Not so lucky: BlackCat is back! 

Authors: Alex Jessop @ThisIsFineChief , Molly Dewis 

While the main trend in the cyber threat landscape in recent months has been MoveIt and Cl0p, NCC Groups’ Cyber Incident Response Team have also been handling multiple different ransomware groups over the same period.  

In the ever-evolving cybersecurity landscape, one consistent trend witnessed in recent years is the unsettling rise in ransomware attacks. These nefarious acts of digital extortion have left countless victims scrambling to safeguard their data, resources, and even their livelihoods. To counter this threat, every person in the cyber security theatre has a responsibility to shine light on current threat actor Tactics, Techniques and Procedures (TTP’S) to assist in improving defences and the overall threat landscape. 

 This series will  focus on TTP’s deployed by four ransomware families recently observed during NCC Group’s incident response engagements. The ransomware families that will be explored are: 

1. BlackCat – Also known as ALPHV, first observed in 2021, is a Ransomware-as-a-Service (Raas) often using the double extortion method for monetary gain.  

2. Donut –The D0nut extortion group was first reported in August 2022 [1] for breaching networks and demanding ransoms in return for not leaking stolen data. A few months later, reports of the group utilizing encryption as well as data exfiltration were released with speculation that the ransomware deployed by the group was linked to HelloXD ransomware [2]. There is also suspected links between D0nut affiliates and both Hive and Ragnar Locker ransomware operations.  

3. Medusa – Not to be confused with MedusaLocker, Medusa was first observed in 2021, is a Ransomware-as-a-Service (RaaS) often using the double extortion method for monetary gain. In 2023 the groups’ activity increased with the launch of the ‘Medusa Blog’. This platform serves as a tool for leaking data belonging to victims. 

4. NoEscape – At the end of May 2023, a newly emerged Ransomware-as-a-Service (RaaS) was observed on a cybercrime forum named NoEscape. 

Join us as we delve into the inner workings of these ransomware families, gaining a  better understanding of their motivations, attack vectors and TTPS. 

To begin our deep dive we will start with…  

Not so lucky: BlackCat is back! 

Summary

This first post will delve into a recent incident response engagement handled by NCC Group’s Cyber Incident Response Team (CIRT) involving BlackCat Ransomware.  

Below provides a summary of findings which are presented in this blog post: 

• Installation of various services. 
• Creation of new accounts. 
• Modification and deletion activity.  
• Credential dumping activity. 
• Use of remote access applications. 
• Data staging. 
• Presence of MEGAsync.  
• Analysis of the ransomware executable.

BlackCat

BlackCat ransomware, also known as ALPHV, is a Rust-based variant that was first seen in November 2021. BlackCat has been provided as a ransomware-as-a-service (RaaS) model and is an example of a double-extortion ransomware where data once encrypted, is exfiltrated and the victim is threatened to have their data published if the ransom is not paid [1]. The group behind BlackCat ransomware can be characterised as financially motivated. BlackCat ransomware targets no specific industry and has the capability to encrypt both Windows and Linux hosts. BlackCat ransomware uses AES to encrypt files or ChaCha20 if AES is not supported due to the hardware of the system [4].  

Incident Overview  

In this incident, the initial access vector was unknown. Prior to the execution of the ransomware, a wide variety of activity was observed such as the installation of new services, creation of new accounts and data staging. Data was believed to have been exfiltrated due to the techniques employed, however, no data was published to the leak site.  

Mitre TTPs  

Execution 

The threat actor installed various new services: 

• Total Software Deployment Audit Service 
• HWiNFO Kernel Driver 
• ScreenConnect Client 
• PSEXESVC 
• AteraAgent 
• WinRing0_1_2_0 
• Splashtop® Remote Service

Additionally, BlackCat ransomware uses wmic.exe Shadowcopy Deleteshadow_copy to delete shadow copies.  

Persistence 

Maintaining access to the victim’s environment was achieved by the threat actor creating a new Administrator account and a new default admin user, azure.  

Additionally, a Total Software Deployment Audit Service Windows service was installed (see below); likely to maintain persistence on the affected host. Total Software Deployment supports group deployment, maintenance, and uninstallation of software packages. BlackCat ransomware is known to use Total Software Deployment [3]. 

