Analysts from Recorded Future and MalwareHunterTeam have discovered the ransomware ALPHV (aka BlackCat). The ransomware executable is written in Rust, which is not typical of malware, but the approach is gradually gaining popularity among cybercriminals because of the language's high performance and memory safety.
There is a very interesting new Rust coded ransomware (first ITW?), BlackCat.
Another one used to encrypt companies’ networks.
Already seen some victims from different countries, from the second half of past November.
Also look at that UI. Back to ’80s?
😂@demonslay335 @VK_Intel pic.twitter.com/YttzWWUD3c
– MalwareHunterTeam (@malwrhunterteam) December 8, 2021
The malware developers themselves call it ALPHV and actively promote it on Russian-language hacking forums. However, because the cybercriminals' website uses an icon depicting a black cat, the researchers dubbed the malware BlackCat.
Technically, this is already the third ransomware written in Rust: in 2020 a PoC malware of this kind was published on GitHub, and a non-working ransomware from BadBeeTeam was spotted in the same year… However, the researchers write that, against that background, ALPHV (BlackCat) looks like the first professional RaaS malware aimed at corporate intrusion and device encryption. In a recent tweet, the well-known cybersecurity specialist and Emsisoft analyst Michael Gillespie described BlackCat as a "very complex" ransomware.
According to Recorded Future experts, the creator of ALPHV (BlackCat) was previously a member of the well-known hacker group REvil. Since early December, this person (known as ALPHV) has been promoting the RaaS on underground forums (XSS and Exploit), inviting other criminals to join ransomware attacks against large companies. The attacker claims that the malware can encrypt data on systems running Windows, Linux and VMware ESXi, and that partners will receive 80% to 90% of the final ransom, depending on the total amount received from the victims.
So far, experts do not know exactly how the malware penetrates victims' systems, but like most other ransomware groups, the ALPHV (BlackCat) operators engage in double extortion. That is, before encrypting files, the hackers look for confidential data on the victim's network, steal it, and then demand a ransom, threatening otherwise to publish the stolen data publicly (or sell it to interested parties).
Currently, the group appears to be running several "leak sites" at once, each of which stores the data of one or two victims. A screenshot of one of these sites can be seen below. It looks like these sites are hosted by the group's partners themselves, which explains the different URLs.
The publication Bleeping Computer reports that since November 2021, many companies in the USA, Australia and India have become victims of this ransomware. The journalists' own sources say the ransom size ranges from $400,000 to $3,000,000 (in Bitcoin or Monero). If victims pay with Bitcoin, an additional 15% commission is added to the ransom.