March 22, 2022

Cisco Talos Analyzes BlackCat RaaS

Industry: N/A | Level: Tactical | Source: Cisco Talos

Cisco Talos reports on BlackCat (aka ALPHV), the notorious Ransomware-as-a-Service (RaaS) group that has been active in the cyber threat landscape since November 2021. The threat group has since compromised many companies globally, with over 30% based in the US. BlackCat was initially thought to be a rebrand of the BlackMatter and DarkSide ransomware groups, but that was identified to be false. In an interview conducted by Recorded Future, a BlackCat representative shared that the group consists of many affiliates, some of them formerly with BlackMatter and DarkSide. Cisco Talos reconstructed an attack flow from its analysis of BlackCat campaigns in September and December, which showed overlapping TTPs. As stated by Cisco Talos, “In terms of attack flow, the attacks were similar to other human-operated ransomware attacks: initial compromise, followed by an exploration and data exfiltration phase, then attack preparation and finally, the attack execution.”

  • Anvilogic Use Cases:
    • Alternate Data Streams
    • Create/Modify Schtasks
    • Registry key added with reg.exe
    • Tunnel connection on local host
    • Rundll32 Command Line
    • Common LSASS Memory Dump Behavior
    • ProcDump Credential Harvest
    • comsvcs.dll Lsass Memory Dump
    • Windows Admin$ Share Access
    • Impacket/Empire’s WMIExec
    • Windows Firewall Rule Creation
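Several of the use cases listed above can be expressed as process-creation rules on image name plus command line. The following is an added Python example, not Anvilogic's or Cisco Talos's detection content; the event records, the regular expressions and the classify/triage helpers are all constructed here for illustration.

```python
import re

# Constructed sample process-creation events (image path + command line).
# These are illustrative records, not telemetry from the Talos report.
SAMPLE_EVENTS = [
    {"image": "C:\\Windows\\System32\\rundll32.exe",
     "cmdline": "rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 624 C:\\temp\\l.dmp full"},
    {"image": "C:\\tools\\procdump64.exe",
     "cmdline": "procdump64.exe -accepteula -ma lsass.exe C:\\temp\\out.dmp"},
    {"image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": "schtasks /create /tn Updater /tr C:\\temp\\u.exe /sc onlogon /ru SYSTEM"},
    {"image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": "reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /v u /d C:\\temp\\u.exe"},
    {"image": "C:\\Windows\\System32\\netsh.exe",
     "cmdline": "netsh advfirewall firewall add rule name=x dir=in action=allow protocol=TCP localport=3389"},
    {"image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe C:\\Users\\a\\notes.txt"},
]

# Each rule: (use-case name from the digest, image regex, command-line regex).
# Order matters: the more specific comsvcs.dll rule is checked before any generic rundll32 logic.
RULES = [
    ("comsvcs.dll Lsass Memory Dump", r"rundll32\.exe$", r"comsvcs\.dll.*minidump"),
    ("ProcDump Credential Harvest", r"procdump(64)?\.exe$", r"\blsass\b"),
    ("Create/Modify Schtasks", r"schtasks\.exe$", r"/(create|change)\b"),
    ("Registry key added with reg.exe", r"reg\.exe$", r"^reg\s+add\b"),
    ("Windows Firewall Rule Creation", r"netsh\.exe$", r"advfirewall\s+firewall\s+add\s+rule"),
]


def classify(event):
    """Return the first matching use-case name for one event, or None if nothing fires."""
    image = event["image"].lower()
    cmd = event["cmdline"].lower()
    for name, image_re, cmd_re in RULES:
        if re.search(image_re, image) and re.search(cmd_re, cmd):
            return name
    return None


def triage(events):
    """Map event index -> use-case name, keeping only events that matched a rule."""
    hits = {}
    for i, event in enumerate(events):
        name = classify(event)
        if name:
            hits[i] = name
    return hits


if __name__ == "__main__":
    for i, name in triage(SAMPLE_EVENTS).items():
        print(f"event {i}: {name}")
```

Matching on lowercase strings keeps the rules case-insensitive, and the benign notepad.exe record shows that an event with no matching rule is simply dropped from the triage output.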