
BlackCat, also known as ALPHV, is a ransomware-as-a-service (RaaS) that emerged in late 2021 and quickly established itself as one of the most sophisticated and dangerous threats in the cyberattack landscape. Developed in Rust, which is relatively uncommon for malware, BlackCat introduced several technical innovations that make it a formidable adversary for organizations worldwide.
The main technical characteristics of the BlackCat ransomware
The first thing to know is that it is written in Rust, a high-performance, memory-safe language that ports easily between operating systems. This makes it considerably harder for security researchers to analyze than malware written in more traditional languages, which partly explains the damage it has already caused.
Methods of infection
The first method is the exploitation of vulnerabilities in exposed servers, which is the most common according to this French source, but it is not the only entry vector this ransomware uses. There is also the compromise of RDP (Remote Desktop Protocol) credentials, the use of other malware as an initial foothold (Qakbot, IcedID), and finally targeted phishing attacks against employees with privileged access.
Advanced attack techniques
The double extortion scheme combines encrypting the victim's data with threatening to publish it, while the triple extortion scheme adds DDoS attacks to put further pressure on victims.
It also uses sophisticated evasion techniques against antivirus solutions and deletes backups and snapshots to prevent recovery; it's all very well orchestrated.
Its organization and economic model
Firstly, its operational structure follows the RaaS (Ransomware-as-a-Service) model, which is quite common: a central team develops and maintains the malware.
Affiliates deploy the ransomware and share the profits, with the developers receiving between 20% and 40% of each ransom; here too, the whole system is organized to maximize profit.
Affiliations and origins
BlackCat is alleged to have links with the groups DarkSide and BlackMatter, and some researchers suspect connections with Russian-speaking actors, who are heavily involved in cyber threats. According to our information, several former REvil members have joined BlackCat.
The amount of the ransoms
If this ransomware is used, it is obviously for financial gain, and the sums involved are large: demands generally range from $400,000 to $3 million, adjusted according to the size and sector of the victim.
As usual, payments are made exclusively in cryptocurrencies (Bitcoin, Monero), which makes tracing very difficult or even impossible, especially with Monero.
How can we protect ourselves from it?
First, prevention is key, through regular updates of systems and applications, multi-factor authentication (MFA) on all critical access points, employee awareness training on phishing risks, and network segmentation to limit lateral spread.
Detection is also essential: active network monitoring to spot abnormal behavior, intrusion detection and prevention systems (IDS/IPS), and behavioral analysis to identify suspicious activity, coupled with centralized logging and event monitoring.
Finally, responding well to incidents is vital: regularly tested incident response plans, offline and immutable backups, documented and tested restoration procedures, and prepared communication with stakeholders (customers, authorities).
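To make the detection advice concrete, here is an added example (not code from the original article or from any vendor) of a small detector run over centralized logs. It looks for two behaviors the article attributes to BlackCat: deletion of volume snapshots before encryption, and bursts of failed logons that suggest credential guessing against exposed RDP. The log format, field names and every sample event are constructed assumptions for the demonstration, not real telemetry.

```python
"""Added example (not from the original article): scan centralized logs for
snapshot deletion and failed-logon bursts. Field names are assumed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command lines that delete backups/snapshots (textbook recovery-inhibition
# indicators); patterns are deliberately loose on flags and ordering.
SNAPSHOT_DELETION_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
]

# Constructed sample events (assumed schema: ts, host, user, type, cmd/src).
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T09:00:00", "host": "ws01", "user": "alice",
     "type": "process", "cmd": r"C:\Windows\System32\notepad.exe notes.txt"},
    {"ts": "2024-01-10T09:05:12", "host": "srv02", "user": "svc_backup",
     "type": "process", "cmd": "vssadmin.exe delete shadows"},
    {"ts": "2024-01-10T09:05:13", "host": "srv02", "user": "svc_backup",
     "type": "process", "cmd": "wmic.exe shadowcopy delete"},
    {"ts": "2024-01-10T09:05:20", "host": "srv02", "user": "svc_backup",
     "type": "process", "cmd": "vssadmin.exe list shadows"},  # benign
]
# Six failed logons against one host from one source inside 30 seconds.
SAMPLE_EVENTS += [
    {"ts": f"2024-01-10T08:30:{5 * i:02d}", "host": "srv03", "user": "bob",
     "type": "logon_failed", "src": "203.0.113.7"} for i in range(6)
]
# Two stray failures from another source hours apart: not a burst.
SAMPLE_EVENTS += [
    {"ts": "2024-01-10T07:00:00", "host": "srv03", "user": "carol",
     "type": "logon_failed", "src": "198.51.100.9"},
    {"ts": "2024-01-10T11:00:00", "host": "srv03", "user": "carol",
     "type": "logon_failed", "src": "198.51.100.9"},
]


def find_snapshot_deletions(events):
    """One alert per process event whose command line matches a pattern."""
    alerts = []
    for ev in events:
        if ev.get("type") != "process":
            continue
        if any(p.search(ev["cmd"]) for p in SNAPSHOT_DELETION_PATTERNS):
            alerts.append({"rule": "snapshot_deletion", "host": ev["host"],
                           "user": ev["user"], "cmd": ev["cmd"]})
    return alerts


def find_failed_logon_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """One alert per (host, src) pair whose densest sliding window of
    failed logons reaches `threshold` events within `window`."""
    per_pair = defaultdict(list)
    for ev in events:
        if ev.get("type") == "logon_failed":
            per_pair[(ev["host"], ev["src"])].append(
                datetime.fromisoformat(ev["ts"]))
    alerts = []
    for (host, src), times in per_pair.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append({"rule": "failed_logon_burst", "host": host,
                           "src": src, "count": best})
    return alerts


def detect(events):
    """Run every rule and return the combined alert list."""
    return find_snapshot_deletions(events) + find_failed_logon_bursts(events)


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

In practice these two rules would be fed from endpoint process-creation and Windows security logs shipped to the central log platform, and the snapshot-deletion rule in particular should page someone immediately: a legitimate backup job rarely deletes all shadow copies, and in a ransomware intrusion that step typically precedes encryption by minutes.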
