Rewterz Threat Alert – BlackCat Ransomware – Active IOCs

Severity

High

Analysis Summary

BlackCat – aka AlphaVM & AlphaV – is a Ransomware family that is deployed as a part of a Ransomware as a Service (RaaS). It is written in the Rust programming language and can run on Windows, Linux-based operating systems (Debian, Ubuntu, ReadyNAS, Synology), and VMWare ESXi.

This ransomware first appeared in November 2021. The majority of the group’s victims have been in the United States, although BlackCat and its associates have also targeted organizations in Europe, the Philippines, and other regions. Construction and engineering, retail, transportation, commercial services, insurance, machinery, professional services, telecommunication, auto components, and medicines are among the targeted sectors of BlackCat ransomware. This ransomware can be set to encrypt files using either the AES or ChaCha20 algorithms. It can destroy volume shadow copies, terminate programs and services, and stop virtual machines on ESXi servers to maximize the quantity of ransomed data.

Impact

• File Encryption

Indicators of Compromise

MD5

• 662b63a7c275fb866172430b1e118f24
• b00b5eb046fe27f645b2a9b7aecc0205
• 0c4a0c871ebe8a24e8406f351606cd32

SHA-256

• b513784f39511ca285ceab332101299ab98255de46008902a7ab438d545cc2ef
• 326993f7e516c7a9608bb8bdc9a7ae162ca485f70a97ede3fd9ba137878c66e5
• e3ab77bd18631ec47eeaed44753cd9d55db0db7e5961f486f5963013656dc3df

SHA-1

• 280ee2fc68b59e0670ce069abb9b3a915dc11a00
• cade2b4fd89e611c335edacc749ddc33899b95f2
• f73f1cea4f873e9c6c105598f90af40a52a4b613

Remediation

• Block all threat indicators at your respective controls.
• Search for IOCs in your environment.
• Avoid downloading lnk files or unexpected email attachments from unreliable sources.
• Along with network and system hardening, code hardening should be implemented within the organization so that their websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed codes.