The BlackCat is out of the bag

2024-04-19

In the last few weeks the BlackCat (also known as AlphaV, AlphaVM or ALPHV) ransomware team has been making news in the cybersecurity world; however, this might not be for the reasons you think. In this article we will look into BlackCat and whether, as Cicero said, there is honour among thieves.

Who are BlackCat?

First spotted in late 2021 by researchers from MalwareHunterTeam, BlackCat rapidly rose to prominence. Of particular note is the fact that BlackCat is considered to be the first ransomware to be written in the Rust programming language; Rust is a cross-platform language, which means that the same ransomware strain can be deployed across different operating systems with relative ease, broadening the pool of potential victims significantly.

There is speculation that the author of the ransomware strain, known as ALPHV, was once associated with the REvil ransomware team (the perpetrators of the Colonial Pipeline attack, who were then hacked and shut down by the FBI in co-operation with various other organisations in late October 2021). Further speculation implies that BlackCat are based in Russia, or at least are Russian-speaking; however, it should be noted that Russian is a lingua franca on many hacking and cyber-crime forums, so this is not a definitive method of identifying the nationality of the group.

The team frequently appeared on lists of the most dangerous ransomware teams operating globally, with the DOJ stating “Over the past 18 months, ALPHV/Blackcat has emerged as the second most prolific ransomware-as-a-service variant in the world based on the hundreds of millions of dollars in ransoms paid by victims around the world.”

In December 2023 the team was hampered by their negotiation and data leak sites being taken offline by law enforcement agencies; however, a matter of days later, the ransomware gang regained control of their servers and continued to operate (also loosening restrictions they had previously held regarding not attacking critical infrastructure targets such as hospitals).

How do they operate?

As mentioned above, the code for the BlackCat ransomware strain is written in Rust. Rust is a cross-platform language, which means it is designed to work across different computing platforms. As opposed to other ransomware strains which are written in platform-specific languages (that is, languages designed to only work on one platform, such as C# or Golang), BlackCat can (with some basic modifications) infect multiple operating systems.

BlackCat operated a Ransomware-as-a-Service (RaaS) model, similar to the Software-as-a-Service model used by many legitimate businesses. In effect, this meant that BlackCat took responsibility for creating, maintaining and updating the ransomware code, offered a dashboard or platform that affiliates could use to customise the ransomware package, and maintained the payment portals that victims would use to pay the ransom (after which BlackCat would distribute the payment, less their fee, to the affiliate). Affiliates benefited greatly from this model as they did not need the technical expertise to create their own ransomware. Additionally, BlackCat took a much smaller fee than other RaaS providers at the time.

It appears that infection usually began with the Emotet malware (which used spam email as its dominant method of spreading) providing initial access to a network.

BlackCat were known to operate a double, or even triple, extortion methodology. This means that not only did they encrypt the data of the victim (single extortion), but they would also threaten to release the data publicly if the ransom was not paid (double extortion). Furthermore, they would sometimes threaten to launch Distributed Denial-of-Service attacks (also known as DDoS, whereby the attacker floods a victim’s website or service with requests, usually originating from botnets, so that it is unable to operate) against the victim (triple extortion).

Notable victims

BlackCat have been incredibly prolific since their first emergence in November 2021 (the nature of the RaaS model allows for many more attacks than a traditional ransomware operation can logistically handle), with many victims and many millions paid to them and their affiliates in ransom (usually in the Monero or Bitcoin cryptocurrencies). Below are outlined some of the highest-profile attacks carried out.

Moncler: the Italian luxury brand found themselves in the ignominious position of being one of the first high-profile victims of the BlackCat gang. At the very end of 2021 the company suffered a 10-day outage to its IT services. The company declined to pay the requested ransom of $3,000,000 (three million US dollars), resulting in their data being shared online by BlackCat, exposing both internal and customer data.

State of Carinthia: in May 2022 the Austrian federal state of Carinthia found itself at the mercy of BlackCat. The ransomware locked thousands of workstations across the state, causing significant disruption to government services including COVID-19 testing stations and passport issuing services. While a ransom of $5,000,000 (five million US dollars) was demanded, the state took the decision not to pay the ransom and instead to restore their services from backups.

Gestore dei Servizi Energetici SpA: GSE, a state-owned agency that promotes and supports the use of renewable energy sources in Italy, fell victim to BlackCat in late August 2022. According to a spokesman, GSE took their website and internal systems offline after detecting suspicious activity in order to prevent access to their data; however, the BlackCat release page claimed to have extracted 700GB of data.