{“EventData”:{“Data”:[{“@Name”:”ServiceName”,”#text”:”Total Software Deployment Audit Service”},{“@Name”:”ImagePath”,”#text”:”\”%SystemRoot%\\TNIWINAGENT\\tniwinagent.exe\” /service /ip:<IP ADDRESS> /login:\”current\” /driver:2″},{“@Name”:”ServiceType”,”#text”:”user mode service”},{“@Name”:”StartType”,”#text”:”demand start”},{“@Name”:”AccountName”,”#text”:”LocalSystem”}]}} 

Defence Evasion 

The threat actor utilised various techniques to hide their tracks and evade detection: 

• Using an already existing administrator account to clear the following log files: 
  • System 
  • Windows PowerShell 
  • WitnessClientAdmin 
• The ransomware payload, min.exe, used wevtutil.exe cl. 
• Deleting the ransomware executable from C:\Users\azure\Desktop\min.exe. 
• The ransomware payload, min.exe, had the capability to add this registry key to maintain persistence: 
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters.
• The ransomware payload, min.exe, using fsutil behavior set SymlinkEvaluation R2R:1 to redirect file system access to a different location once access to the network is gained.

Credential Access 

Various techniques to gather credentials were employed by the threat actor.  

Due to the presence of Veeam in the victim’s environment, C:\PerfLogs\Veeam-Get-Creds.ps1 below was leveraged to recover passwords used by Veeam to connect to remote hosts.  

# About:  The script is designed to recover passwords used by Veeam to connect #         to remote hosts vSphere, Hyper-V, etc. The script is intended for  #         demonstration and academic purposes. Use with permission from the  #         system owner. # # Author: Konstantin Burov. # # Usage:  Run as administrator (elevated) in PowerShell on a host in a Veeam  #         server.  Add-Type -assembly System.Security  #Searching for connection parameters in the registry try {  $VeaamRegPath = "HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication\"  $SqlDatabaseName = (Get-ItemProperty -Path $VeaamRegPath -ErrorAction Stop).SqlDatabaseName   $SqlInstanceName = (Get-ItemProperty -Path $VeaamRegPath -ErrorAction Stop).SqlInstanceName  $SqlServerName = (Get-ItemProperty -Path $VeaamRegPath -ErrorAction Stop).SqlServerName } catch {  echo "Can't find Veeam on localhost, try running as Administrator"  exit -1 }  "" "Found Veeam DB on " + $SqlServerName + "\" + $SqlInstanceName + "@ 

{  $EnryptedPWD = [Convert]::FromBase64String($_.password)  $ClearPWD = [System.Security.Cryptography.ProtectedData]::Unprotect( $EnryptedPWD, $null, [System.Security.Cryptography.DataProtectionScope]::LocalMachine )  $enc = [system.text.encoding]::Default  $_.password = $enc.GetString($ClearPWD) } 

Additionally, the threat actor used ScreenConnect to transfer Mimikatz to a compromised host (see below).  

{"EventData":{"Data":"Transferred files with action 'Transfer':\nmimikatz.exe\n\nVersion: 23.4.5.8571\nExecutable Path: C:\\Program Files (x86)\\ScreenConnect Client (7d2615d1049a2b63)\\ScreenConnect.ClientService.exe\n","Binary":""}} 

Events like the above and any others related to ScreenConnect activity can be found in Application.evtx.  

Subsequently, evidence of a file named mimikatz.log was observed. It is highly likely Mimikatz was leveraged by the threat actor to harvest credentials.  

Finally, it is likely the threat actor enumerated C:\Windows\NTDS\ntds.dit as the following files were created: 1.txt.ntds, 1.txt.ntds.kerberos, 1.txt.ntds.cleartext. These files are from using Impacket [5].  

Discovery 

The threat actor used ScreenConnect to execute commands like ping <HOST NAME>.<DOMAIN NAME>.local. In some instances, the commands executed were not specified (see below) but a length of 33 can mean commands have been manually executed.  

