1. Home
  2. Software
  3. BlackCat

BlackCat

BlackCat is ransomware written in Rust that has been offered via the Ransomware-as-a-Service (RaaS) model. First observed November 2021, BlackCat has been used to target multiple sectors and organizations in various countries and regions in Africa, the Americas, Asia, Australia, and Europe.[1][2][3]

ID: S1068
Associated Software: ALPHV, Noberus
Type: MALWARE
Platforms: Linux, Windows
Contributors: Hiroki Nagahama, NEC Corporation; Josh Arenas, Trustwave Spiderlabs; Manikantan Srinivasan, NEC Corporation India; Pooja Natarajan, NEC Corporation India
Version: 1.0
Created: 28 February 2023
Last Modified: 15 June 2023
Version Permalink

Associated Software Descriptions

Name Description
ALPHV

[1][3]
Noberus

[3]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

BlackCat can bypass UAC to escalate privileges.[1]

Enterprise T1134 Access Token Manipulation

BlackCat has the ability modify access tokens.[1][2]
Enterprise T1087 .002 Account Discovery: Domain Account

BlackCat can utilize net use commands to identify domain users.[1]
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

BlackCat can execute commands on a compromised network with the use of cmd.exe.[1]
Enterprise T1486 Data Encrypted for Impact

BlackCat has the ability to encrypt Windows devices, Linux devices, and VMWare instances.[1]
Enterprise T1491 .001 Defacement: Internal Defacement

BlackCat can change the desktop wallpaper on compromised hosts.[1][2]
Enterprise T1561 .001 Disk Wipe: Disk Content Wipe

BlackCat has the ability to wipe VM snapshots on compromised networks.[1][2]
Enterprise T1083 File and Directory Discovery

BlackCat can enumerate files for encryption.[1]
Enterprise T1222 .001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification

BlackCat can use Windows commands such as fsutil behavior set SymLinkEvaluation R2L:1 to redirect file system access to a different location after gaining access into compromised networks.[1]
Enterprise T1070 .001 Indicator Removal: Clear Windows Event Logs

BlackCat can clear Windows event logs using wevtutil.exe.[1]
Enterprise T1490 Inhibit System Recovery

BlackCat can delete shadow copies using vssadmin.exe delete shadows /all /quiet and wmic.exe Shadowcopy Delete; it can also modify the boot loader using bcdedit /set {default} recoveryenabled No.[1]
Enterprise T1570 Lateral Tool Transfer

BlackCat can replicate itself across connected servers via psexec.[1]
Enterprise T1112 Modify Registry

BlackCat has the ability to add the following registry key on compromised networks to maintain persistence: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services \LanmanServer\Paramenters[1]
Enterprise T1135 Network Share Discovery

BlackCat has the ability to discover network shares on compromised networks.[1][2]
Enterprise T1069 .002 Permission Groups Discovery: Domain Groups

BlackCat can determine if a user on a compromised host has domain admin privileges.[1]
Enterprise T1018 Remote System Discovery

BlackCat can broadcasts NetBIOS Name Service (NBNC) messages to search for servers connected to compromised networks.[1]
Enterprise T1489 Service Stop

BlackCat has the ability to stop VM services on compromised networks.[1][2]
Enterprise T1082 System Information Discovery

BlackCat can obtain the computer name and UUID, and enumerate local drives.[1]
Enterprise T1033 System Owner/User Discovery

BlackCat can utilize net use commands to discover the user name on a compromised host.[1]
Enterprise T1047 Windows Management Instrumentation

BlackCat can use wmic.exe to delete shadow copies on compromised networks.[1]

Groups That Use This Software

ID Name References
G1015 Scattered Spider

Scattered Spider has deployed BlackCat ransomware to victim environments for financial gain.[4][5]

References

  1. Microsoft Defender Threat Intelligence. (2022, June 13). The many lives of BlackCat ransomware. Retrieved December 20, 2022.
  2. Brandt, Andrew. (2022, July 14). BlackCat ransomware attacks not merely a byproduct of bad luck. Retrieved December 20, 2022.
  3. Australian Cyber Security Centre. (2022, April 14). 2022-004: ACSC Ransomware Profile - ALPHV (aka BlackCat). Retrieved December 20, 2022.
  1. CISA. (2023, November 16). Cybersecurity Advisory: Scattered Spider (AA23-320A). Retrieved March 18, 2024.
  2. Microsoft. (2023, October 25). Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction. Retrieved March 18, 2024.