A new ransomware-as-a-service player has been detected by Recorded Future and MalwareHunterTeam on two underground forums. Known as ALPHV and BlackCat, the ransomware group is the first to use Rust, The Record reported. This is the third ransomware strain to be coded in Rust, with the other two being experimental.
BlackCat (ALPHV) Ransomware-as-a-Service
BlackCat has already been used in actual attacks, with approximately companies in its list of victims. It appears that the ransomware has been developed and deployed by a professional cybercrime group, the researchers said. Recorded Future even said that BlackCat’s author was previously involved with the REvil gang.
BlackCat (ALPHV) has been following REvil’s model, and is now advertised as a ransomware-as-a-service on two popular underground forums – XSS and Exploit. Potential buyers (“affiliates”) are invited to join BlackCat’s ransomware family in attacks against large companies.
What Features Does BlackCat Ransomware Have?
Advertised features include the ability to encrypt data on Windows, Linux, and VMware ESXi systems. The RaaS also promises affiliates between 80% and 90% of the paid ransom, depending on the sum paid by the victims. Only a small number of victims have been identified so far, MalwareHunterTeam said.
The initial vector of the attacks is also unknown. However, the researchers were able to determine that the ransomware operators locate and steal sensitive files from breached systems, and then proceed to encrypt files on local systems. Not surprisingly, double extortion is also part of the attacks against large companies, as BlackCat threatens to release the sensitive data on leak sites it operates.
Michael Gillespie has already said that BlackCat is very sophisticated in a tweet he recently shared:
Analyzed another sample of this not too long ago, but couldn’t talk about it due to client confidentiality… uses AES128-CTR and RSA-2048, is secure. Filemarker 19 47 B7 4D at EOF and before the encrypted key, which is JSON with some settings. Very sophisticated ransomware.
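The file marker quoted in the tweet gives incident responders a quick way to triage which files on a volume were touched. The Python script below is an added example, not code from the original article or from Gillespie: it flags files whose last four bytes are 19 47 B7 4D and counts how often the marker appears near the end of the file. The 4 KiB tail window, the file names and the sample file contents are assumptions constructed for the demo.

```python
import os
import tempfile
from pathlib import Path

MARKER = bytes.fromhex("1947B74D")  # file marker quoted in the tweet above
TAIL_WINDOW = 4096                  # assumption: how far back to look for a second marker


def check_tail(path):
    """Return (ends_with_marker, marker_count_in_tail) for one file."""
    size = os.path.getsize(path)
    if size < len(MARKER):
        return False, 0
    with open(path, "rb") as fh:
        fh.seek(max(0, size - TAIL_WINDOW))
        tail = fh.read()
    return tail.endswith(MARKER), tail.count(MARKER)


def scan_tree(root):
    """Walk root and return (path, count) for files whose last four bytes are the marker."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            try:
                at_eof, count = check_tail(full)
            except OSError:
                continue  # unreadable or vanished file: skip it, keep scanning
            if at_eof:
                hits.append((str(full), count))
    return sorted(hits)


def demo():
    """Build constructed sample files (not real samples) and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed layout: data, marker, placeholder blob, marker at EOF.
        (root / "report.docx.locked").write_bytes(
            b"\x00" * 64 + MARKER + b'{"placeholder": true}' + MARKER)
        (root / "notes.txt").write_bytes(b"plain text, no marker\n")
        (root / "mid.bin").write_bytes(MARKER + b"marker not at EOF")
        (root / "tiny").write_bytes(b"\x19")  # shorter than the marker
        return [(Path(p).name, n) for p, n in scan_tree(root)]


if __name__ == "__main__":
    print(demo())
```

A four-byte match is a triage hint to be confirmed against other evidence, since unrelated files can end in the same bytes by chance.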
Other criminal groups, such as BuerLoader and FickerStealer, are also moving to the Rust programming language, which is considered more secure than C and C++.