{"EventData":{"Data":"Executed command of length: 33\n\nVersion: 23.4.5.8571\nExecutable Path: C:\\Program Files (x86)\\ScreenConnect Client (1b70ca7b560918ec)\\ScreenConnect.ClientService.exe\n","Binary":""}} 

At the same time on another host, net.exe and net1.exe were executed. As net is often used by threat actors to gather system and network information, it is possible ScreenConnect was used to gather this type of information.   

Analysis of the ransomware executable min.exe found that the UUID was obtained using: wmic csproduct get UUID. 

Lateral Movement 

The threat actor executed PsExec.exe. BlackCat has been known to use PsExec to replicate itself across connected servers [6].  

Collection 

Data staging was conducted by the threat actor as multiple .zip files were created that are believed to have been exfiltrated.  

Additionally, one of the accounts compromised by the threat actor executed WinRAR. Across the time period of interest, folders on multiple drives were modified; the threat actor potentially accessed these folders.  

Command and Control 

Remote access applications, particularly ScreenConnect, were heavily utilised by the threat actor. ScreenConnect was used to start remote sessions, execute commands and transfer files. The threat actor transferred the following files: mimikatz.exe, MEGAsyncSetup64.exe, tsd-setup.exe, 121.msi* and 212.msi*.  

*Note: Could not be recovered for analysis.   

Atera and Splashtop were also observed: 

• c:\program files (x86)\atera networks\ateraagent\ateraagent.exe. 
• Services: AteraAgent and WinRing0_1_2_0  
• C:\Windows\Temp\SplashtopStreamer.exe

Atera is used for remote monitoring and management and the Atera Agent is required for hosts to be monitored. It is likely Atera was used for persistence.  

Splashtop allows hosts to be remotely accessed and was likely used for persistence especially as the Splashtop® Remote Service was observed going online. Splashtop events are also located in Application.evtx.  

Exfiltration 

Data staging was observed as a technique used by the threat actor. Multiple .zip files were created at the same time within C:\PerfLogs. It is believed these .zip files were exfiltrated.  

For one of the compromised accounts, WinRAR was observed C:\Users\<USER>\Desktop\winrar-x64-621.exe. It is possible this utility was used for data exfiltration. 

MEGAsync is a legitimate cloud storage solution, however, it is often used by threat actors for exfiltrating data. Due to its presence in the victim’s environment, it is highly likely the threat actor used MEGA to exfiltrate data.  

MEGA was observed to once reside in the following locations: 

• C:\Users\<User>\AppData\Local\MEGAsync\MEGAsync.exe 
• C:\Users\<User>\Documents\ConnectWiseControl\Files\MEGAsyncSetup64.exe 
• C:\Users\<User>\Downloads\MEGAsyncSetup64.exe

Additionally, MEGA-related strings were recovered from the encrypted VMDKs: 

• MEGAsyncSetup64.exe 
• MEGAsync.exe 
• MEGA Website.lnk 
• MEGAsync.cfg.bak 
• MEGAsync.log 
• MEGAsync Update Task [SID] 
• MEGAsync.lnk

Impact 

BlackCat ransomware was deployed to the affected domain in the form of min.exe. Data was encrypted and .dujcsfd was appended to files. A ransom note was dropped onto the compromised Windows servers.  

min.exe 

PsExec was highly likely used to distribute the ransomware across the affected domain as BlackCat has a built-in PsExec module [7].  

Additionally, min.exe had the following command line options: 

• access-token: Access token. 
• paths: Only process files inside defined paths 
• no-net: Do not discover network shares on Windows. 
• no-prop : Do not self propagate (worm) on Windows. 
• no-wall: Do not update desktop wallpaper on Windows. 
• no-impers: Do not spawn impersonated processes on Windows. 
• no-vm-kill: Do not stop VMs on ESXI. 
• no-vm-snapshot-kill: Do not wipe VMs snapshots on EXSI. 
• no-vm-kill-names: Do not stop defined VMs on EXSI. 
• sleep-restart: Sleep for duration in seconds after successful run and then restart. 
• sleep-restart-duration: Keep soft persistence alive for duration in second. (24 hours by default). 
• sleep-restart-until: Keep soft persistence alive until defined UTC time in millis. (Defaults to 24 hours since launch). 
• no-prop-servers: Do not propagate to defined servers. 
• prop-file: Propagate specified file. 
• drop-drag-and-drop-target: Drop drag and drop target batch file. 
• drag-and-drop: Invoked with drag and drop. 
• log-file: Enable logging to specified file. 
• verbose: Log to console. 
• extra-verbose: Log more to console.  
• ui: Show user interface. 
• safeboot: Reboot in Safe Mode before running on Windows. 
• safeboot-network: Reboot in Safe Mode with Networking before running on Windows. 
• safeboot-instance: Run as safeboot instance on Windows. 
• propagated: Run as propagated process. 
• child: Run as child process.  
• bypass: Run as elevated process.  

