The FBI, chief investigating agency of the U.S., has triggered an alert concluding that more than 60 organizations worldwide have been a victim of the sophisticated ransomware attack by Blackcat also known as ALPHV/Noberus. The ransomware first came to light when the investigation revealed it to be the first ransomware using the memory-safe programming language RUST, known for its improved performance.
Many of the developers of Blackcat are linked with more popular ransomware groups Darkside and Blackmatter who large groups with the experience to carry out operations with a well-established network to support logistics. The advantage of using the RUST programming language renders a very low detection ratio among Antivirus vendors since most static analysis tools aren’t well adapted to the new programming language.
Like other RaaS groups, the motive behind the development of Blackcat/ALPHV ransomware involves data theft, before executing any ransom activities, by leveraging user credentials to gain access to the target system. Initial analysis by Vedere Labs, reveals two distinct exploitations
Blackcat/ALPHV, alongside Conti and LockBit are currently designated by FBI to be most dangerous and active ransomware groups. It is important to watch out for any Indicators of its existence. A few of the IOCs are listed below:
PowerShell Scripts |
|
|---|---|
| Filename | MD5 Hash |
| amd – Copy.ps1 | 861738dd15eb7fb50568f0e39a69e107 |
| ipscan.ps1 | 9f60dd752e7692a2f5c758de4eab3e6f |
| Run1.ps1 | 09bc47d7bc5e40d40d9729cec5e39d73 |
Additional File Names |
|
| [###].ps1, CME.ps1, [#].ps1, Run1.ps1, mim.ps1, [##].ps1, psexec.ps1, Systems.ps1, System.ps1 | |
Batch Scripts |
|
| CheckVuln.bat | f5ef5142f044b94ac5010fd883c09aa7 |
| Create-share-RunAsAdmin.bat | 84e3b5fe3863d25bb72e25b10760e861 |
| LPE-Exploit-RunAsUser.bat | 9f2309285e8a8471fce7330fcade8619 |
| RCE-Exploit-RunAsUser.bat | 6c6c46bdac6713c94debbd454d34efd9 |
| est.bat | e7ee8ea6fb7530d1d904cdb2d9745899 |
| runav.bat | 815bb1b0c5f0f35f064c55a1b640fca5 |
Executables and DLLs |
|
| http_x64.exe | 6c2874169fdfb30846fe7ffe34635bdb |
| spider.dll | 20855475d20d252dda21287264a6d860 |
| spider_32.dll | 82db4c04f5dcda3bfcd75357adf98228 |
| powershell.dll | fcf3a6eeb9f836315954dae03459716d |
| rpcdump.exe | 91625f7f5d590534949ebe08cc728380 |
| mimikatz.exe (SHA1 Hash) | d241df7b9d2ec0b8194751cd5ce153e27cc40fa4 |
| run.exe (SHA1 Hash) | 4831c1b113df21360ef68c450b5fca278d08fae2 |
| zakrep_plink.exe (SHA1 Hash) | fce13da5592e9e120777d82d27e06ed2b44918cf |
| beacon.exe (SHA1 Hash) | 3f85f03d33b9fe25bcfac611182da4ab7f06a442 |
| win1999.exe (SHA1 Hash) | 37178dfaccbc371a04133d26a55127cf4d4382f8 |
| [compromised company].exe (SHA1 Hash) | 1b2a30776df64fbd7299bd588e21573891dcecbe |
Additional File Names |
|
| test.exe, xxx.exe, Mim.exe, xxxw.exe, Services.exe, plink.exe, crackmapexec.exe, Systems.exe, PsExec64.exe | |
BlackCat Ransomware SHA1 Hashes |
|
731adcf2d7fb61a8335e23dbee2436249e5d5753977ec465754c6b699e9bf161f837f1cd60e9941aa60f7be50a8f2aaaac380f560db8ee001408f35c1b7a97cb731adcf2d7fb61a8335e23dbee2436249e5d5753977ec465754c6b699e9bf16180dd44226f60ba5403745ba9d18490eb8ca12dbc9be0a317dd2b692ec041da28 |
|
C2C IP’s |
|
| 89.44.9.243, 142.234.157.246, 45.134.20.66, 185.220.102.253, 37.120.238.58, 152.89.247.207, 198.144.121.93, 89.163.252.230, 45.153.160.140, 23.106.223.97, 139.60.161.161, 146.0.77.15, 94.232.41.155 | |
While it is essential for an organization to look out for IOCs to check if they have been already attacked by ransomware, it is also necessary to, at a minimum, follow the steps below to protect your organization from such sophisticated attacks.
Subscribe to the Versa Blog
Gartner Research Report
Trial
ROI
Contact