FYI: There's another BlackCat ransomware variant on the prowl

Bad kitty, no catnip for you

Here's a heads up. Another version of BlackCat ransomware has been spotted extorting victims. This variant embeds two tools, we're told: the network toolkit Impacket for lateral movement within compromised environments, and Remcom for remote code execution.

BlackCat, also known as AlphaV, is a notorious ransomware crew whose affiliates lately have taken to compromising hospitals and medical clinics, stealing medical records, and demanding a ransom to keep that information under wraps. Many of these healthcare orgs would rather pay up than face lawsuits from patients when their protected files are leaked or sold online by the extortionists over non-payment.

The BlackCat malware works on Windows and Linux, and is rented out to criminals, who break into targets and run the data-stealing malware, making it a ransomware-as-a-service operation. Under this business model, the affiliates pay to use the malware developed by operators in their attacks, and then the affiliates earn a cut of the proceeds if the victims pay the ransoms.  

For BlackCat affiliates, that reportedly translates to between 80 and 90 percent of the amount paid, we're told.

This particular extortion operation was first seen in the criminal underground in 2021, and it was noteworthy because it was one of the first ransomware strains to be written in Rust. Since then, it's been updated, with operators adding features and improvements.

And in a series of social media posts on Thursday, the Microsoft Threat Intelligence team said they spotted a new version being used by a BlackCat affiliate in July.

It seems the version Redmond has analyzed is the Sphynx version of BlackCat ransomware that the eggheads at IBM Security X-Force and VX-Underground have been warning about since the spring.

VX-U is confident the BlackCat strain it flagged up in April is the same one the Azure titan is now talking about.

Impacket + Remcom

The new version, according to Microsoft, uses Impacket, a freely available collection of Python code for working with network protocols.

This tool allows miscreants to move laterally across the network, and "has credential dumping and remote service execution modules that could be used for broad deployment of the BlackCat ransomware in target environments," the Windows giant said.

Additionally, this BlackCat version also has Remcom, which allows attackers to execute code and copy files on remote systems, embedded in the executable, we're told.

"The file also contains hardcoded compromised target credentials that actors use for lateral movement and further ransomware deployment."

While Microsoft doesn't say what July intrusions used this new version of BlackCat, one of the gang's affiliates did break into Barts Health NHS Trust, one of the UK's largest hospital groups, that month.

That infection followed one in June at California's Beverly Hills Plastic Surgery, during which crooks claimed to steal personal information and healthcare records, "including a lot of pictures of patients that they woud [sic] not want out there." ®

Send us news
Post a comment

Scores of US credit unions offline after ransomware infects backend cloud outfit

Supply chain attacks: The gift that keeps on giving

Another month, another bunch of fixes for Microsoft security bugs exploited in the wild

Plus: VMware closes critical hole, Adobe fixes a whopping 76 flaws

Leader of pro-Russia DDoS crew Killnet 'unmasked' by Russian state media

Also: NXP China attack, Australia can't deliver on ransom payment ban (yet), and Justin Sun's very bad month

Microsoft's bug bounty turns 10. Are these kinds of rewards making code more secure?

Katie Moussouris, who pioneered Redmond's program, says folks are focusing on the wrong thing

Uncle Sam probes cyberattack on Pennsylvania water system by suspected Iranian crew

CISA calls for stronger IT defenses as Texas district also hit by ransomware crew

Industry piles in on North Korea for sustained rampage on software supply chains

Kim’s cyber cronies becoming more active, sophisticated in attempts to pwn global orgs

Black Basta ransomware operation nets over $100M from victims in less than two years

Assumed Conti offshoot averages 7 figures for each successful attack but may have issues with, er, 'closing deals'

Clorox CISO flushes self after multimillion-dollar cyberattack

Plus: Ransomware crooks file SEC complaint against victim

Europol shutters ransomware operation with kingpin arrests

A few low-level stragglers remain on the loose, but biggest fish have been hooked

How to give Windows Hello the finger and login as someone on their stolen laptop

Not that we're encouraging anyone to defeat this fingerprint authentication

Google submits complaints about Microsoft licensing to UK competition regulator

Now Microsoft has regulator breathing down its neck in three regions

Rhysida ransomware gang: We attacked the British Library

Crims post passport scans and internal forms up for 'auction' to prove it