The configuration of min.exe contained 23 elements [8]: 

• config_id: Configuration ID 
• extension: File extension appended to files.  
• public_key: RSA public key. 
• note_file_name: The file name of the ransom note.  
• note_full_text: The ransom note in full.  
• note_short_text: A shorter version of the ransom note.  
• Credentials: Credentials used by BlackCat. 
• default_file_mode: File encryption mode.  
• default_file_cipher: File encryption cipher.  
• kill_services: The services to terminate.  
• kill_processes: The processes to terminate.  
• exclude_directory_names: Does not encrypt the defined directories.   
• exclude_file_names: Does not encrypt the defined files. 
• exclude_file_extensions: Does not encrypt the defined extensions.  
• exclude_file_path_wildcard: Does not encrypt the defined file paths.  
• enable_network_discovery: Enable network discovery. 
• enable_self_propagation: Enable self propagation.  
• enable_set_wallpaper: Enable the desktop wallpaper to be changed.
• enable_esxi_vm_kill: Enable VM termination on EXSI. 
• enable_esxi_vm_snapshot_kill: Enable snapshot deletion on ESXI. 
• strict_include_paths: Hardcoded file paths to encrypt. 
• esxi_vm_kill_exclude: VMs to cluse on EXSI hosts.  
• sleep_restart: Sleep time before restarting.

Some of the files not encrypted include:  

• $windows.~bt 
• windows 
• windows.old 
• system volume information 
• boot 

The files below are some of the files included in the file name exclusion list: 

• ntuser.dat 
• autorun.inf 
• boot.ini 
• desktop.ini 

Below are some of the defined extensions that are not encrypted: 

• exe 
• drv 
• msc 
• dll 
• lock 
• sys 
• msu 
• lnk

T1489 – Service Stop [9] 

min.exe uses kill_processes to stop the following processes:  

• memtas 
• veeam 
• svc$ 
• backup 
• sql 
• vss 
• msexchange 

Additionally, kill_services is used to stop various services including but not limited to:  

• excel 
• firefox 
• infopath 
• isqlplussvc 
• msaccess 
• mspub 
• mydesktopqos 
• mydesktopservice 
• notepad 
• ocautoupds
• ocomm 
• ocssd 
• onenote 
• oracle 
• outlook
• powerpnt 
• sqbcoreservice 
• steam 
• synctime 
• tbirdconfig
• thebat 
• thunderbird 
• visio 
• winword 
• wordpad 
• xfssvccon 

T1490 – Inhibit System Recovery 

Various backups were modified by the threat actor using an already existing domain administrator account and subsequently, backups were then deleted. 

Analysis of the ransomware executable, min.exe, indicated that BlackCat uses the below Windows utilities to inhibit system recovery: 

Windows Utility	Description
wmic.exe Shadowcopy Deleteshadow_copy	To delete shadow copies
iisreset.exe /stop	To stop all the running IIS services
bcdedit /set recoveryenabled No	To modify the boot configuration data
vssadmin.exe Delete Shadows /all /quiet	To delete all volume shadow copies

T1491.001 – Defacement: Internal Defacement 

A desktop wallpaper, RECOVER-dujcsfd-FILES.txt.png, was dropped on some of the compromised Windows servers. 

