The BlackCat/ALPHV ransomware group is back in the headlines, following a $22 million attack on Change Healthcare, first reported in February 2024. The group’s eponymous ransomware was initially observed in November 2021, and by April 2022, the FBI reported that the group had infected more than 60 organizations.
Between mid-2022 and the end of 2023, BlackCat emerged as the second most prolific ransomware-as-a-service group, having perpetrated more than 1,000 successful attacks against government entities, defense contractors, critical manufacturing companies, healthcare providers, schools, and more, according to the U.S. Justice Department (DOJ). But U.S. law enforcement officials were about to catch up.
In December 2023, the DOJ announced that the FBI had infiltrated the group, seized several of its websites, and released a decryption tool to help organizations get their data back.
The February attack on Change Healthcare, coming two months after the DOJ’s announcement, dealt a blow to U.S. law enforcement efforts to crack down on the group, which has ties to the Darkside ransomware gang responsible for the attack on Colonial Pipeline. The attack also demonstrated how quickly the threat actor could regroup, even if its resurgence turned out to be short lived: BlackCat announced a few weeks after the Change Healthcare attack was reported that it was shutting down.
Even if the BlackCat ransomware group disbands the way Darkside did in May 2021, its code and its tactics, including all the vulnerabilities and living-off-the-land techniques it exploits, remain a significant threat to organizations worldwide. Indeed, Krebs on Security reported that the group had already found a buyer for its source code.
RevealX has been helping organizations detect and stop BlackCat ransomware attacks since 2022. Here’s how RevealX catches these attacks before threat actors can spring their multi-million dollar double extortion trap.
Tactics and Techniques Associated with BlackCat Ransomware
Although technical details about the attack on Change Healthcare remain scarce, the techniques it uses are well documented in the MITRE ATT&CK® Matrix for Enterprise and other sources.
To gain initial access, the BlackCat ransomware group, like most ransomware groups, uses a variety of techniques, including stolen credentials (likely gained through initial access brokers or their own social engineering schemes) and exploitation of known and unknown software vulnerabilities. With respect to exploitation of software vulnerabilities, RevealX automatically discovers, classifies, and inventories all devices and cloud assets connecting to an organization’s network, enabling security teams to quickly pinpoint vulnerable devices and instances of vulnerabilities being exploited.
Once BlackCat threat actors are inside, they collect system and network information. They enumerate files, directories, domain trusts, and system and service logs, and they look for Active Directory data. They also try to figure out what EDR and logging tools an organization is running, so that they can then disable endpoint agents and delete logs (two techniques BlackCat is well known for). Account enumeration, network share enumeration, network discovery enumeration, and BloodHound enumeration with Active Directory would all light up in RevealX.
Next comes credential theft. The typical scenario involves a threat actor transferring malware designed to gather credentials over SMB, then executing the malware file using RPC. If your EDR and SIEM tools have been disabled, they won’t detect this activity, but RevealX will. RevealX sees SMB requests because it observes every packet going over the network, and it applies machine learning to identify suspicious SMB requests and file reads from, say, a new machine in an organization’s environment. EDR and logging tools are not set up to identify suspicious SMB requests.
RevealX also detects executable file transfer and has the ability to see when threat actors use RPC to execute malicious files. BlackCat actors have also been observed using DCSync to harvest administrative credentials by emulating a domain controller, another behavior RevealX detects.
To move laterally, BlackCat actors use Remote Desktop Protocol (RDP), and RevealX picks up on this activity. It can detect suspicious use of RDP on a host, whether that host is a user's laptop, a Windows virtual machine, a Windows server, or even a domain controller, activity that EDR and SIEM tools typically don't see.
RevealX also detects command and control. BlackCat, like many other ransomware groups, uses Cobalt Strike to establish communications with a C2 server. RevealX has a number of Cobalt Strike detections, including Cobalt Strike beacons transferred internally over SMB, Cobalt Strike outbound communication, Cobalt Strike communication over SMB named pipes, and more.
Additional indicators that RevealX picks up on include detections of Tor node connections, data staging, and data exfiltration.
RevealX Detection Capabilities Mapped to the MITRE ATT&CK Framework
Initial Access
T1190 - Exploit Public-Facing Application
BlackCat has been observed exploiting the ProxyShell vulnerability on Microsoft Exchange servers. ExtraHop detects this exploit and other exploits of public-facing applications with detectors including SQL Injection (SQLi) Attack, Outbound Log4Shell Activity, Log4Shell JNDI Injection Attempt, CVE-2024-21887 Ivanti Connect Secure and Policy Secure Exploit, CVE-2023-4966 Citrix NetScaler ADC and NetScaler Gateway Exploit, and CVE-2023-46747 F5 BIG-IP Exploit Attempt.
Execution
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
BlackCat has abused command and script interpreters to execute commands, scripts, and binaries. RevealX detects Command and Scripting Interpreter activity with the Unusual Interactive Traffic from an External Endpoint detector, which identifies network traffic associated with command and script interpreters based on behavioral heuristics.
T1047 - Windows Management Instrumentation
Abuse of Windows Management Instrumentation (WMI) to execute malicious commands and payloads has also been associated with BlackCat. This technique can signify persistence, lateral movement, payload execution, defense evasion, and information gathering. ExtraHop detects execution via WMI with the WMI Method Launch and New WMI Process Creation detectors. These detectors identify and alert on WMI abuse, including persistence that uses WMI to stay resident on the host, lateral movement that executes commands remotely, payload delivery through embedded WMI objects, evasion of traditional defense mechanisms, and system information gathering.
Defense Evasion
T1070.001 - Indicator Removal: Clear Windows Event Logs
As noted above, BlackCat deletes logs to remove evidence of its presence and hinder an organization's defenses. RevealX detects the removal of Windows Event Logs with the Remote Log Deletion detector, which identifies anomalies in system logs and patterns associated with log tampering or deletion. This covers log clearing that follows exploitation of system vulnerabilities, use of malware, or unauthorized logins, making it significantly harder for malicious actors to conceal their activities and maintain persistent access to the system.
T1112 - Modify Registry
BlackCat may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques that aid persistence and execution. RevealX detects remote registry activity with the Windows Registry Enumeration, Remote Registry Modification, and Windows Registry Modification Activity detectors. These detectors scrutinize Windows Registry enumeration and identify abnormal access or exploitation indicative of a potential cyberattack. RevealX also monitors for signs of remote and new registry modifications, which may signify advanced persistent threats or attempts to establish persistent access, elevate privileges, or execute malicious software, thus providing coverage against these types of attacks.
Discovery
T1087.002 - Domain Account Discovery
BlackCat may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. RevealX detects the enumeration of accounts with the LDAP SPN Scan and Kerberos User Enumeration detectors. These detectors monitor for unauthorized LDAP queries and suspicious Kerberos ticket requests associated with validation of usernames and directory data access. By tracking abnormal use of service principal names and unexpected ticket-granting service responses, the detection analytic enhances defenses against reconnaissance activities aimed at collecting sensitive network information and identifying valid usernames for further malicious activities.
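The Kerberos User Enumeration behavior described above can be illustrated with a small detector. This is an added example, not RevealX's detection logic or any ExtraHop code; the event format (timestamp, source IP, requested principal, KDC result code) and the sample events are constructed, while the two KDC error codes are the real values from RFC 4120. The idea is that a host walking a wordlist of usernames collects many KDC_ERR_C_PRINCIPAL_UNKNOWN responses for distinct names in a short window, whereas a valid name answers with KDC_ERR_PREAUTH_REQUIRED, which also tells the defender which accounts the attacker has now confirmed:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Kerberos KDC error codes from RFC 4120 (real values).
KDC_ERR_C_PRINCIPAL_UNKNOWN = 6   # client not found in Kerberos database
KDC_ERR_PREAUTH_REQUIRED = 25     # principal exists; pre-authentication needed

# Constructed sample of AS-REQ/AS-REP metadata as a sensor might record it:
# (timestamp, source IP, requested client principal, KDC result code).
SAMPLE_EVENTS = [
    ("2024-03-01T10:00:00", "10.0.0.5", "alice", KDC_ERR_PREAUTH_REQUIRED),
    ("2024-03-01T10:00:01", "10.0.0.5", "bob", KDC_ERR_PREAUTH_REQUIRED),
    ("2024-03-01T10:00:02", "10.0.0.5", "alice", 0),
    # one host walking a wordlist of candidate usernames against the KDC
    ("2024-03-01T10:00:10", "10.0.0.42", "admin", KDC_ERR_C_PRINCIPAL_UNKNOWN),
    ("2024-03-01T10:00:10", "10.0.0.42", "backup", KDC_ERR_C_PRINCIPAL_UNKNOWN),
    ("2024-03-01T10:00:11", "10.0.0.42", "svc_sql", KDC_ERR_PREAUTH_REQUIRED),
    ("2024-03-01T10:00:11", "10.0.0.42", "test", KDC_ERR_C_PRINCIPAL_UNKNOWN),
    ("2024-03-01T10:00:12", "10.0.0.42", "jsmith", KDC_ERR_C_PRINCIPAL_UNKNOWN),
    ("2024-03-01T10:00:12", "10.0.0.42", "guest", KDC_ERR_C_PRINCIPAL_UNKNOWN),
    # a single typo from an ordinary workstation must not trigger
    ("2024-03-01T10:00:20", "10.0.0.7", "carlo", KDC_ERR_C_PRINCIPAL_UNKNOWN),
    ("2024-03-01T10:00:25", "10.0.0.7", "carol", KDC_ERR_PREAUTH_REQUIRED),
]

def detect_user_enumeration(events, window_seconds=60, threshold=5):
    """Return {src_ip: sorted unknown names} for sources that asked the KDC
    about at least `threshold` distinct non-existent principals in one window."""
    unknown = defaultdict(list)
    for ts, src, client, code in events:
        if code == KDC_ERR_C_PRINCIPAL_UNKNOWN:
            unknown[src].append((datetime.fromisoformat(ts), client))
    window, flagged = timedelta(seconds=window_seconds), {}
    for src, hits in unknown.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):          # sliding window over sorted hits
            while hits[end][0] - hits[start][0] > window:
                start += 1
            names = {name for _, name in hits[start:end + 1]}
            if len(names) >= threshold:
                flagged[src] = sorted(names)
                break
    return flagged

def valid_accounts_learned(events, flagged):
    """Principals the KDC confirmed exist (PREAUTH_REQUIRED) to each flagged source."""
    return {src: sorted({c for _, s, c, code in events
                         if s == src and code == KDC_ERR_PREAUTH_REQUIRED}) for src in flagged}
```

Tuning the window and threshold to the environment matters: a misconfigured service retrying one bad principal never exceeds the distinct-name threshold, while a wordlist run does within seconds.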
T1083 - File and Directory Discovery
BlackCat enumerates files and directories, or searches specific locations on a host or network share for information of interest within a file system. RevealX detects file and directory enumeration with the Web Directory Scan and Unconventional Internal Connection detectors.
These detectors actively monitor the frequencies and patterns of web server queries, promptly identifying and alerting on any attempts to map web server structures that indicate potential intrusion. They also provide coverage for the detection of unconventional internal network connections, tracking instances of anomalous activities within the network, such as irregular access times, use of unusual protocols, and aberrant user behaviors, which may signify an advanced persistent threat attempting to spread malware, exploit vulnerabilities, or laterally move within the network.
T1135 - Network Share Discovery
BlackCat looks for folders and drives shared on remote systems to accomplish two goals: 1) identify sources of information to gather as a precursor for Collection and 2) identify potential systems of interest for Lateral Movement. RevealX detects Network Share Discovery with the SMB/CIFS Share Enumeration detector. This detector identifies suspicious activities associated with Server Message Block/Common Internet File System (SMB/CIFS) share enumeration. These activities include multiple unsuccessful login attempts indicative of brute force attacks, unusual network scanning for SMB shares, null sessions, or any evidence of an exploit such as EternalBlue.
T1069.002 - Permission Groups Discovery: Domain Groups
BlackCat seeks to discover group and permission settings. RevealX detects the enumeration of group information with the Windows Account Enumeration detector, which identifies when BlackCat is employing different techniques to query system accounts, exploit authentication weaknesses, manipulate error messages, or even intercept network traffic. By monitoring for unusually high volumes of system queries, changing system response behaviors, and irregular network activity, these detection analytics can identify potential account enumeration attempts and mitigate the risk of follow-on brute force attacks, privilege escalation, or denial-of-service attacks.
T1018 - Remote System Discovery
BlackCat enumerates information about remote systems that it can use in later stages of the attack to move laterally. RevealX detects the enumeration of remote systems over protocols such as DNS and LDAP using both signature-based and behavioral heuristics. It also identifies malicious Domain Controller Enumeration efforts that aim to gain higher access levels, breach network security, and formulate more strategic and targeted attacks.
T1082 - System Information Discovery
BlackCat tries to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. RevealX detects the enumeration of system information with the Scheduled Task Enumeration and New WMI Enumeration Query detectors. These detectors monitor the task scheduling utility in systems to catch suspicious activity that suggests the attacker is listing, exploiting, or manipulating scheduled tasks to achieve persistence or introduce malicious code. They also identify New WMI Enumeration Query attacks where the adversaries might use WMI to execute code, create processes, or query system information, thereby revealing system vulnerabilities or details about configuration that can be misused for detrimental purposes.
T1033 - System Owner/User Discovery
BlackCat has been observed enumerating one or more users associated with or actively using a computer. RevealX detects the enumeration of users with the Logged On User Enumeration detector based on protocol payload analysis. These analytics aid in mitigating threats by flagging continuous login attempts, irregular logins using a list of user credentials, and deceptive login emails or websites, thereby preventing potential unauthorized access, data manipulation, and more concentrated attacks.
Lateral Movement
T1570 - Lateral Tool Transfer
BlackCat transfers tools and other files between systems in a compromised environment. RevealX detects the transfer of malicious files and attack tools with the Unusual SMB/CIFS Executable File Transfer, File Transfer to Windows Autostart Path, New SMB/CIFS Executable File Transfer, Cobalt Strike Beacon Transfer, and Unusual Executable File Transfer detectors.
These detectors also cover Cobalt Strike Beacon transfers, which imply that an attacker is establishing or already holds control over a system, and any unusual executable file transfers that may signify a potential data breach or ongoing attack.
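Both the credential-theft scenario described earlier (malware pushed over SMB from a machine new to the environment) and the Lateral Tool Transfer detectors named here rest on the same observation: an executable written over SMB from a host that does not normally push software, into an admin share or an autostart path, or under a non-executable file name. The following is an added example of that logic, not RevealX's implementation or ExtraHop code; the SMB write-event format, the baseline of "known pusher" hosts, and the sample events are all constructed:

```python
from collections import namedtuple
SmbWrite = namedtuple("SmbWrite", "ts src dst share path head")

# Constructed baseline: hosts that routinely push software over admin shares
# (a patch server, say). Any other source writing there counts as "new".
BASELINE_SOURCES = {"10.0.0.10"}
ADMIN_SHARES = {"ADMIN$", "C$"}
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".cpl"}
AUTOSTART_MARKER = "\\start menu\\programs\\startup\\"

# Constructed sample of SMB file-write metadata as a network sensor might record
# it: source, destination, share, path, and the first bytes written.
SAMPLE_WRITES = [
    SmbWrite("10:00:01", "10.0.0.10", "10.0.0.20", "C$",
             "\\Windows\\Temp\\agent_update.exe", b"MZ\x90\x00"),
    SmbWrite("10:04:17", "10.0.0.42", "10.0.0.20", "ADMIN$",
             "\\Temp\\svc.txt", b"MZ\x90\x00"),
    SmbWrite("10:05:30", "10.0.0.7", "10.0.0.30", "Finance",
             "\\Q1\\report.docx", b"PK\x03\x04"),
    SmbWrite("10:06:02", "10.0.0.42", "10.0.0.21", "C$",
             "\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\updater.exe",
             b"MZ\x90\x00"),
]

def classify_write(w, baseline=BASELINE_SOURCES):
    """Tag one SMB write; an empty list means nothing noteworthy."""
    tags = []
    ext = ("." + w.path.rsplit(".", 1)[-1].lower()) if "." in w.path else ""
    if w.head.startswith(b"MZ"):              # PE image, whatever the name says
        tags.append("executable_content")
        if ext not in PE_EXTENSIONS:
            tags.append("extension_mismatch")  # PE disguised as a document etc.
    if w.share.upper() in ADMIN_SHARES:
        tags.append("admin_share")
    if w.src not in baseline:
        tags.append("new_source_host")
    if AUTOSTART_MARKER in w.path.lower():
        tags.append("autostart_path")
    return tags

def alerts(writes, baseline=BASELINE_SOURCES):
    """(src, dst, path, tags) for executables from outside the baseline, landing
    in an autostart path, or hiding behind a non-executable extension."""
    out = []
    for w in writes:
        tags = classify_write(w, baseline)
        if "executable_content" in tags and {"new_source_host", "autostart_path",
                                             "extension_mismatch"} & set(tags):
            out.append((w.src, w.dst, w.path, tags))
    return out
```

The routine push from the baseline host is tagged but not alerted, which is the behavioral part: the same transfer is benign or suspicious depending on who sends it and where it lands.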
Impact
T1486 - Data Encrypted for Impact
RevealX detects encryption with the Ransomware Activity, Suspicious SMB/CIFS File Share Access, Kaseya VSA Activity, REvil Suspicious Connection (Kaseya Supply Chain), and Confirmed OnePercent Group Ransomware IOC detectors. Together these detectors offer multi-layered coverage against encryption by identifying cybercriminals exploiting vulnerabilities in data management systems, monitoring unauthorized access to SMB/CIFS shares, and tracking the activities of organized ransomware groups such as REvil and OnePercent Group.
T1490 - Inhibit System Recovery
Adversaries may delete built-in recovery data and disable services designed to help recover a corrupted system, in order to prevent recovery. ExtraHop detects inhibition of system recovery with the Kaseya VSA Activity and REvil Suspicious Connection (Kaseya Supply Chain) detectors.
The Kaseya VSA Activity detector monitors for exploitation of vulnerabilities in the Kaseya Virtual System Administrator (VSA) software and flags unusual system access or command execution, which can indicate an attacker infiltrating the system with malicious intent. The REvil Suspicious Connection (Kaseya Supply Chain) detector inspects network activity for connections to known command and control servers used by the REvil group, enabling quick identification and isolation of compromised systems if ransomware is transmitted and propagated through the software's update feature.
RevealX for Comprehensive Protection Against BlackCat Ransomware
With RevealX, you can worry less about having to cough up a $22 million ransom payment. Why? Because its unmatched decryption and machine learning capabilities, its speed, scale, and protocol fluency, combined with the breadth and depth of its rules-based and behavioral detectors, give your security team more than a dozen opportunities to stop BlackCat and other ransomware attacks before they paralyze your organization.
Have you observed BlackCat ransomware in your environment? Share threat hunting tips in RevealX on the ExtraHop Customer Community.