Meet Blackcat: New Ransomware Written in Rust on the Block

Description

FortiGuard Labs is aware of reports that a new ransomware called Blackcat, also known as ALPHV, was spotted in the wild. Blackcat is yet another ransomware-as-a-service (RaaS) that recruits affiliates for corporate intrusions, encrypting files on the victim's network and stealing confidential files from it in order to extort a ransom. The ransomware could be the first malware written in the Rust programming language.


Why is this Significant?

This is significant because Blackcat (ALPHV) is a new ransomware that has reportedly claimed victims already. Because it is a RaaS, it recruits affiliates, some of whom may already have access to corporate networks. Also, this ransomware could be the first malware written in the Rust programming language.


What is Blackcat (ALPHV) Ransomware?

According to BleepingComputer, Blackcat ransomware was recently advertised on Russian-speaking hacking forums. The ransomware "is entirely command-line driven, human-operated, and highly configurable, with the ability to use different encryption routines, spread between computers, kill virtual machines and ESXi VMs, and automatically wipe ESXi snapshots to prevent recovery".


Before encrypting files on the compromised machine, the ransomware terminates processes and Windows services to ensure that targeted files are not locked. It also steals files from the affected machine. The attacker then demands a ransom in Bitcoin or Monero from the victim in exchange for file decryption and for not releasing the stolen files to the public. Reportedly, the attacker also demands a ransom in exchange for not launching a Distributed Denial of Service (DDoS) attack against the victim.


The infection vector for Blackcat ransomware varies from affiliate to affiliate. Typically, the ransomware is deployed by other malware delivered via email, through the exploitation of vulnerabilities, or through unsecured Remote Desktop Protocol (RDP) connections.


What is Rust?

Rust is a programming language that was developed at Mozilla as an alternative to C/C++. Rust is designed with safety and efficient resource management in mind: it aims to offer the functionality of C and the resource management of Java without the inherent memory-safety risks of the former or the performance issues of the latter. In February 2021, the Rust Foundation was founded as a non-profit organization whose primary focus is "to steward the Rust programming language and ecosystem, with a unique focus on supporting the set of maintainers that govern and develop the project".


What is the Status of Coverage?

FortiGuard Labs provides the following AV coverage against Blackcat (ALPHV) ransomware:

W32/Filecoder.OJP!tr

W32/PossibleThreat