The recent activity of the BlackCat ransomware group has highlighted several factors that worry cybersecurity teams across verticals as well as law enforcement agencies. The sudden spike in the number of victims of this ransomware points clearly to new operational models that the attackers are using to spread the ransomware and reach more targets. Let us examine how this group was able to scale its operations so quickly and become a significant threat in such a short period of time.
How does the BlackCat Ransomware group operate?
The BlackCat group has been operating in one form or another since September 2021, when we first lifted a few digital fingerprints of the group as a distinct entity from an attack on a power plant in the Middle East. This was one of the earliest attacks attributed to the group. The breach was not successful, yet the power plant operator still received multiple ransom demand notes and calls from around the world.
The group began by modifying code it inherited from another ransomware group. Since then, it has revised its playbook to recruit new ‘affiliates’ to spread the malware, turning itself into a ransomware-as-a-service shop that lends its tools to other groups for a fee. The group has refined this playbook to such an extent that it now has a unique approach, an offshoot of its core model, in which the hacker(s) borrowing the ransomware pay a small amount upfront and later pay a percentage (30-50 percent) of the ransom collected from a victim as a commission.
So, in a way, the group collaborates with its affiliates to spread its ransomware while earning proportionately from the ransom received. Affiliates are recruited aggressively, with preference given to groups that have previously worked with other ransomware operations. Such affiliates are paid a bigger slice of the ransom collected. It is also possible that the group is training some of its affiliates.
There are also indications that the group uses a unique vetting process to weed out non-serious affiliates, as well as potential law enforcement teams trying to spy on it, its affiliates, and its activities. It has also developed its own payment and effort validation methods to ensure that all its affiliates report the correct earning figures to it (this applies specifically to affiliates who have opted for the revenue share model).
Why is the BlackCat group growing into a bigger threat than imagined?
To incentivize early payment, the group has now started offering discounts to victims who pay up early, another tactic deployed to ensure that victims pay the ransom quickly. The group also threatens to release sample data in batches to key stakeholders of the victim’s business to put added pressure on the victim. If this threat doesn’t work, a threat of a massive DDoS attack follows.
On the technical side, the ransomware is written in Rust, which is memory safe and reduces the likelihood of bugs that security researchers could exploit. It is designed for faster deployment and encryption. It can also target multiple OS ecosystems, being compatible with both Windows and Linux. The malware bears a low detection signature and is potentially undetectable, especially by static analysis tools. From the FBI report on the ransomware, the group’s activities, and its Indicators of Compromise, it also appears that the ransomware is designed to steal data, including user credentials, before it targets key systems. This is an example of what we call a gain of features, capabilities, and function over the parent variant of this ransomware, which was primarily developed to exfiltrate data.
Overall, the malware appears to be architected to hit as many victims as possible in the shortest possible time, before the operators appear on the law enforcement radar. It is also built to appeal to a broader set of players, including affiliates, rookies, and revenge hackers.
The level of focus on monetizing its ransomware shows how hacker groups have evolved to create purpose-built malware that meets the diverse requirements not just of its developers and users, but also of other groups that may use the source code to develop more potent variants in the future.