Rewterz Threat Alert – BlackCat Ransomware Increasing Stakes Up To $2,5M In Demands – Active IOCs

Severity

High

Analysis Summary

BlackCat – aka AlphaVM & AlphaV – is a Ransomware family that is deployed as a part of a Ransomware as a Service (RaaS). It is written in the Rust programming language and can run on Windows, Linux-based operating systems (Debian, Ubuntu, ReadyNAS, Synology), and VMWare ESXi.
This ransomware first appeared in November 2021. The majority of the group’s victims have been in the United States, although BlackCat and its associates have also targeted organizations in Europe, the Philippines, and other regions. Construction and engineering, retail, transportation, commercial services, insurance, machinery, professional services, telecommunication, auto components, and medicines are among the targeted sectors of BlackCat ransomware. This ransomware can be set to encrypt files using either the AES or ChaCha20 algorithms. It can destroy volume shadow copies, terminate programs and services, and stop virtual machines on ESXi servers to maximize the quantity of ransomed data.

Researchers have seen a notable rise in the amount demanded as ransom by this Blackcat ransomware group. This ransomware group competes with other renowned ransomware such as Conti and Lockbit 3.0. They included a sophisticated search feature using stolen victim passwords, and private documents exposed on the TOR network.

Based on recently compromised victims in the Nordic region (not yet publicized by the group), the sum to be reimbursed surpasses $2 million. When the victim is willing to pay, one of the strategies employed gives a discount of about 50%. The average ransom demand made by BlackCat climbed to $2.5 million.
According to the most recent forecast, worldwide ransomware extortion activities would reach $265 billion by 2031, and business losses will top $10,5 trillion globally. These statistics show that ransomware is the greatest shadow economy on the globe as they are producing more financial losses than natural catastrophes.

Impact

• File Encryption
• Data Theft

Indicators Of Compromise

MD5

• 7a34b6a3c558492c04f3418d726b86a8
• ccde3fe374a219ed3a85a0bf548542c3
• 70b8bc74f381c9d7d1016006c3950f85
• 51826408514057db47c0bbbffb2c581d
• c1dd3d5a3528bf56632200d247ca9774
• c6901bc6720e1e30c6c2e89aae874a90

SHA-256

• f815f5d6c85bcbc1ec071dd39532a20f5ce910989552d980d1d4346f57b75f89
• c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40
• 4e18f9293a6a72d5d42dad179b532407f45663098f959ea552ae43dbb9725cbf
• 1af1ca666e48afc933e2eda0ae1d6e88ebd23d27c54fd1d882161fd8c70b678e
• 15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed
• 13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31

SHA-1

• 45212fa4501ede5af428563f8043c4ae40faec76
• c1187fe0eaddee995773d6c66bcb558536e9b62c
• 655c2567650d2c109fab443de4b737294994f1fd
• ce5540c0d2c54489737f3fefdbf72c889ac533a9
• 89060eff6db13e7455fee151205e972260e9522a
• 783b2b053ef0345710cd2487e5184f29116e367c

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicator of compromise (IOCs)  in your environment utilizing your respective security controls
• Maintain cyber hygiene by updating your anti-virus software and implement patch management lifecycle.
• Maintain Offline Backups – In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
• Emails from unknown senders should always be treated with caution.
• Never trust or open ” links and attachments received from unknown sources/senders.