Indicators of Compromise 

IOC Value	Indicator Type	Description
7282dad776ad387028ae7b6d359b2d2d0b17af0e	SHA1	C:\PerfLogs\min.exe (Ransomware executable)
3E2272B916DA4BE3C120D17490423230AB62C174	SHA1	C:\PerfLogs\PsExec.exe
DA39A3EE5E6B4B0D3255BFEF95601890AFD80709	SHA1	C:\PerfLogs\Veeam-Get-Creds.ps1
C:\Users\<User>\Downloads\MEGAsyncSetup64.exe	File Path	MEGA
C:\Program Files (x86)\ScreenConnect Client C:\Program Files (x86)\Splashtop C:\Program Files\ATERA Networks	File Path	Remote Access Applications
C:\Users\<User>\Documents\ConnectWiseControl\Files\mimikatz.exe C:\Users\<User>\Documents\ConnectWiseControl\Files\MEGAsyncSetup64.exe C:\Users\<User>\Documents\ConnectWiseControl\Files\tsd-setup.exe	File Path	Files transferred using ScreenConnect.

MITRE ATT CK® 

Tactic	Technique	ID	Description
Execution	Windows Management Instrumentation	T1047	WMIC.exe is used to delete shadow copies.
Execution	System Services: Service Execution	T1569.002	Various services installed.
Persistence	Create Account: Local Account	T1136.001	Creation of new accounts.
Persistence	Create or Modify System Process: Windows Service	T1543.003	Total Software Deployment installed as a new service.
Defense Evasion	Indicator Removal: Clear Windows Event Logs	T1070.001	Cleared logs. Ransomware payload uses wevtutil.exe cl.
Defense Evasion	Indicator Removal: File Deletion	T1070.004	The ransomware executable was deleted.
Defense Evasion	Modify Registry	T1112	Adding a registry key to maintain persistence.
Defense Evasion	File and Directory Permissions Modification: Windows File and Directory Permissions Modification	T1222.001	Using fsutil to redirect file system access to a different location once access to the network is gained.
Credential Access	OS Credential Dumping	T1003	Using a PowerShell script to retrieve Veeam credentials.
Credential Access	OS Credential Dumping: LSASS Memory	T1003.001	Mimikatz.
Credential Access	OS Credential Dumping: NTDS	T1003.003	Impacket usage to enumerate the NTDS.dit.
Discovery	Remote System Discovery	T1018	Ping usage.
Discovery	System Owner/User Discovery	T1033	Using ScreenConnect to execute commands.
Discovery	System Information Discovery	T1082	Obtain the UUID.
Lateral Movement	Lateral Tool Transfer	T1570	Execution PsExec to move laterally.
Collection	Data Staged: Local Data Staging	T1074.001	Creation of multiple .zip files.
Collection	Archive Collected Data: Archive via Utility	T1560.001	Observation of WinRAR.
Command and Control	Remote Access Software	T1219	Presence of ScreenConnect, Atera and Splashtop
Exfiltration	Data Staged: Local Data Staging	T1074.001	Multiple .zip files within C:\PerfLogs.
Exfiltration	Exfiltration Over Web Service: Exfiltration to Cloud Storage	T1567.002	Presence of MEGAsync.
Impact	Data Encrypted for Impact	T1486	Deployment of BlackCat ransomware.
Impact	Inhibit System Recovery	T1490	Modification/deletion of backups.  Delete volume shadow copies. Stop running IIS services. Modify the boot configuration data.
Impact	Defacement: Internal Defacement	T1491.001	RECOVER-dujcsfd-FILES.txt.png was dropped as desktop wallpaper.

References 

[1] https://www.bleepingcomputer.com/news/security/new-donut-leaks-extortion-gang-linked-to-recent-ransomware-attacks/ 

[2] https://www.bleepingcomputer.com/news/security/donut-extortion-group-also-targets-victims-with-ransomware/&nbsp;

[3] https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/ 

[4] https://www.bleepingcomputer.com/news/security/alphv-blackcat-this-years-most-sophisticated-ransomware/ 

[5] https://twitter.com/MsftSecIntel/status/1692212191536066800 

[6] https://attack.mitre.org/software/S1068/  

[7] https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackcat  

[8] https://www.netskope.com/blog/blackcat-ransomware-tactics-and-techniques-from-a-targeted-attack 

[9] https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/ 

Here are some related articles you may find interesting

View articles by category

Call us before you need us.

Our experts will help you.

Get in touch