Rapid7 analyzes Black Hunt ransomware, a variant reportedly built from leaked LockBit code with similarities to REvil in its techniques, which has impacted hundreds of Paraguayan companies. The post details its anti-analysis checks, privilege escalation, language-based targeting, registry and security-evasion maneuvers, and its command-line driven behavior. #BlackHunt #LockBit #REvil #Paraguay
Keypoints
- Black Hunt is a ransomware variant that reuses LockBit code and shows similarities to REvil.
- It checks for a Vaccine.txt file under C:\ProgramData as an anti-exploitation flag and may terminate if the file is present.
- It elevates privileges via AdjustTokenPrivileges to multiple system privileges (e.g., SeDebugPrivilege, SeBackupPrivilege, SeTakeOwnershipPrivilege).
- The malware hides its window (SW_HIDE), reads its command line, and supports numerous CLI flags to control encryption, scope, and persistence.
- It uses extensive registry edits, Run keys, and scheduled tasks for persistence, plus methods to disable defenses and delete backups/shadow copies.
- Black Hunt enumerates languages, networks, shares, and processes to tailor its attack and evade detection.
MITRE Techniques
- [T1106] Native API – The ransomware may execute its malicious activities by interacting with system APIs. “Native API (T1106)”
- [T1053.005] Scheduled Task – Black Hunt sets persistence by creating scheduled tasks to execute the malware upon system startup using the command. “Black Hunt sets persistence by creating scheduled tasks to execute the malware upon system startup using the command”
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Modifies the Windows Registry to establish persistence, ensuring it runs automatically upon system startup. “Modifies the Windows Registry to establish persistence, ensuring it runs automatically upon system startup.”
- [T1548.002] Bypass User Account Control – Black Hunt grants itself elevated privileges without user intervention by modifying registry values: EnableLUA and EnableLinkedConnections. “Black Hunt grants itself elevated privileges without user intervention by modifying registry values: EnableLUA and EnableLinkedConnections.”
- [T1134] Access Token Manipulation – Black Hunt manipulates access tokens, granting itself privileges to perform various actions on the system. “Black Hunt manipulates access tokens, granting itself privileges to perform various actions on the system”
- [T1112] Modify Registry – Modifies registry keys to disable security features, alter system configurations, and establish persistence. “Modifies registry keys to disable security features, alter system configurations, and establish persistence.”
- [T1562.001] Impair Defenses: Disable or Modify Tools – Black Hunt disables security tools to avoid possible detection of their malware/tools and activities. “Black Hunt disables security tools to avoid possible detection of their malware/tools and activities”
- [T1070.004] File Deletion – Black Hunt empties the Windows Recycle Bin to permanently delete files and prevent recovery attempts. “Black Hunt empties the Windows Recycle Bin to permanently delete files and prevent recovery attempts.”
- [T1070.001] Indicator Removal on Host: Clear Windows Event Logs – The ransomware clears Windows Event Logs to erase evidence. “The ransomware clears Windows Event Logs to erase evidence.”
- [T1562.009] Safe Mode Boot – Black Hunt disables endpoint defenses. “Black Hunt disables endpoint defenses”
- [T1564.003] Hide Artifacts: Hidden Window – Black Hunt uses a hidden window to conceal malicious activity from the plain sight of users. “Black Hunt uses a hidden window to conceal malicious activity from the plain sight of users.”
- [T1046] Network Service Discovery – Black Hunt lists services running on the local network. “Network Service Discovery (T1046) … lists services running on the local network”
- [T1614.001] System Language Discovery – Black Hunt gathers information about the system language of a host in order to infer the geographical location of that host. “System Location Discovery: System Language Discovery (T1614.001) Black Hunt gathers information about the system language of a host in order to infer the geographical location of that host”
- [T1135] Network Share Discovery – Black Hunt enumerates shared network drives and folders to access other systems. “Network Share Discovery (T1135) Black Hunt enumerates shared network drives and folders to access other systems”
- [T1083] File and Directory Discovery – Black Hunt enumerates files and directories to identify whether certain objects should be encrypted. “File and Directory Discovery (T1083) Black Hunt enumerates files and directories to identify whether certain objects should be encrypted”
- [T1057] Process Discovery – Black Hunt performs process discovery/enumeration to terminate processes that could interfere with the encryption process. “Process Discovery (T1057) Black Hunt performs process discovery/enumeration to terminate processes that could interfere with the encryption process.”
- [T1490] Inhibit System Recovery – Deletes backups, volume shadow copies, and disables automatic repair and recovery features. “Inhibit System Recovery (T1490) Deletes backups, volume shadow copies, and disables automatic repair and recovery features.”
- [T1486] Data Encrypted for Impact – Black Hunt is capable of encrypting the victim’s files. “Data Encrypted for Impact (T1486) Black Hunt is capable of encrypting the victim’s files”
- [T1489] Service Stop – Stops certain services, such as those related to backup, security software, and others. “Service Stop (T1489) Stops certain services, such as those related to backup, security software, and others”
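The UAC-bypass (T1548.002), Modify Registry (T1112) and Run-key persistence (T1547.001) entries above all leave registry value-set events behind. The following is an added detection example, not code from the Rapid7 post: it evaluates constructed Sysmon Event ID 13 (RegistryEvent: Value Set) records for the two values the analysis names, EnableLUA turned off and EnableLinkedConnections turned on under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, plus any new value written under a Run/RunOnce key. The sample events, the writing image path and the Run value name are constructed for the example.

```python
"""Flag Black Hunt-style registry tampering in Sysmon value-set events.

Added example, not part of the original analysis. Input records mimic the
TargetObject/Details fields of Sysmon Event ID 13; all of them are constructed.
"""
import re

# Parent key that holds EnableLUA and EnableLinkedConnections (compared case-insensitively).
POLICIES_SYSTEM = r"\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM"
# Any value written directly under a Run or RunOnce key, in HKLM or HKCU.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\[^\\]+$",
                        re.IGNORECASE)

# Constructed sample events (not real telemetry). Only EventID 13 records are evaluated.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin",
     "Details": "DWORD (0x00000005)"},                      # benign policy change, no finding
    {"EventID": 13, "Image": r"C:\Users\victim\AppData\Local\Temp\update.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000000)"},                      # UAC disabled
    {"EventID": 13, "Image": r"C:\Users\victim\AppData\Local\Temp\update.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections",
     "Details": "DWORD (0x00000001)"},                      # mapped drives shared across tokens
    {"EventID": 13, "Image": r"C:\Users\victim\AppData\Local\Temp\update.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\BlackHunt",
     "Details": r"C:\Users\victim\AppData\Local\Temp\update.exe"},  # Run-key persistence
    {"EventID": 12, "Image": r"C:\Users\victim\AppData\Local\Temp\update.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "Details": ""},                                        # key create event, ignored here
]


def dword_value(details):
    """Parse Sysmon's 'DWORD (0x........)' rendering; None for other value types."""
    m = re.fullmatch(r"DWORD \(0x([0-9A-Fa-f]{8})\)", details.strip())
    return int(m.group(1), 16) if m else None


def detect_registry_tampering(events):
    """Return (finding, image, target_object) tuples for suspicious value writes."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        target = ev["TargetObject"]
        parent, _, name = target.rpartition("\\")
        if parent.upper().endswith(POLICIES_SYSTEM):
            val = dword_value(ev["Details"])
            if name.lower() == "enablelua" and val == 0:
                findings.append(("uac_disabled", ev["Image"], target))
            elif name.lower() == "enablelinkedconnections" and val == 1:
                findings.append(("linked_connections_enabled", ev["Image"], target))
        elif RUN_KEY_RE.search(target):
            findings.append(("run_key_persistence", ev["Image"], target))
    return findings


if __name__ == "__main__":
    for finding in detect_registry_tampering(SAMPLE_EVENTS):
        print(*finding, sep="\t")
```

Feeding real Sysmon exports through this logic, the value of the check is the combination: a single process disabling EnableLUA, enabling EnableLinkedConnections and planting a Run value within a short window is a much stronger signal than any one of those writes alone, and the Image field lets the analyst pivot straight to the responsible binary.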
Indicators of Compromise
- [Mutex] context – BLACK_HUNT, \BaseNamedObjects\BlackKeys
- [SHA256] context – C25F7B30D224D999CE337A13224C1CDE9FFB3F415D7113548DE9914A1BB3F123, 74df3452a6b9dcdba658af7a9cf5afb09cce51534f9bc63079827bf73075243b – #BlackHunt_Update.hta file and 4 more hashes
- [Email] context – Teikobest@gmail dot com, Loxoclash@gmail dot com
- [URL] context – http[://]sdif9821kjsdvcjlksaf2kjhlksvvnktyoiasuc921f
- [File] context – C:\ProgramData\#BlackHunt_ReadMe.hta
- [File] context – C:\ProgramData\#BlackHunt_Public.key, C:\ProgramData\#BlackHunt_Private.key, C:\ProgramData\#BlackHunt_ID.txt
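The indicators above are published defanged (`gmail dot com`, `http[://]`), and the file and mutex entries only match host telemetry once paths, case and the `\BaseNamedObjects\` prefix are normalized. The following is an added example, not code from the Rapid7 post, that refangs the listed indicators and matches them against a constructed set of host artifacts (the artifact values are invented for the example; the indicator values are the ones on this page, with the truncated URL left out because it is incomplete).

```python
"""Refang the Black Hunt indicators listed above and match host artifacts against them.

Added example, not part of the original analysis. IOCS holds the page's indicators;
SAMPLE_ARTIFACTS is a constructed host inventory used to exercise the matcher.
"""
import re

IOCS = {
    "mutex": ["BLACK_HUNT", r"\BaseNamedObjects\BlackKeys"],
    "sha256": [
        "C25F7B30D224D999CE337A13224C1CDE9FFB3F415D7113548DE9914A1BB3F123",
        "74df3452a6b9dcdba658af7a9cf5afb09cce51534f9bc63079827bf73075243b",
    ],
    "email": ["Teikobest@gmail dot com", "Loxoclash@gmail dot com"],
    "file": [
        r"C:\ProgramData\#BlackHunt_ReadMe.hta",
        r"C:\ProgramData\#BlackHunt_Public.key",
        r"C:\ProgramData\#BlackHunt_Private.key",
        r"C:\ProgramData\#BlackHunt_ID.txt",
    ],
}

# Constructed host artifacts: (kind, observed value). Mixed case and prefix variants on purpose.
SAMPLE_ARTIFACTS = [
    ("file", r"c:\programdata\#blackhunt_readme.hta"),
    ("file", r"C:\ProgramData\Vaccine.txt"),          # the kill-switch file, not an IoC here
    ("sha256", "c25f7b30d224d999ce337a13224c1cde9ffb3f415d7113548de9914a1bb3f123"),
    ("sha256", "0000000000000000000000000000000000000000000000000000000000000000"),
    ("mutex", "BlackKeys"),                             # as reported by a handle enumerator
    ("mutex", "Global\\SomeOtherMutex"),
    ("email", "loxoclash@gmail.com"),
    ("email", "helpdesk@example.com"),
]


def refang(indicator):
    """Undo the common defanging conventions used when publishing indicators."""
    s = indicator.strip()
    s = s.replace("[://]", "://").replace("[.]", ".").replace("(.)", ".")
    s = re.sub(r"\s+dot\s+", ".", s, flags=re.IGNORECASE)
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    return s


def normalize(kind, value):
    """Canonical form per indicator kind so that host observations compare equal."""
    v = refang(value)
    if kind in ("sha256", "email", "file"):
        return v.lower()                 # Windows paths and hex digests are case-insensitive
    if kind == "mutex":
        return v.rsplit("\\", 1)[-1]     # compare the object name, ignore \BaseNamedObjects\ or Global\
    return v


def build_index(iocs):
    return {(kind, normalize(kind, v)) for kind, values in iocs.items() for v in values}


def match_artifacts(artifacts, iocs=IOCS):
    """Return the (kind, value) artifacts that correspond to a listed indicator."""
    index = build_index(iocs)
    return [(kind, value) for kind, value in artifacts if (kind, normalize(kind, value)) in index]


if __name__ == "__main__":
    for kind, value in match_artifacts(SAMPLE_ARTIFACTS):
        print(f"{kind:7} {value}")
```

The Vaccine.txt entry in the sample inventory is deliberately not treated as a hit: its presence is the ransomware's own opt-out marker, not evidence of infection, so it belongs in a separate "notable file" check rather than in the indicator match.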