qertsandiego.blogg.se

Att black out








Most arguments are optional, but access-token is enforced to bypass the dynamic analysis performed by automated sandboxes. These options have evolved since its first version, as shown in figure 2, which compares one of the first samples available (reported by MalwareHunterTeam in December 2021) to the latest samples/versions. When executed, the malware offers several options for customizing its execution. Rust has been present in malware samples for many years, but BlackCat is the first professionally/commercially distributed malware family using it, and the most prosperous thus far.

  • Blog TeamTNT Delivers Cryptomining Malware Using New Memory Loader.
  • For this same reason, the Go language had become more popular among malware coders during the last year, as seen in other blogs released by Alien Labs, including: For these reasons, it has been voted the “most loved programming language” on Stack Overflow since 2016. Aside from the development advantages Rust offers, the attackers also take advantage of a lower detection ratio from static analysis tools, which aren’t usually adapted to all programming languages.


    Additionally, it is a cross platform language, allowing developers to target several operating systems with the same code. The BlackCat gang first appeared in mid-November 2021, and its payload is written in the Rust programming language, which is considered to have a similar performance to C/C++, but with better memory management to avoid memory errors and concurrent programming. However, all of them appear to attempt to exfiltrate victims’ data before starting the encryption process, gaining extortion power for subsequent requests. Since the malware family operates as a RaaS, the initial access vector depends on the affiliate party deploying the payload and can vary from one attacker to another. According to these blogs, at least 10 companies may have been impacted by these ransomware campaigns in the first two weeks of February. After a successful attack, victims who refuse to pay the ransom have their details posted on dark web forums to make attacks public, increasing their notoriety and shaming the affected organizations. The group operates with a ransomware-as-a-service (RaaS) business model, where the ransomware authors are entitled to 10-20% of the ransom payment, while the rest is kept by the affiliates deploying the payload. The malware behind these attacks is known as BlackCat ransomware, aka ALPHV, as reported by the same newspaper. Even with these actions, it’s been stated that 233 gas stations across Germany have been affected by the incident, resulting in those stations having to run some processes manually and only taking cash payment. The attacks allegedly caused Shell to re-route their supplies in order to avoid severe impacts to the German fuel supply. German newspaper Handelsblatt stated the oil companies Oiltanking and Mabanaft had been affected by a ransomware attack on January 29, 2022, that impacted one of the key oil providers in the area. 
The campaigns could take the form of ransomware attacks or data wiper attacks, as these have been highly successful in recent years, especially when combined with supply chain attacks. Now, with confrontations in the Ukrainian region taking on new levels of urgency, there is heightened expectation of future threat actor campaigns against the critical infrastructure of western countries.


    The 2021 ransomware attack on US-based Colonial Pipeline, which impacted the fuel supply on the East Coast of America for several days, raised awareness of the reality that adversaries are well prepared to launch future cyberattacks globally that could severely impact a country’s infrastructure. Campaigns remain active, with 16 known incidents in February 2022 as of the publishing of this report. BlackCat uses a “wall of shame” website both to blackmail victims and to prove and promote its latest campaigns publicly.


    Following trends observed last year by Alien Labs, the ransomware targets multiple platforms (Windows and Linux), and it uses additional code to infect VMware’s ESXi hypervisor. The ransomware BlackCat is coded in Rust and was created in November 2021. The attack had little impact on end customers, but it does serve to remind the cybersecurity community of the potential for threat actors to continue attacks against critical infrastructure globally.

    Executive summary

    AT&T Alien Labs™ is writing this report about recently created ransomware malware dubbed BlackCat, which was used in a January 2022 campaign against two international oil companies headquartered in Germany, Oiltanking and Mabanaft. This blog was jointly written with Santiago Cortes.








