Unpacking the rise of BlackCat ransomware: High victim count, high payouts, customized features
Despite being a relative newcomer, the BlackCat ransomware family is moving up the list of the most prolific operators in the space, according to a report from Palo Alto Networks’ Unit 42 threat intelligence unit.
The group’s latest report, published Thursday and first reported by CyberScoop, found that as of December 2021, BlackCat has the seventh-most victims among all ransomware groups Unit 42 tracks, a remarkable feat considering that BlackCat initially garnered notice in mid-November 2021.
“This highlights a worrying trend that newcomers (or reformed groups) can attack many victims in a short space of time,” the researchers wrote.
BlackCat is a typical ransomware group in some ways, but has novel aspects that Unit 42 analyzed. Its ransomware is written in Rust, a programming language growing in popularity for its web application benefits, memory management and efficiency. Rust has been used in malware in the past, but BlackCat might be the first ransomware to use it in the wild, the researchers wrote, building on earlier findings from early December 2021 by Recorded Future and MalwareHunterTeam.
“Given its numerous native options, Rust is highly customizable, which facilitates the ability to pivot and individualize attacks,” they wrote.
BlackCat also offers a higher return for affiliates. Ransomware as a service is not uncommon, but BlackCat’s offer to let affiliates keep 80% to 90% of ransom payments, with the remainder going to the BlackCat author, may help explain its growth.
Ransoms are also an interesting feature of BlackCat’s rise, the researchers note: Affiliates using the malware have been observed asking for as much as $14 million in bitcoin or monero, nearly three times the average ransom demand of $5.3 million asked for in the first half of 2021, Unit 42 reports.
“BlackCat is an innovative and sophisticated ransomware family,” the researchers wrote, “that is rapidly forming a reputation for its highly customized and individualized attacks.”
It’s fairly standard in other regards: The victims posted to its leak site span a range of industries in the U.S., Europe and the Philippines, including construction, engineering, retail, transportation and pharmaceuticals, suggesting a somewhat opportunistic approach. It also employs a so-called double extortion method, in which the group not only encrypts a target’s data but also threatens to publish stolen data to cause embarrassment for the target.
In some cases the group also threatens to launch distributed denial-of-service (DDoS) attacks against the target, which would overwhelm its website and prevent legitimate traffic from getting through.
Signs point to at least a Russian element to BlackCat. The group advertises in Russian-speaking forums, and the malware is written in Russian, Palo Alto Networks said. As the West threatens Russia over its hostilities toward Ukraine, the Kremlin has been publicizing law enforcement actions against hacking groups operating on its soil, most recently leaders of the Infraud Organization.