BlackCat Threat Guide

Kenisha Liu

Mar 23, 2024

Latest headline: The BlackCat ransomware operation claimed its latest attack against UnitedHealth Group and its subsidiary Change Healthcare.
The cyberattack disrupted prescription processing across the U.S. and is believed to have compromised protected health information (PHI). It prompted the Department of Health and Human Services' Office for Civil Rights (OCR) to open an investigation into UnitedHealth Group. BlackCat claims to have stolen 6 TB of data and to have received a $22 million ransom payment from Optum, another UnitedHealth Group unit.
Key points:
  • Reemerged Dec 18th 2022
  • Allegedly stole 6 TB of data
  • Received a $22 million ransom from a UnitedHealth Group unit
  • 341 IOCs as of publication

Fletch is constantly monitoring the threat landscape. The data in this guide is current as of publication. Check out BlackCat’s Threat Board for any updates or join the waitlist to be in the know for every threat.

 

BlackCat ransomware summary

The BlackCat threat group, or ALPHV, has quickly become a significant player in the cyber threat landscape since its emergence in November 2021. The group runs a Ransomware-as-a-Service (RaaS) model, where they provide the tools and infrastructure for others to carry out ransomware attacks in exchange for a cut of the profits. BlackCat has been linked to the notorious ransomware groups BlackMatter and DarkSide, suggesting a continuation or evolution of these earlier threats.
  • Severity: Loud Chatter 
  • Maturity: Mainstream
  • IOCs: 324 Malware hashes and 17 vulnerabilities
  • Targets: 43 tech targets, 45 industry targets, and 119 geo targets


Learn more about Fletch’s metrics in the Fletch Help Center.

BlackCat ransomware victims and motivations

BlackCat stands out as one of the first ransomware families written in Rust, a language known for its memory safety and performance. Because Rust compiles to native code for multiple platforms, the operators can build variants for both Windows and Linux-based systems from one codebase, and Rust binaries are harder to dissect with tooling and signatures tuned to C/C++ malware, including in sandbox testing environments.
Their campaigns use what is called "triple extortion": a ransom to decrypt the encrypted files, a second ransom to keep the stolen data private, and a third to stop denial-of-service attacks against the victim.
BlackCat has targeted a variety of organizations worldwide. It has no specific victimization pattern, instead choosing targets based on opportunity, which points to financial gain rather than any particular agenda. High-profile victims include major companies in the gaming and hospitality industry, such as MGM Resorts International and Caesars Entertainment, as well as healthcare companies such as Change Healthcare, a unit of UnitedHealth Group. The impact of these attacks has been substantial, costing affected organizations exorbitant amounts of money, including the reported $22 million ransom payment from Optum, another UnitedHealth Group unit.


BlackCat Ransomware Tactics

BlackCat's success stems from its sophisticated capabilities. It can bypass User Account Control (UAC), enumerate the devices and domains on a network, and propagate across that network on its own.
BlackCat is also good at spoiling recovery efforts. It deletes the volume shadow copies that could otherwise be used to restore files and modifies the boot configuration, so that affected machines can no longer start up or recover normally.
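The recovery-sabotage behaviour described above is one of the most reliable things to detect, because the commands involved are rarely used legitimately in combination. The following Python script is an added example for this guide; it is not Fletch's code and nothing in it is taken from a BlackCat sample. It runs a few generic command-line rules over constructed process-creation events (shaped like Sysmon Event ID 1 or Windows 4688 records exported as JSON, with only the `cmd` field inspected) and escalates when one host triggers two or more distinct rules inside a ten-minute window. The hostnames, usernames, paths and timestamps are invented; the commands matched are the well-known generic ways of deleting shadow copies and disabling boot recovery, not a claim about what any particular BlackCat build runs.

```python
"""Detect recovery-inhibition commands (MITRE ATT&CK T1490) in
process-creation telemetry.

Added example for this guide, not Fletch's code and not a BlackCat artifact.
The events below are constructed in the shape of Sysmon Event ID 1 /
Windows 4688 records exported as JSON; only the "cmd" field is inspected.
"""
import json
import re
from datetime import datetime, timedelta

# Generic rules for the common ways ransomware deletes volume shadow copies
# or disables boot recovery. They are not tied to any particular sample.
RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("powershell_win32_shadowcopy",
     re.compile(r"Win32_ShadowCopy", re.I)),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no"
                r"|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("wbadmin_delete_catalog",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
]

# Constructed sample telemetry: hosts, users, paths and times are invented.
SVCHOST = r"C:\Windows\System32\svchost.exe"
DROPPER = r"C:\Users\jdoe\AppData\Local\Temp\update.exe"   # invented parent
SAMPLE_EVENTS = [
    {"ts": ts, "host": host, "user": user, "parent": parent, "cmd": cmd}
    for ts, host, user, parent, cmd in [
        ("2024-03-20T09:12:01Z", "FS01", r"CORP\svc_backup", SVCHOST,
         "vssadmin.exe list shadows"),                       # benign: read-only
        ("2024-03-20T09:14:44Z", "FS01", r"CORP\jdoe", DROPPER,
         "vssadmin.exe Delete Shadows /all /quiet"),
        ("2024-03-20T09:15:02Z", "FS01", r"CORP\jdoe", DROPPER,
         "bcdedit /set {default} recoveryenabled No"),
        ("2024-03-20T09:15:05Z", "FS01", r"CORP\jdoe", DROPPER,
         "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
        ("2024-03-20T09:15:30Z", "FS01", r"CORP\jdoe", DROPPER,
         'powershell -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"'),
        ("2024-03-20T09:16:10Z", "FS01", r"CORP\jdoe", DROPPER,
         "wbadmin delete catalog -quiet"),
        ("2024-03-20T09:40:12Z", "WS07", r"CORP\itadmin", r"C:\Windows\System32\cmd.exe",
         "wmic shadowcopy delete"),                           # lone hit, lower priority
    ]
]


def classify(cmdline):
    """Names of every rule the command line matches (empty list if none)."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def _parse_ts(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def scan(events, window=timedelta(minutes=10)):
    """Run the rules over process-creation events and return (hits, chains).

    `hits` holds one record per matching event. `chains` lists hosts on which
    two or more distinct rules fired within `window`; that combination is the
    signal to page on, since a single shadow-copy deletion can be admin work.
    """
    hits = []
    for ev in events:
        for rule in classify(ev["cmd"]):
            hits.append({"rule": rule, **ev})
    by_host = {}
    for h in hits:
        by_host.setdefault(h["host"], []).append(h)
    chains = []
    for host, host_hits in by_host.items():
        host_hits.sort(key=lambda h: h["ts"])          # ISO timestamps sort lexically
        for i, first in enumerate(host_hits):
            t0 = _parse_ts(first["ts"])
            rules = {first["rule"]}
            for later in host_hits[i + 1:]:
                if _parse_ts(later["ts"]) - t0 > window:
                    break
                rules.add(later["rule"])
            if len(rules) >= 2:
                chains.append({"host": host, "start": first["ts"],
                               "parent": first["parent"], "rules": sorted(rules)})
                break                                   # one alert per host is enough
    return hits, chains


if __name__ == "__main__":
    found, alerts = scan(SAMPLE_EVENTS)
    print(json.dumps({"hits": found, "chains": alerts}, indent=2))
```

A single match, like the lone `wmic shadowcopy delete` on WS07 in the sample, is worth recording because administrators do occasionally clear shadow copies by hand. A chain of distinct recovery-inhibition commands from one host within a few minutes, especially when the parent process lives in a user-writable directory, is the pattern that should page someone immediately, and the same rules translate directly into EDR or SIEM queries.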
BlackCat uses several techniques to avoid detection. One is junk code: meaningless instructions inserted to obscure the program's real logic, which makes the binary harder to analyze both for researchers dissecting it and for antivirus engines trying to match it. Another is encrypted strings, which keep important values such as configuration data and command lines out of reach of static string scanning until the malware decrypts them at runtime.
Apart from the ransomware itself, BlackCat affiliates have been observed using other malicious tools and techniques. They have employed the Emotet botnet malware and a Log4j exploitation tool ("Log4J Auto Expl") to gain initial access to networks. Once inside, they have used ExMatter to exfiltrate data and Cobalt Strike Beacons for follow-on intrusion activity, such as further reconnaissance, data theft, or expanding their control over the compromised environment.


Mitigation advice

If a Fletch customer had the BlackCat-related vulnerabilities identified through SSO or other endpoint logs, they would have had 4 days' notice, with detailed information as well as a Beta AI advice feature on how to protect and harden their systems.
At the time of publication this was the mitigation advice against BlackCat:
Short-Term:
  1. Implement FIDO-based multi-factor authentication (MFA) for all employees
  2. Use network monitoring to identify abnormal activity
  3. Use email scanning to eliminate malicious content before it reaches employees
  4. Ensure endpoint protection is up-to-date and active on all devices
Long-Term:
  1. Regularly conduct security awareness training for employees, focusing on social engineering and phishing attacks
  2. Continuously update and enforce security policies and procedures
  3. Establish a strong security culture within the organization
  4. Regularly assess and update network and endpoint security measures


You can check out the most recent mitigation measures by creating a workspace when you join the Fletch waitlist.


Communication 

On top of mitigation advice, Fletch also provides Beta AI-generated communications so you can educate your different company stakeholders. At the time of publication, these were the recommended messages for the following audiences:
For employees:
For customers:
 

For more templates for your different stakeholders, create a workspace when you join the Fletch waitlist.


Takeaway

BlackCat is just one example of an ever-evolving threat that requires in-depth cyber intelligence to stay on top of. Fletch helps you keep track of, and prioritize, them all.
As the de facto record on the threat landscape, our AI engine constantly scans and indexes that landscape for you so you can plug the gaps in your security. You can use Fletch to prioritize your alerts, detect threats to your tech and people early, or simply to become an instant expert on any threat at any time.


Learn more about Fletch’s threat intelligence or join the waitlist and try it for yourself.


See how much time you can save

Fletch surfaces the 5% of threats that matter to you right now. You’ll have every detail about the threat, what to do about it and what to say. 

Get API access
