Keypoints
- Initial access achieved via legitimate remote session/management tools (Total Software Deployment, ScreenConnect) to blend with admin activity.
- Operators run scripts to disable Windows Defender and SmartScreen before deploying the ransomware binary update.exe, which will not execute without a 64‑character hex access token supplied on the command line.
- The binary (compiled in Rust) supports many command-line flags to control propagation, VM/ESXi behavior, logging, and safe‑boot options, and it attempts privilege escalation via COM instantiation and token manipulation.
- Post-compromise actions include discovery (wmic, arp -a), creating NamedPipe channels for command output, stopping IIS/SQL services, setting MaxMpxCt, and deleting volume shadow copies (vssadmin, wmic Shadowcopy Delete).
- Artifact removal includes enumerating Windows event logs with wevtutil.exe (wevtutil.exe el lists the logs, which are then cleared) and targeted termination of backup and virtualization services (e.g., Veeam, BackupExec) to inhibit recovery.
- Files are encrypted and a ransom note (RECOVER-[masked]-FILES.txt.png) and wallpaper changes are deployed; the ransomware uses per-binary public keys so decryption requires the matching private key.
- The campaign employs folder exclusion lists and flags to reduce noise and avoid worm-like propagation, complicating detection and analysis.
MITRE Techniques
- [T1219] Remote Access Software – Use of legitimate remote session management tools for initial access (‘strategic utilization of legitimate remote session management software, such as Total Software Deployment and ScreenConnect.’).
- [T1059] Command and Scripting Interpreter – Use of batch and PowerShell scripts (including encoded PowerShell) to disable defenses and stop services (‘powershell.exe -encodedCommand …’ and batch scripts to disable Windows Defender and SmartScreen).
- [T1548.002] Abuse Elevation Control Mechanism: Bypass User Account Control – Binary attempts to obtain elevated privileges by instantiating a COM object through the COM elevation moniker, referencing the class by CLSID (‘Elevation: Administrator!new:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}’).
- [T1134.001] Access Token Manipulation: Token Impersonation/Theft – The binary resolves privilege names to LUIDs with LookupPrivilegeValueW as the first step in enabling additional privileges (SeBackupPrivilege, SeRestorePrivilege) on its token (‘The ransomware binary queries the user’s privileges using the LookupPrivilegeValueW function.’).
- [T1490] Inhibit System Recovery – Deletion of volume shadow copies to prevent recovery (‘vssadmin.exe Delete Shadows /all /quiet’ and ‘wmic.exe Shadowcopy Delete’).
- [T1070.001] Indicator Removal on Host: Clear Windows Event Logs – Listing and deleting event logs via wevtutil to remove forensic artifacts (‘wevtutil.exe el’).
- [T1489] Service Stop – Stopping critical services (IIS/SQL/backup) to disrupt operations (‘"cmd" /c "iisreset.exe /stop"’ and PowerShell that stops SQL/IIS services).
- [T1135] Network Share Discovery – Enumeration of network shares and neighbouring hosts with built-in discovery commands; arp -a lists the IP and MAC addresses in the local ARP cache, a quick map of hosts the machine has recently talked to (‘Arp -a – To list active known IP addresses.’).
- [T1090.003] Proxy: Multi-hop Proxy – The article’s detections table lists multi-hop proxying alongside the legitimate remote access tooling (T1219) used to maintain C2 and operator access (‘The group has adeptly leveraged legitimate remote access tools…’).
Indicators of Compromise
- [File name] Ransomware binary and artifacts – update.exe (ransomware binary requiring a 64-character hex access token), RECOVER-[masked]-FILES.txt.png (ransom note dropped on victims).
- [Named Pipe] Local IPC channel used for command output – __rust_anonymous_pipe1__.1566.4308904526 (example NamedPipe observed for command output).
- [Commands / Scripts] Post-compromise and destructive commands – “vssadmin.exe Delete Shadows /all /quiet”, “wmic.exe Shadowcopy Delete”, “wevtutil.exe el”, “iisreset.exe /stop”, and an encoded PowerShell string (powershell.exe -encodedCommand …).
- [Registry change] Server tuning setting – HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\MaxMpxCt set to 65535 (the maximum number of outstanding SMB requests the server accepts per client, raised so the ransomware’s concurrent network operations are not throttled).
- [Service names] Targeted service/process names to stop – examples include VeeamTransportSvc, BackupExec* (and other backup/virtualization service names such as “AcronisAgent”, “VeeamDeploymentService”, “MSExchange$”), and many more targeted services.
BlackCat operators gain access via legitimate remote-management tools (Total Software Deployment, ScreenConnect), then run scripted steps to disable security features (Windows Defender, SmartScreen) and stop critical services. They deploy a Rust-compiled ransomware binary (update.exe) that will not execute without a specific 64-character hexadecimal access token; the binary exposes numerous command-line flags (e.g., --no-net, --no-prop, --no-vm-kill, --safeboot, --access-token) to control propagation, logging, VM/ESXi behavior, and persistence.
Before encryption, the malware performs discovery (wmic csproduct get UUID, arp -a), creates NamedPipe channels for command output (__rust_anonymous_pipe1__.[PID].[Random]), and executes commands to stop IIS/SQL and many backup/virtualization services. It modifies LanmanServer MaxMpxCt, deletes volume shadow copies via vssadmin and WMIC, clears event logs with wevtutil, and escalates privileges via COM instantiation; it also resolves privilege names with LookupPrivilegeValueW to enable privileges (including SeRestorePrivilege and SeBackupPrivilege) that support credential access and lateral movement.
The binary encrypts files (adding a masked extension), drops a ransom note (RECOVER-[masked]-FILES.txt.png), and changes desktop wallpaper; it also implements folder exclusions and flags to limit noisy propagation and avoid worm-like behavior. Recovery requires the private key corresponding to the public key assigned to each binary, and the campaign’s operational choices (token-gated execution, logging, exclusion lists) are designed to increase stealth and complicate analysis.
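As an added illustration of the Indicators of Compromise list above and the behaviour summarised in the three preceding paragraphs (example code written for this page, not Trustwave’s analysis tooling or the ransomware’s own code), the following Python sweep runs the page’s command-line, registry, named-pipe and access-token indicators over constructed process-creation and pipe-creation events. The event field names (pid, image, cmdline, pipe), the sample command lines, the 64-character placeholder token and the encoded-PowerShell blob are all assumptions built for the example; the indicator strings themselves come from the page.

```python
"""Constructed detection sweep for the BlackCat indicators listed on this page.

The events below are hand-written to mirror the page's IoCs; they are not real
telemetry. Field names (pid, image, cmdline, pipe) are assumptions chosen to
resemble Sysmon process-creation / pipe-creation fields."""
import re
from typing import Optional

# Command-line indicators from the page. Each entry: (label, compiled regex).
COMMAND_RULES = [
    ("T1490 shadow copy deletion",
     re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("T1070.001 event log enumeration/clearing",          # 'el' lists logs, 'cl' clears one
     re.compile(r"wevtutil(?:\.exe)?\s+(?:el|cl)\b", re.I)),
    ("T1489 IIS stop",
     re.compile(r"iisreset(?:\.exe)?\s+/stop", re.I)),
    ("T1059.001 encoded PowerShell",                       # -e / -ec / -enc / -encodedcommand
     re.compile(r"powershell(?:\.exe)?\b.*?\s-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I)),
    ("LanmanServer MaxMpxCt tampering",
     re.compile(r"LanmanServer\\Parameters\b.*\bMaxMpxCt\b", re.I)),
    ("BlackCat binary flags",                              # flags named on the page
     re.compile(r"--(?:no-net|no-prop|no-vm-kill|safeboot)\b|--access-token\b", re.I)),
]

# The binary refuses to run without a 64-character hex token. Capturing it from
# the parent command line lets a sandbox replay the exact invocation instead of
# detonating a sample that silently exits.
ACCESS_TOKEN = re.compile(r"--access-token(?:\s+|=)([0-9a-f]{64})(?![0-9a-f])", re.I)
# Page pattern: __rust_anonymous_pipe1__.[PID].[Random]
RUST_ANON_PIPE = re.compile(r"^__rust_anonymous_pipe1__\.(\d+)\.(\d+)$")


def extract_access_token(cmdline: str) -> Optional[str]:
    """Return the 64-hex access token if the command line carries one."""
    m = ACCESS_TOKEN.search(cmdline)
    return m.group(1).lower() if m else None


def rust_anon_pipe_pid(pipe_name: str) -> Optional[int]:
    """Return the PID embedded in a Rust anonymous-pipe name, else None."""
    m = RUST_ANON_PIPE.match(pipe_name)
    return int(m.group(1)) if m else None


def match_command(cmdline: str) -> list[str]:
    """Labels of every command-line rule that fires on this command line."""
    return [label for label, rx in COMMAND_RULES if rx.search(cmdline)]


def sweep(events: list[dict]) -> dict[int, list[str]]:
    """Group findings by the pid that produced each event."""
    findings: dict[int, list[str]] = {}
    for ev in events:
        hits = []
        if "cmdline" in ev:
            hits += match_command(ev["cmdline"])
            if extract_access_token(ev["cmdline"]):
                hits.append("64-hex access token present")
        if "pipe" in ev:
            pid = rust_anon_pipe_pid(ev["pipe"])
            if pid is not None:
                hits.append(f"Rust anonymous pipe created by pid {pid}")
        if hits:
            findings.setdefault(ev["pid"], []).extend(hits)
    return findings


# Constructed sample data (assumption): a placeholder token and a made-up
# base64 blob standing in for the page's elided 'powershell.exe -encodedCommand ...'.
TOKEN = "0123456789abcdef" * 4
SAMPLE_EVENTS = [
    {"pid": 1566, "image": r"C:\Users\Public\update.exe",
     "cmdline": f"update.exe --access-token {TOKEN} --no-prop --no-vm-kill"},
    {"pid": 1566, "pipe": "__rust_anonymous_pipe1__.1566.4308904526"},
    {"pid": 2040, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd /c "vssadmin.exe Delete Shadows /all /quiet"'},
    {"pid": 2044, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic.exe Shadowcopy Delete"},
    {"pid": 2051, "image": r"C:\Windows\System32\wevtutil.exe", "cmdline": "wevtutil.exe el"},
    {"pid": 2060, "image": r"C:\Windows\System32\cmd.exe", "cmdline": 'cmd /c "iisreset.exe /stop"'},
    {"pid": 2071, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -encodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAKQA="},
    {"pid": 2080, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters "
                r"/v MaxMpxCt /t REG_DWORD /d 65535 /f"},
    {"pid": 3001, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for pid, labels in sorted(sweep(SAMPLE_EVENTS).items()):
        print(pid, labels)
```

The discovery commands (wmic csproduct get UUID, arp -a) are deliberately left out of the rule set: on their own they are routine administrative noise and would swamp the alert queue. wevtutil.exe el is similarly low-signal by itself; the loop the page describes makes it useful only because it is immediately followed by cl on every listed log, so in production the two should be correlated within the same parent process rather than alerted on separately.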
Read more: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/resurgence-of-blackcat-ransomware/