FYI: There's another BlackCat ransomware variant on the prowl

Here's a heads up. Another version of BlackCat ransomware has been spotted extorting victims. This variant embeds two tools, we're told: the network toolkit Impacket for lateral movement within compromised environments, and Remcom for remote code execution.

BlackCat, also known as AlphaV, is a notorious ransomware crew whose affiliates lately have taken to compromising hospitals and medical clinics, stealing medical records, and demanding a ransom to keep that information under wraps. Many of these healthcare orgs would rather pay up than face lawsuits from patients when their protected files are leaked or sold online by the extortionists over non-payment.

The BlackCat malware works on Windows and Linux, and is rented out to criminals, who break into targets and run the data-stealing malware, making it a ransomware-as-a-service operation. Under this business model, the affiliates pay to use the malware developed by operators in their attacks, and then the affiliates earn a cut of the proceeds if the victims pay the ransoms.  

For BlackCat affiliates, that reportedly translates to between 80 and 90 percent of the amount paid, we're told.

This particular extortion operation was first seen in the criminal underground in 2021, and it was noteworthy because it was one of the first ransomware strains to be written in Rust. Since then, it's been updated, with operators adding features and improvements.

And in a series of social media posts on Thursday, the Microsoft Threat Intelligence team said they spotted a new version being used by a BlackCat affiliate in July.

• Barts NHS hack leaves folks on tenterhooks over extortion
• Now BlackCat extortionists threaten to leak stolen plastic surgery pics
• Reddit confirms BlackCat gang pinched some data
• FBI: BlackCat ransomware scratched 60-plus orgs

It seems the version Redmond has analyzed is the Sphynx version of BlackCat ransomware that the eggheads at IBM Security X-Force and VX-Underground have been warning about since the spring.

VX-U is confident the BlackCat strain it flagged up in April is the same one the Azure titan is now talking about.

Impacket + Remcom

The new version, according to Microsoft, uses Impacket, a freely available collection of Python code for working with network protocols.

This tool allows miscreants to move laterally across the network, and "has credential dumping and remote service execution modules that could be used for broad deployment of the BlackCat ransomware in target environments," the Windows giant said.

Additionally, this BlackCat version also has Remcom, which allows attackers to execute code and copy files on remote systems, embedded in the executable, we're told.

"The file also contains hardcoded compromised target credentials that actors use for lateral movement and further ransomware deployment."

While Microsoft doesn't say what July intrusions used this new version of BlackCat, one of the gang's affiliates did break into Barts Health NHS Trust, one of the UK's largest hospital groups, that month.

That infection followed one in June at California's Beverly Hills Plastic Surgery, during which crooks claimed to steal personal information and healthcare records, "including a lot of pictures of patients that they woud [sic] not want out there." ®