elf.blackcat

BlackCat

aka: ALPHV, Noberus

ALPHV, also known as BlackCat or Noberus, is a ransomware family deployed as part of Ransomware-as-a-Service (RaaS) operations. ALPHV is written in the Rust programming language and supports execution on Windows, Linux-based operating systems (Debian, Ubuntu, ReadyNAS, Synology), and VMware ESXi. Its operators market it as ALPHV on cybercrime forums, but security researchers commonly call it BlackCat because of the black cat icon that appears on its leak site. ALPHV has been observed in ransomware attacks since November 18, 2021.

ALPHV can be configured to encrypt files using either the AES or ChaCha20 algorithm. To maximize the amount of data it can hold to ransom, ALPHV can delete volume shadow copies, stop processes and services, and stop virtual machines on ESXi servers. ALPHV can self-propagate by using PsExec to remotely execute itself on other hosts on the local network.

References
2023-12-03 | Twitter (@vxunderground) | VX-Underground: Tweet about ALPHV group compromising Tipalti to pressure its clients. (Tags: BlackCat)
2023-11-16 | CISA | CISA: Scattered Spider (Tags: BlackCat, Ave Maria, Raccoon, Vidar)
2023-07-13 | MSSP Lab | cocomelonc: Malware analysis report: BlackCat ransomware (Tags: BlackCat)
2023-05-30 | IBM Security | IBM Security X-Force Team: BlackCat (ALPHV) ransomware levels up for stealth, speed and exfiltration (Tags: BlackCat)
2023-05-15 | CrowdStrike | CrowdStrike: Hypervisor Jackpotting, Part 3: Lack of Antivirus Support Opens the Door to Adversary Attacks (Tags: BlackCat, SystemBC)
2023-03-30 | United States District Court (Eastern District of New York) | Fortra, HEALTH-ISAC, Microsoft: Cracked Cobalt Strike (1:23-cv-02447) (Tags: Black Basta, BlackCat, LockBit, RagnarLocker, Cobalt Strike, Cuba, Emotet, Mount Locker, PLAY, QakBot, Royal Ransom, Zloader)
2023-03-21 | Github (rivitna) | Andrey Zhdanov: BlackCat v3 Decryptor Scripts (Tags: BlackCat)
2022-09-28 | vmware | Giovanni Vigna: ESXi-Targeting Ransomware: The Threats That Are After Your Virtual Machines (Part 1) (Tags: Avoslocker, Babuk, Black Basta, BlackCat, BlackMatter, Conti, DarkSide, HelloKitty, Hive, LockBit, Luna, RansomEXX, RedAlert Ransomware, REvil)
2022-09-22 | ComputerWeekly | Alex Scroxton: ALPHV/BlackCat ransomware family becoming more dangerous (Tags: BlackCat, FIN7)
2022-08-22 | Microsoft | Microsoft: Extortion Economics - Ransomware’s new business model (Tags: BlackCat, Conti, Hive, REvil, AgendaCrypt, Black Basta, Brute Ratel C4, Cobalt Strike, Mount Locker, Nokoyawa Ransomware, Ryuk)
2022-08-11 | SecurityScorecard | Robert Ames: The Increase in Ransomware Attacks on Local Governments (Tags: BlackCat, Cobalt Strike, LockBit)
2022-07-14 | Sophos | Andrew Brandt, Andy French, Bill Kearney, Elida Leite, Harinder Bhathal, Lee Kirkpatrick, Peter Mackenzie, Robert Weiland, Sergio Bestulic: BlackCat ransomware attacks not merely a byproduct of bad luck (Tags: BlackCat)
2022-06-29 | Group-IB | Andrey Zhdanov, Oleg Skulkin: Fat Cats - An analysis of the BlackCat ransomware affiliate program (Tags: BlackCat)
2022-06-07 | AdvIntel | Marley Smith, Vitali Kremez, Yelisey Boguslavskiy: BlackCat — In a Shifting Threat Landscape, It Helps to Land on Your Feet: Tech Dive (Tags: BlackCat, Cobalt Strike)
2022-06-01 | Jorge Testa | Jorge Testa: Killing The Bear - Alphv (Tags: BlackCat)
2022-05-11 | Kaspersky | GReAT: New ransomware trends in 2022 (Tags: BlackCat, Conti, DEADBOLT, DoubleZero, LockBit, PartyTicket, StealBit)
2022-05-09 | Microsoft | Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC): Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself (Tags: AnchorDNS, BlackCat, BlackMatter, Conti, DarkSide, HelloKitty, Hive, LockBit, REvil, FAKEUPDATES, Griffon, ATOMSILO, BazarBackdoor, Blister, Cobalt Strike, Emotet, FiveHands, Gozi, IcedID, ISFB, JSSLoader, LockFile, Maze, NightSky, Pandora, Phobos, Phoenix Locker, PhotoLoader, QakBot, Rook, Ryuk, SystemBC, TrickBot, WastedLocker, BRONZE STARLIGHT)
2022-04-21 | Forescout | Vedere Labs: Analysis of an ALPHV incident (Tags: BlackCat)
2022-04-08 | The Hacker News | Ravie Lakshmanan: Researchers Connect BlackCat Ransomware with Past BlackMatter Malware Activity (Tags: BlackCat, BlackMatter)
2022-04-07 | Kaspersky | GReAT: A Bad Luck BlackCat (Tags: BlackCat)
2022-03-27 | Bleeping Computer | Lawrence Abrams: Hive ransomware ports its Linux VMware ESXi encryptor to Rust (Tags: BlackCat, Hive)
2022-03-22 | The Register | Jeff Burt: This is a BlackCat you don't want crossing your path (Tags: BlackCat, BlackMatter)
2022-03-17 | Cisco | Caitlin Huey, Tiago Pereira: From BlackMatter to BlackCat: Analyzing two attacks from one affiliate (Tags: BlackCat, BlackMatter)
2022-02-23 | Emsisoft | Senan Conrad: Ransomware Profile: ALPHV (Tags: BlackCat)
2022-02-08 | Trellix | Arnab Roy: BlackCat Ransomware as a Service - The Cat is certainly out of the bag! (Tags: BlackCat)
2022-02-02 | ZDNet | Jonathan Greig: BlackCat ransomware implicated in attack on German oil companies (Tags: BlackCat)
2022-01-28 | KrebsOnSecurity | Brian Krebs: Who Wrote the ALPHV/BlackCat Ransomware Strain? (Tags: BlackCat)
2022-01-26 | Intrinsec | Intrinsec: ALPHV ransomware gang analysis (Tags: BlackCat)
2021-12-21 | Twitter (@sisoma2) | sisoma2: BlackCat Ransomware Linux variant (Tags: BlackCat)
Yara Rules
[TLP:WHITE] elf_blackcat_auto (20230808 | Detects elf.blackcat.)
rule elf_blackcat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects elf.blackcat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.blackcat"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 0f0b 90 90 90 90 53 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   0f0b                 | mov                 eax, ebx
            //   90                   | mov                 eax, ebx
            //   90                   | jae                 0x15e6
            //   90                   | shr                 eax, 6
            //   90                   | mov                 edx, ebx
            //   53                   | and                 edx, 0x3f

        $sequence_1 = { 69c0???????? c1e811 6bf064 29f2 0fb7d2 }
            // n = 5, score = 200
            //   69c0????????         |                     
            //   c1e811               | mov                 dword ptr [esp + 0x58], 8
            //   6bf064               | dec                 eax
            //   29f2                 | lea                 edi, [0x121f94]
            //   0fb7d2               | dec                 eax

        $sequence_2 = { e8???????? 0f0b 90 53 }
            // n = 4, score = 200
            //   e8????????           |                     
            //   0f0b                 | mov                 edi, dword ptr [ecx + 0x14]
            //   90                   | mov                 ebp, dword ptr [ecx + 0x18]
            //   53                   | mov                 ebx, dword ptr [ecx + 0xc]

        $sequence_3 = { 89c1 3d???????? 7319 c1e906 }
            // n = 4, score = 200
            //   89c1                 | mov                 ebp, dword ptr [esp + 0x84]
            //   3d????????           |                     
            //   7319                 | mov                 dword ptr [esi + 8], 0xffffffff
            //   c1e906               | cmp                 dword ptr [esi + 8], 0

        $sequence_4 = { 660f7f8424f0010000 660f7f8424e0010000 660f7f8424d0010000 660f7f8424c0010000 660f7f8424b0010000 }
            // n = 5, score = 200
            //   660f7f8424f0010000     | dec    eax
            //   660f7f8424e0010000     | cmp    eax, -1
            //   660f7f8424d0010000     | jne    0x22c
            //   660f7f8424c0010000     | dec    eax
            //   660f7f8424b0010000     | lea    esi, [esp + 0x20]

        $sequence_5 = { d1e9 01d1 c1e902 8d14cd00000000 }
            // n = 4, score = 200
            //   d1e9                 | mov                 esi, dword ptr [esp + 0x14]
            //   01d1                 | mov                 eax, edi
            //   c1e902               | lea                 edi, [ecx + edx]
            //   8d14cd00000000       | lea                 esi, [esi - 0x4b514]

        $sequence_6 = { b801000000 81f9???????? 0f823fffffff b802000000 }
            // n = 4, score = 200
            //   b801000000           | mov                 ecx, dword ptr [esp + 0x10]
            //   81f9????????         |                     
            //   0f823fffffff         | movsd               qword ptr [eax], xmm0
            //   b802000000           | mov                 dword ptr [eax + 8], edi

        $sequence_7 = { 69c0???????? c1e810 29c2 0fb7d2 d1ea }
            // n = 5, score = 200
            //   69c0????????         |                     
            //   c1e810               | dec                 eax
            //   29c2                 | mov                 esi, dword ptr [esp + 0x20]
            //   0fb7d2               | dec                 eax
            //   d1ea                 | mov                 dword ptr [esp + 0x58], 3

        $sequence_8 = { 762a 0fb6c8 8d1489 8d0cd1 }
            // n = 4, score = 200
            //   762a                 | mov                 ebx, dword ptr [esp + 0x138]
            //   0fb6c8               | dec                 eax
            //   8d1489               | mov                 eax, dword ptr [esp + 0xe0]
            //   8d0cd1               | mov                 cl, 1

        $sequence_9 = { e8???????? 0f0b e8???????? 0f0b 90 90 90 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   0f0b                 | dec                 ecx
            //   e8????????           |                     
            //   0f0b                 | mov                 dword ptr [ecx], eax
            //   90                   | dec                 ecx
            //   90                   | mov                 dword ptr [ecx + 8], ebx
            //   90                   | dec                 ecx

    condition:
        7 of them and filesize < 8011776
}
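As an added illustration (not part of the Malpedia page or of the yara-signator tool), the following Python reimplements what the rule above does at match time: each $sequence_N hex string, with its ?? one-byte wildcards, becomes a byte regex, and the condition "7 of them and filesize < 8011776" is evaluated over a buffer. The build_sample helper is a hypothetical test-data generator that fills the wildcards with a fixed byte; it produces constructed input, not a real sample.

```python
import re

# Hex strings copied from the elf_blackcat_auto rule above; "??" is a one-byte
# wildcard, exactly as YARA interprets it in a hex string.
SEQUENCES = {
    "sequence_0": "e8???????? 0f0b 90 90 90 90 53",
    "sequence_1": "69c0???????? c1e811 6bf064 29f2 0fb7d2",
    "sequence_2": "e8???????? 0f0b 90 53",
    "sequence_3": "89c1 3d???????? 7319 c1e906",
    "sequence_4": "660f7f8424f0010000 660f7f8424e0010000 660f7f8424d0010000 "
                  "660f7f8424c0010000 660f7f8424b0010000",
    "sequence_5": "d1e9 01d1 c1e902 8d14cd00000000",
    "sequence_6": "b801000000 81f9???????? 0f823fffffff b802000000",
    "sequence_7": "69c0???????? c1e810 29c2 0fb7d2 d1ea",
    "sequence_8": "762a 0fb6c8 8d1489 8d0cd1",
    "sequence_9": "e8???????? 0f0b e8???????? 0f0b 90 90 90",
}
MAX_FILESIZE = 8011776   # from the rule's condition
REQUIRED = 7             # "7 of them"

def hex_pattern_to_regex(hexstr):
    """Compile a YARA-style hex string into a bytes regex ("??" -> any byte)."""
    hexstr = hexstr.replace(" ", "")
    parts = []
    for i in range(0, len(hexstr), 2):
        pair = hexstr[i:i + 2]
        parts.append(b"." if pair == "??" else re.escape(bytes.fromhex(pair)))
    return re.compile(b"".join(parts), re.DOTALL)

def matched_sequences(data):
    """Names of the $sequence_N strings found anywhere in data (sorted)."""
    return sorted(n for n, h in SEQUENCES.items()
                  if hex_pattern_to_regex(h).search(data))

def rule_matches(data):
    """Evaluate the condition 'REQUIRED of them and filesize < MAX_FILESIZE'."""
    return len(matched_sequences(data)) >= REQUIRED and len(data) < MAX_FILESIZE

def build_sample(names):
    """Constructed test input (hypothetical, not a real sample): concrete
    instances of the named sequences, wildcards filled with 0x41, separated
    by int3 padding."""
    chunks = [b"\x00" * 16]
    for n in names:
        concrete = SEQUENCES[n].replace(" ", "").replace("??", "41")
        chunks.append(bytes.fromhex(concrete) + b"\xcc" * 4)
    return b"".join(chunks)
```

Note that the filesize bound is part of the condition: a buffer that carries all ten sequences but is 8011776 bytes or larger does not match, which is the behaviour to keep in mind when scanning memory dumps rather than files.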