Reddit: in February 2023 BlackCat managed to work their way into the corporate servers belonging to the social network Reddit. A spokesperson for Reddit stated that the infection was the result of a sophisticated phishing campaign. BlackCat claimed to have exfiltrated about 80GB of corporate data, including source code. They requested a ransom of $4,500,000 (four and a half million US dollars), in addition to demanding that Reddit repeal a controversial change to their API policy.

Recent events

The most recent events in BlackCat’s storied history are those that are most intriguing. After their brief dance with law enforcement at the tail end of 2023, BlackCat lifted the embargo on their affiliates attacking critical infrastructure. This resulted in the recently publicised attack on Change Healthcare, a subsidiary of US health insurance megalith UnitedHealth. This attack caused significant disruption across healthcare providers in the United States; furthermore, BlackCat claimed to have accessed and stolen the confidential medical information of millions of Americans. Ultimately, the post regarding this attack was taken down from BlackCat’s release page, which is usually an indicator that a ransom has been paid (or at the very least that the victim is engaging in negotiations).

Thus far this story does not seem to be particularly different to any other attack carried out by BlackCat, but events soon took an unprecedented turn. Researchers monitoring a cryptocurrency wallet address known to be used by the team for receiving ransom payments reported that a payment of $22,000,000 (22 million US dollars) had arrived. The usual modus operandi for BlackCat would be to then disburse payment to their affiliate after the affiliate had provided a decryption key to the victim. However, in this case, things turned out rather differently. Not long after this payment was received, a banner appeared on the BlackCat page claiming that the site had been seized by law enforcement agencies. However, the agencies named all deny this action. It would appear that BlackCat themselves put up this banner and have, in essence, run away with the ill-gotten gains. This is reinforced by some (now deleted) posts on a cybercriminal forum originating from the self-purported affiliate who carried out the attack on Change Healthcare, claiming that they had not received their promised payment.

All in all it appears that, perhaps, there is indeed no honour among thieves. Alternatively, BlackCat may have been swayed by the allegations that this affiliate is linked to Chinese state-sponsored groups. Perhaps it is as simple as their own defence puts it – they have in fact been the victim of a law enforcement operation. For now the situation remains muddied, but some things are almost certain. Ransomware is still a significant risk to enterprises. BlackCat may be gone, but almost certainly not for long (whether under a new name or not, they will likely re-emerge).

References

MalwareHunterTeam - tweet: https://twitter.com/malwrhunterteam/status/1468713125457371139
TrendMicro - BlackCat summary: https://www.trendmicro.com/vinfo/gb/security/news/ransomware-spotlight/ransomware-spotlight-blackcat
BleepingComputer - Moncler: https://www.bleepingcomputer.com/news/security/fashion-giant-moncler-confirms-data-breach-after-ransomware-attack/
BleepingComputer - Carinthia: https://www.bleepingcomputer.com/news/security/blackcat-alphv-ransomware-asks-5-million-to-unlock-austrian-state/
CrowdStrike - RaaS: https://www.crowdstrike.com/cybersecurity-101/ransomware/ransomware-as-a-service-raas/
The Verge - BlackCat takedown: https://www.theverge.com/2023/12/19/24008093/alphv-blackcat-ransomware-gang-site-seized-fbi-doj
Reuters - REvil takedown: https://www.reuters.com/technology/exclusive-governments-turn-tables-ransomware-gang-revil-by-pushing-it-offline-2021-10-21/
BleepingComputer - GSE: https://www.bleepingcomputer.com/news/security/blackcat-ransomware-claims-attack-on-italian-energy-agency/
The Register - Reddit: https://www.theregister.com/2023/06/20/reddit_confirms_blackcat_extortion_attempt/
TechCrunch - Change Healthcare: https://techcrunch.com/2024/02/29/unitedhealth-change-healthcare-ransomware-alphv-blackcat-pharmacy-outages/
Menlo Security - Swindled affiliate: https://www.menlosecurity.com/blog/swindled-blackcat-affiliate-wants-money-from-change-healthcare-ransom
The Hacker News - Exit scam: https://thehackernews.com/2024/03/exit-scam-blackcat-ransomware-group.html?_m=3n.009a.3297.io0ao44blc.2ap6
