BlackCat Ransomware

Based on our profiling analysis, the site is largely operated by east-European individuals based on sentence structure. The communiction site also offers an intermediary access (private access to negotiators). Primary motivation is based on monetary gain and the group offers access to their encryption software (aka Malware aka Ransomware) on a paid and commission based subscription model (RaaS). The group has no political interests but CYPFER has noticed that no attacks against Russian/Ukrainian or other East-European attacks were evident or supported by the group.

NOTE:  Whenever a ransomware group offers “private access” to negotiators, ensure that you request full transcript of any out of band communications. Transparency throughout the negotiation process is critical to keep victims informed of any communication protocols, decisions and information that might be critical not only to the negotiation process itself but also to the investigation into the incident and to ensure the client is able to lock down any vulnerabilities in their environment.

• BLACKCAT operators are not limiting themselves to specific attack types, but have been seen exploiting both external Internet facing assets using some of the latest exploits such as Log4j but also using brute force of remote access capabilties. Some attacks were identified using phishing techniques to establish initial foothold.
• COMMUNICATION PROTOCOLS: BLACKCAT communications take place primarily over the groups web-chat that is accessible through TOR. Each victim organization is provided with a unique key to access the chat-room. Initial discount is offered for a specific period and typically is 25% of the initial demand.
• INITIAL DEMANDS: BlackCat demands on average begin around $1,000,000. This number may vary between each matter as the demands are typically based on what the threat actors believe the company can afford to pay. Initial discounts are at 25% but are time limited.
• FINAL DEMANDS: BlackCat operators or affiliates have full decision control of the final amount. Discounts depend on a variety of factors including the ability to negotiate appropriately with the affiliates, duration of the negotiations and other factors. Further discounts of sometimes 50-70% are possible but are dependant on the matter.
• DURATION: Negotiation durations with BlackCat are relatively quick and can run from 2 days to 8 days.

DECRYPTION:BlackCat decryptor is 91% effective in decrypting files. Speed of decryption is dependant upon a number of factors including hardware capabilities and size of encrypted files. Decryptors are offered for a variety of operating systems including Windows, Linux, ESXI and ARM Speed of decryptor is MEDIUM.

RECOVERY and REMEDIATION: CYPFER’s post breach recovery teams have worked a number of BlacCat matters, and recovery of an environment while it depends on impact, hardware capacity and available resources will typically take 5-10 business days.