BlackCat, a New Rust-Based Ransomware Malware

BlackCat has the potential to be the most sophisticated ransomware of the year.

The new ALPHV ransomware operation, dubbed BlackCat, debuted last month and has the potential to be the most sophisticated ransomware of the year: its highly customizable feature set allows attacks on a wide range of corporate environments. The ransomware executable is written in Rust, a language not commonly used by malware developers but gaining popularity for its high performance and memory safety.

BlackCat, like many variants before it, operates as ransomware-as-a-service (RaaS): the core developers recruit affiliates to breach corporate environments and encrypt files, but not before exfiltrating the documents in a double-extortion scheme that pressures targets into paying the requested amount under threat of the stolen data being leaked if they refuse.

Affiliates receive a revenue share that scales with the size of the ransom payment: 80% of payments up to $1.5 million, 85% of payments up to $3 million, and 90% of payments exceeding $3 million. To illustrate how much an affiliate can earn from these RaaS programmes, CNA reportedly paid a $40 million ransom to the Russian hacking outfit Evil Corp; under ALPHV's revenue sharing, that would translate to $36 million going to the affiliate.

In a separate analysis of BlackCat, South Korean cybersecurity firm S2W stated that the ransomware carries out its malicious actions by consulting an internal configuration, as other RaaS programmes do, drawing comparisons to BlackMatter, another ransomware that emerged from the ashes of DarkSide in July only to cease operations in early November.

The ALPHV BlackCat malware has a number of innovative features that distinguish it from other ransomware operations. It is entirely command-line driven, human-operated and highly configurable: it can employ several encryption techniques, propagate across systems, terminate virtual machines including ESXi VMs, and automatically delete ESXi snapshots to hinder recovery.

Each ALPHV ransomware executable embeds a JSON configuration that allows customization of the file extension, the ransom note, how data is encrypted, excluded folders/files/extensions, and the services and processes to be terminated automatically. The threat actor claims the ransomware can be configured to use four different encryption modes. ALPHV BlackCat can also be configured with domain credentials to spread the ransomware and encrypt other devices on the network: the executable extracts PsExec to the %Temp% folder and uses it to copy the ransomware to other network devices and execute it there, encrypting the remote Windows machine.
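The script below is an added illustration, not code from this article or from any analysis of the actual malware. It shows two things a defender does with the facts above: reduce an extracted configuration of this kind to actionable indicators (appended extension, ransom note name, exclusion lists, services and processes on the kill list, whether credential-based spreading is switched on), and look in process-creation telemetry for the drop-and-run pattern of PsExec executing from a temporary directory. The JSON key names, the sample configuration and the process records are all constructed for the example; they are not BlackCat's real schema or real indicators.

```python
import json
import re

# Constructed, hypothetical configuration. The categories mirror those the
# article lists (extension, ransom note, encryption mode, exclusions, services
# and processes to kill, credentials for spreading); the key names and every
# value are invented for this example and are NOT BlackCat's real schema.
SAMPLE_CONFIG = json.dumps({
    "extension": "examplext",
    "note_file_name": "HOW-TO-RESTORE-<EXT>.txt",
    "encryption_mode": "auto",
    "exclude_directory_names": ["windows", "system volume information", "$recycle.bin"],
    "exclude_file_names": ["desktop.ini", "ntuser.dat"],
    "exclude_file_extensions": ["exe", "dll", "sys"],
    "kill_services": ["vss", "backup"],
    "kill_processes": ["sqlservr.exe", "vmwp.exe"],
    "credentials": [{"domain": "EXAMPLE", "user": "svc_backup", "password": "<placeholder>"}],
    "network_discovery_enabled": True,
})


def triage_config(config_text: str) -> dict:
    """Reduce an extracted configuration to the facts a defender acts on.

    Credentials are counted, never echoed, so the summary is safe to share."""
    cfg = json.loads(config_text)
    creds = cfg.get("credentials", [])
    return {
        "extension": cfg.get("extension", ""),
        "note_file_name": cfg.get("note_file_name", ""),
        "encryption_mode": cfg.get("encryption_mode", "unknown"),
        "excluded_directories": frozenset(d.lower() for d in cfg.get("exclude_directory_names", [])),
        "excluded_file_names": frozenset(f.lower() for f in cfg.get("exclude_file_names", [])),
        "excluded_extensions": frozenset(e.lower().lstrip(".") for e in cfg.get("exclude_file_extensions", [])),
        "kill_services": frozenset(s.lower() for s in cfg.get("kill_services", [])),
        "kill_processes": frozenset(p.lower() for p in cfg.get("kill_processes", [])),
        "credential_count": len(creds),
        # Lateral spread needs both the switch and credentials to use.
        "spreads_laterally": bool(cfg.get("network_discovery_enabled")) and len(creds) > 0,
    }


def would_be_encrypted(triage: dict, path: str) -> bool:
    """Apply the exclusion lists the way the article describes them: a file is
    left alone if any directory on its path, its name, or its extension is
    excluded. Useful for estimating which data is exposed."""
    parts = [p.lower() for p in re.split(r"[\\/]+", path) if p]
    directories, filename = parts[:-1], parts[-1]
    if any(d in triage["excluded_directories"] for d in directories):
        return False
    if filename in triage["excluded_file_names"]:
        return False
    ext = filename.rsplit(".", 1)[1] if "." in filename else ""
    return ext not in triage["excluded_extensions"]


# Constructed process-creation records in a Sysmon-like shape (not real telemetry).
SAMPLE_PROCESS_EVENTS = [
    {"Computer": "WS01", "Image": r"C:\Tools\Sysinternals\PsExec.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Computer": "WS02", "Image": r"C:\Users\jdoe\AppData\Local\Temp\psexec.exe",
     "ParentImage": r"C:\Users\jdoe\Downloads\update.exe"},
    {"Computer": "WS02", "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
]

PSEXEC_IMAGE = re.compile(r"(?:^|\\)psexec(?:64)?\.exe$", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)


def find_psexec_from_temp(events):
    """Flag PsExec launched from a temporary directory, the drop-and-run
    pattern the article attributes to BlackCat's spreading logic. An admin
    running PsExec from its normal install path is not flagged."""
    return [
        (e["Computer"], e["Image"], e.get("ParentImage", ""))
        for e in events
        if PSEXEC_IMAGE.search(e.get("Image", "")) and TEMP_DIR.search(e.get("Image", ""))
    ]


if __name__ == "__main__":
    summary = triage_config(SAMPLE_CONFIG)
    print("extension:", summary["extension"], "| note:", summary["note_file_name"])
    print("spreads laterally:", summary["spreads_laterally"],
          "| credentials embedded:", summary["credential_count"])
    print("services to stop:", sorted(summary["kill_services"]))
    for host, image, parent in find_psexec_from_temp(SAMPLE_PROCESS_EVENTS):
        print(f"ALERT {host}: {image} (parent {parent})")
```

The `find_psexec_from_temp` check is deliberately narrow so that a legitimate administrator using PsExec from its usual location does not trip it; in a real pipeline the same rule would be fed from the Sysmon or EDR process-creation stream rather than an inline list, and the `would_be_encrypted` helper gives incident responders a quick way to reason about which parts of a file share a given configuration would have touched.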
Labels: Double extortion, Evil Corp, malware, RaaS, Ransomware