx

If you keep feeding the local stray cat, it will never go away.  Like malware, if you don't stomp it out, it keeps harassing you.  The threat actors behind BlackCat ransomware have developed an improved variant that prioritizes speed and stealth to bypass security guardrails and achieve their ransom objectives.  The new version, Sphynx, was announced in February 2023 and includes updated capabilities that strengthen the group's efforts to evade detection.  The "product" update was first highlighted by vx-underground in April 2023.  Subsequent analysis of the update detailed a Linux version of Sphynx, focusing primarily on its encryption routine.

BlackCat, also called ALPHV and Noberus, is the first Rust-language-based ransomware strain spotted in the wild.  Active since November 2021, it has emerged as a formidable ransomware actor, victimizing more than 350 targets as of May 2023.[1]

See:  https://redskyalliance.org/xindustry/the-blackcat-is-back

The group, like other Ransomware-as-a-Service (RaaS) offerings, is known to operate a double extortion scheme, deploying custom data exfiltration tools like ExMatter to siphon sensitive data before encryption.  Initial access to targeted networks is typically obtained through a network of actors called Initial Access Brokers (IABs), who employ off-the-shelf information stealer malware to harvest legitimate credentials.

BlackCat has also been observed to share overlaps with the now-defunct BlackMatter ransomware family, according to Cisco Talos and Kaspersky.  The latest findings provide a window into the ever-evolving cybercrime ecosystem wherein threat actors enhance their tooling and tradecraft to increase the likelihood of a successful compromise, not to mention thwart detection and evade analysis.

Specifically, the Sphynx version of BlackCat incorporates junk code and encrypted strings and reworks the command-line arguments passed to the binary.  Sphynx also adds a loader that decrypts the ransomware payload; once decrypted and executed, the payload performs network discovery to hunt for additional systems, deletes volume shadow copies, encrypts files, and finally drops the ransom note.
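The shadow-copy deletion step is the one point in that chain where a defender still has a cheap, high-signal detection before encryption begins.  The following is an added example written for this page, not code from the article, from Cisco Talos, or from any BlackCat sample: it scans process-creation events (the log lines are constructed for the example) for the Windows built-ins commonly abused to destroy shadow copies and disable recovery, and rates a host higher when two or more distinct techniques fire on it.  The article does not state which command Sphynx uses, so the command patterns below are assumptions about the technique in general, not indicators extracted from Sphynx.

```python
"""Flag shadow-copy deletion and recovery tampering in process-creation logs.

Added example, not from the original article or from any BlackCat/Sphynx
sample.  The article says the decrypted payload deletes volume shadow copies
before encrypting but does not name the command; the patterns here are the
commonly abused Windows built-ins for that step (assumed, not Sphynx IOCs).
"""
import re

# (rule name, regex applied to the normalized command line)
RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("vssadmin_resize_storage",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b")),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("powershell_win32_shadowcopy",
     re.compile(r"win32_shadowcopy\b.*(remove-wmiobject|remove-ciminstance|\.delete\(\))")),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b")),
    ("wbadmin_delete_catalog",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\b(catalog|systemstatebackup)\b")),
]


def normalize(cmdline: str) -> str:
    """Lowercase and collapse whitespace so casing or padding does not defeat a match."""
    return " ".join(cmdline.lower().split())


def classify(cmdline: str) -> list[str]:
    """Return the names of every rule the command line matches (empty = benign)."""
    norm = normalize(cmdline)
    return [name for name, rx in RULES if rx.search(norm)]


def scan_events(events):
    """Run every event (dicts with host, user, cmdline) through the rules."""
    findings = []
    for ev in events:
        hits = classify(ev["cmdline"])
        if hits:
            findings.append({"host": ev["host"], "user": ev["user"],
                             "rules": hits, "cmdline": ev["cmdline"]})
    return findings


def summarize_by_host(findings):
    """Collapse findings per host; two or more distinct techniques on one host
    is the pre-encryption pattern the article describes and is rated high."""
    per_host = {}
    for f in findings:
        per_host.setdefault(f["host"], set()).update(f["rules"])
    return {host: {"rules": sorted(rules),
                   "severity": "high" if len(rules) >= 2 else "medium"}
            for host, rules in per_host.items()}


# Constructed sample events (not real telemetry): a mix of malicious and benign.
SAMPLE_EVENTS = [
    {"host": "ws-042", "user": "CORP\\jdoe",
     "cmdline": "vssadmin.exe  Delete Shadows /All /Quiet"},
    {"host": "ws-042", "user": "CORP\\jdoe",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"host": "srv-db1", "user": "NT AUTHORITY\\SYSTEM",
     "cmdline": "wmic.exe shadowcopy delete"},
    {"host": "srv-db1", "user": "NT AUTHORITY\\SYSTEM",
     "cmdline": "wmic os get caption"},                      # benign
    {"host": "ws-017", "user": "CORP\\backupsvc",
     "cmdline": "vssadmin list shadows"},                    # benign: list, not delete
    {"host": "ws-017", "user": "CORP\\backupsvc",
     "cmdline": "powershell.exe -c \"Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}\""},
]


if __name__ == "__main__":
    for host, info in summarize_by_host(scan_events(SAMPLE_EVENTS)).items():
        print(host, info["severity"], ", ".join(info["rules"]))
```

In a real pipeline the events would come from Sysmon Event ID 1 or Windows Security 4688 with command-line auditing enabled; without command-line logging none of these rules can fire, which is the first thing to check before relying on this detection.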

Despite law enforcement campaigns against cybercrime and ransomware groups, the continual shift in tactics shows that BlackCat remains an active threat to organizations, with "no signs of winding down."  In a recent report, investigators described how the illicit financial proceeds associated with ransomware attacks have led to a "professionalization of cybercrime" and the advent of new supporting underground services.  Many major ransomware groups operate a service provider or RaaS model, in which they supply tooling and expertise to affiliates and, in return, take a cut of the profits.

These profits have driven the rapid development of a service industry that provides all the tools and services an up-and-coming threat group could need; thanks to cryptocurrency and dark web routing services, the many different groups involved can buy and sell services and access their profits anonymously.


This article is presented at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings


[1] https://thehackernews.com/2023/06/improved-blackcat-ransomware-strikes.html
