BlackCat – The New Ransomware on the Block

02.03.22
By: BreachQuest

BlackCat – also known as ALPHV – is a new ransomware group that was first seen at the end of November 2021. By the end of January 2022, Palo Alto Networks reported that BlackCat was the seventh-largest ransomware family. According to Dark Reading, BlackCat offers its customers 80-90% of the ransoms under the ransomware-as-a-service model. Per Jonathan Greig at ZDNet, BlackCat writes in Russian and codes in the Rust programming language. We have seen malware written in Rust, but as Jonathan notes, there has not been any ransomware written in Rust (to the best of our knowledge). As a result, Rust may allow BlackCat to go after a wider array of targets and operating systems.

Ransomware-as-a-Service

Ransomware-as-a-Service (RaaS) has accelerated since the start of the COVID-19 pandemic. With RaaS, threat actors (TAs) essentially outsource their ransomware activities to lesser-known affiliates. RaaS benefits attackers by decreasing the TA’s exposure and increasing the delegation of duties while simultaneously reducing the TA’s overhead. In short, RaaS can be seen as an evolution of ransomware operations. It ultimately increases the difficulty of detection for the Blue Team.

Trends in the ‘detection evasion’ space have targeted Endpoint Detection & Response (EDR) and Anti-Virus (A/V) products by vendor, so, although this is speculative, it is possible that a high level of EDR vendor-based targeting is being employed.

Who Are They Targeting?

Ransom amounts vary between victims, but as a rule, the larger (and, in theory, the more profitable) an organization is, the higher the ransom demand. Reporting within the last week indicates that BlackCat affiliates have demanded seven-figure ransoms, which tells us that attackers are making assumptions about ‘how much they can get out of a company.’ Those reports also indicate that BlackCat ransoms are floating around $9 million to $14 million. Given what we know of Rust’s targeting capabilities, it is not unreasonable to assume that the ransomware could have affected both Windows and Linux systems and, by involving a wider variety of systems, drawn a higher ransom demand.

Various outlets were excited about the apparent decline in ransomware cases at the beginning of November. But with BlackCat making its first appearance at the end of November, ransomware was evolving. Threat actors were just upping their game.

 

Written by Alex Ondrick, BreachQuest Director of Security Operations

 

 
