Ransomware Spotlight: BlackCat – Security News

BlackCat (ALPHV) ransomware has risen to prominence with a Rust-based framework, triple extortion tactics, and a growing affiliate network that leverages diverse attack vectors. Trend Micro highlights evolving TTPs—from Emotet-assisted initial access to private negotiation keys and high-profile incidents, including German oil infrastructure and MGM Resorts International—and stresses the need for stronger defenses against this threat actor.

#BlackCat #ALPHV #AlphaVM #AlphaV #ExMatter #Eamfo #Veeam #Emotet #CobaltStrike #DEV0237 #DEV0504 #Ryuk #Conti #Hive #REvil #MGMResortsInternational

Key points

  • BlackCat is a Rust-based ransomware family noted for unconventional methods and rapid ascendance in the cybercrime space.
  • The group employs triple extortion, including data exposure and threats of DDoS to pressure victims.
  • BlackCat operates a public leak site, increasing the visibility and pressure on victims to pay.
  • Affiliates receive substantial payouts (up to 90%), aiding recruitment and expansion of the RaaS network.
  • The attack surface varies by affiliate, with vectors including Microsoft Exchange server vulnerabilities, RDP, and stolen credentials.
  • Emotet has been used as an initial entry point, with Cobalt Strike beacon enabling lateral movement.
  • Notable incidents include German oil infrastructure disruption, an Italian energy agency breach, and attacks on MGM Resorts International.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Exploit Microsoft Exchange server vulnerabilities to access the target network. ‘…exploit different attack vectors that include Microsoft Exchange server vulnerabilities to access the target network…’
  • [T1021] Lateral Movement – Use a compromised system’s beacon for movement within the network. ‘a second-stage payload to enable lateral movement.’
  • [T1041] Exfiltration – Exfiltrate data using the ExMatter data exfiltration tool. ‘ExMatter data exfiltration tool’
  • [T1552] Credentials in Files – Steal credentials stored by backup software such as Veeam. ‘steal credentials stored by Veeam backup software’
  • [T1021.001] Remote Services – Entry via remote desktop applications and other remote services. ‘remote desktop applications’

Indicators of Compromise

  • [Organization] MGM Resorts International – high-profile victim of the September 2023 incident.
  • [Organization] Italian energy agency – breached, with roughly 700 GB of exfiltrated data reported.
  • [Organization] German oil sector targets – 233 gas stations impacted in early 2022.
  • [Tool/Malware] Emotet, ExMatter, Eamfo, Cobalt Strike beacon, Log4J Auto Exploiter – observed components of infection and post-exploitation.
  • [Threat Actor/Group] BlackCat (ALPHV) and affiliates DEV-0237, DEV-0504 – described actors and affiliates involved in campaigns.
  • [Communication/Platform] Tor leak site, Telegram account (used for advertising and coordination) – used to publicize tools and offerings.

Read more: https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackcat