• Platform
    Spring '24 Software Release! Check out our new deep image-based detection, GWS capabilities, and more. Explore the new additions
  • Solutions
    Introducing Weekly Demos! Join us for a live walkthrough of our platform and see the difference firsthand. Register Now
  • Learn
    New Report! Osterman Research releases their 2024 findings on Image-based/QR Code Attacks. Read the report
  • Partner
  • Pricing

International law enforcement collaboration led to the disbandment of several high-profile ransomware gangs in the last 12 months. As ransomware attacks gained more media coverage and wreaked more havoc on critical industries, these threat actors became much-sought targets for authorities. The biggest story came in January 2022 when Russian authorities closed in on REvil and claimed that the gang has “ceased to exist”.

The story of a ransomware gang regularly seems to end with its arrest or sudden disappearance from the web in recent times. However, warnings in previous posts highlighted that the tale of many disbanded gangs probably wasn’t over. It appears this warning has come to fruition with the emergence of a new group named BlackCat (also known as ALPHV). This article rounds up the series on ransomware groups by analyzing the new BlackCat operation.


BlackCat: Operations and Ransomware Analysis

Even when authorities close in on a group of threat actors, they don’t necessarily arrest all of them. Furthermore, the predominance of the ransomware-as-a-service model means that there are often many affiliates associated with these gangs. Affiliates may join and start their own group or join a new group.

Security researchers first observed BlackCat activity in November 2021. An immediate point of note about their operations is the use of triple extortion in some attacks. This evolution on double extortion adds the threat of a DDoS attack on a victim’s network if the victim refuses to pay the ransom. On top of the standard data exfiltration and ransomware files locking key systems, triple extortion adds another layer of pressure to pay up.

Lucrative affiliate offers are another distinct feature of BlackCat’s model. Recruitment posts on Russian language forums offered affiliates up to a 90% share of any ransoms collected. The ransomware strain itself is written in Russian. 

Threat actors signing up as affiliates get access to the ransomware strain. Typically, affiliates use common tactics and procedures to gain initial network access and move laterally. Privilege escalation features are embedded in the ransomware. After executing the payload, the encryption uses AES128-CTR and RSA-2048 algorithms.

BlackCat developers coded their ransomware using the Rust programming language. Rust has good cross-platform functionality, which makes it trivial to create variants that work on both Windows and Linux operating systems. Furthermore, the customizability of the language means threat actors can tailor attacks to specific victims’ networks.

The common trend running through BlackCat’s operations and ransomware strain is its innovation. This is evidently an experienced group of threat actors with sophisticated cybersecurity knowledge.


BlackCat’s victims

An aggressive set of attacks conducted in a short timespan meant BlackCat gained rapid notoriety in the cybersecurity community. In a timespan stretching just over one month, more than 12 victim names appeared on the gang’s dark web leak site. This prolific start to operations catapulted BlackCat straight into the top ransomware threats.


Moncler, December 2021

Italian luxury fashion giant Moncler became a high-profile BlackCat victim in December 2021. Formed in 1952, the company has over 1,400 employees and earns annual revenue of €1.4 billion.

The attack on Moncler unfolded when the company announced a disruption to IT operations on December 23. News filtered through that malware had caused a temporary outage. An update in early January clarified that logistics centers and client service activities were impacted by the incident.

The latest statement from Moncler also confirmed a compromise of sensitive personal data. This statement aligns with a DarkCat post on the group’s dark web leak site naming and shaming Moncler as a victim of the gang’s attacks. Moncler refused to pay the $3 million ransom demand set by BlackCat, which resulted in sensitive data being published online. The published data included customer invoices and earning statements. 


Inetum, December 2021

From fashion to IT services, a December 2021 attack on French company Inetum demonstrated the scope of BlackCat’s targets. Inetum provides transformative digital services and solutions, including smart agents, computer vision, and AI Ops to businesses around the world.

Inetum is one of the two BlackCat victims for which solid details exist about the attack and its scope. According to a press release on December 23, the attack impacted operations in France but not in any other locations. The scope of the impact was limited, and none of the company’s main infrastructures, collaboration tools, or delivery operations were affected.

Interestingly, Inetum didn’t disclose BlackCat as responsible for the attack. However, the editor-in-chief of French publication LeMagIt said that the ransomware strain discovered in Inetum’s network was authored by BlackCat.



More To Come?

BlackCat is evidently a sophisticated ransomware group. Just as the cybersecurity community thought the ransomware threat might be slowing down, evolutions and innovations promise a new wave of customized attacks that leverage the efficiency and adaptability of the Rust programming language. Generous affiliate offerings are guaranteed to entice more threat actors to sign up with the gang.

Over the course of 2022, expect more attacks to come from BlackCat and more news stories to feature the gang’s name. Other new ransomware gangs may form with their own innovations or simply emulate BlackCat’s model.


Bringing It Back to Basics

Having the basics of a secure cybersecurity posture in place goes a long way towards dealing with ransomware attacks. Whatever evolutions threat actors come up with in their coding practices, the fact remains that they still need to get initial network access to carry out successful attacks. Preventing initial access requires stopping phishing threats with advanced email security, having multifactor authentication enabled for all critical business apps and services, and ongoing cybersecurity education to ensure good physical and digital security hygiene among employees.

To learn more about IRONSCALES’ award-winning anti-phishing solution, please sign up for a demo today at https://ironscales.com/get-a-demo/.

February 2, 2022