Threat Signal Report

Meet Blackcat: New Ransomware Written in Rust on the Block

description-logo Description

FortiGuard Labs is aware of reports that a new ransomware called Blackcat, also known as ALPHV, was spotted in the wild. Blackcat is a yet another ransomware-as-a-service (RaaS) that recruit affiliates for corporate intrusions, encrypting files on the victim's network and stealing confidential files from it in order to get ransom. The ransomware could be the first malware written in Rust programming language.


Why is this Significant?

This is significant as Blackcat (ALPHV) is a new ransomware that has reportedly claimed victims already. Because it is a RaaS, it recruits affiliates, some of which may already have access to corporate networks. Also, this ransomware could be the first malware written in Rust programming language.


What is Blackcat (ALPHV) Ransomware?

According to BleepingComputer, Blackcat ransomware was recently advertised on Russian-speaking hacking forums. The ransomware "is entirely command-line driven, human-operated, and highly configurable, with the ability to use different encryption routines, spread between computers, kill virtual machines and ESXi VMs, and automatically wipe ESXi snapshots to prevent recovery".


Before encrypting files on the compromised machine, the ransomware terminates processes and Windows services to ensure targeted files are not locked. It also steals files from the affected machine. The attacker then demands ransom in Bitcoin or Monero from the victim for file decryption and not releasing the stolen files to the public. Reportedly, the attacker also asks ransom for not launching Distributed Denial of Service (DDoS) against the victim.


The infection vector for Blackcat ransomware varies from an affiliate to affiliate. Typically, ransomware is deployed from another malware delivered via email, the exploitation of vulnerabilities or unsecured Remote Desktop Protocol (RDP) connections.


What is Rust?

Rust is a programming language that was developed as an alternative to C/C++ in Mozilla. Rust is designed with safety and efficient resource management in mind. All the functionality of C and resource management of Java without the inherent memory security risks of the former and the performance issues of the latter. In February 2021, the Rust foundation was found as a non-profit organization whose primary focus is "to steward the Rust programming language and ecosystem, with a unique focus on supporting the set of maintainers that govern and develop the project".


What is the Status of Coverage?

FortiGuard Labs provide the following AV coverage against Blackcat (ALPHV) ransomware:

W32/Filecoder.OJP!tr

W32/PossibleThreat


Definitions

Traffic Light Protocol

Color When Should it Be used? How may it be shared?

TLP: RED

Not for disclosure, restricted to participants only.
Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

TLP: AMBER

Limited disclosure, restricted to participants’ organizations.
Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

TLP: GREEN

Limited disclosure, restricted to the community.
Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

TLP: WHITE

Disclosure is not limited.
Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.