Threat Analysis Unit - Threat Intelligence Notification
Title: BlackCat Ransomware
Summary
A newly discovered BlackCat ransomware threatens to leak victim’s data if they do not pay the demanded amount of ransom to the attacker. It also deletes the volume shadow copies, preventing victims from recovering their data. BlackCat also has the ability to propagate in networks for infecting more machines.
Behavioral Summary
BlackCat Ransomware may append extensions like “.sykffle” to each of the encrypted files.Other than that, it will also create a ransom note in every folder named “RECOVER-sykffle-FILES.txt” as shown in Figure 1.
Figure 1. Ransom note of BlackCat ransomware
BlackCat also replaces the user’s wallpaper with the image shown in Figure 2.
Figure 2. Screenshot of the ransom note set as wallpaper
It tries to delete shadow copies with vssadmin with below command line:
vssadmin.exe delete shadows /all /quiet
BlackCat also runs the below command to retrieve the unique ID for a victims machine, for identifying data when paying the ransom:
wmic csproduct get UUID
For network propagation BlackCat uses PsExec with embedded administrative credentials to mount the hidden partitions.
Below, in Table 1, is the list of directories it excludes from encryption.
|
system volume information
|
program files
|
tor browser
|
|
intel
|
$windows.~bt
|
programdata
|
|
$windows.~ws
|
public
|
boot
|
|
application data
|
msocache
|
config.msi
|
|
$recycle.bin
|
windows
|
google
|
|
mozilla
|
default
|
perflogs
|
|
program files (x86)
|
all users
|
appdata
|
|
windows.old
|
|
|
Table 1. List of directories excluded
The list of filenames BlackCat excluded while encrypting is shown in Table 2.
|
desktop.ini
|
ntuser.dat
|
|
autorun.inf
|
iconcache.db
|
|
ntldr
|
bootfont.bin
|
|
bootsect.bak
|
ntuser.ini
|
|
thumbs.db
|
ntuser.dat.log
|
|
boot.ini
|
|
Table 2. List of filenames excluded
The list of extensions BlackCat excluded while encrypting is shown in Table 3.
|
themepack
|
rtp
|
wpx
|
bin
|
shs
|
|
nls
|
msp
|
hlp
|
cmd
|
ldf
|
|
diagpkg
|
prf
|
icns
|
ani
|
theme
|
|
msi
|
msc
|
rom
|
386
|
mpa
|
|
lnk
|
ico
|
dll
|
lock
|
nomedia
|
|
exe
|
key
|
msstyles
|
cur
|
spl
|
|
cab
|
ocx
|
mod
|
idx
|
cpl
|
|
scr
|
diagcab
|
ps1
|
sys
|
adv
|
|
bat
|
diagcfg
|
ics
|
com
|
icl
|
|
drv
|
pdb
|
hta
|
deskthemepack
|
msu
|
Table 3. List of extensions excluded
In addition, BlackCat ransomware would terminate several processes listed in Table 4:
|
encsvc
|
synctime
|
excel
|
ocautoupds
|
|
thebat
|
notepad
|
powerpnt
|
dbsnmp
|
|
mydesktopqos
|
ocomm
|
outlook
|
msaccess
|
|
xfssvccon
|
onenote
|
wordpad
|
tbirdconfig
|
|
firefox
|
mspub
|
dbeng50
|
ocssd
|
|
infopath
|
thunderbird
|
isqlplussvc
|
mydesktopservice
|
|
winword
|
agntsvc
|
sqbcoreservice
|
visio
|
|
steam
|
sql
|
oracle
|
sql*
|
Table 4. List of processes terminated before encryption
BlackCat ransomware also stops several services listed in Table 5.
|
mepocs
|
sql
|
|
memtas
|
vss
|
|
veeam
|
msexchange
|
|
svc$
|
sql*
|
|
backup
|
|
Table 5. List of services stopped before encryption
Customer Protection
BlackCat Ransomware is blocked and detected by existing policies within VMware Carbon Black products. To learn more about further ransomware behaviour, detection and protection capabilities within the VMware Carbon Black suite of products against BlackCat Ransomware, you may refer to the following blog post:
TAU-TIN - Ransomware Threats
MITRE ATT&CK TIDs
|
TID
|
Tactic
|
Description
|
|
T1057
|
Discovery
|
Process Discovery
|
|
T1059.003
|
Execution
|
Command and Scripting Interpreter: Windows Command Shell
|
|
T1083
|
Discovery
|
File and Directory Discovery
|
|
T1486
|
Impact
|
Data Encrypted for Impact
|
|
T1489
|
Impact
|
Service Stop
|
Table 6. MITRE ATT&CK TIDs
Indicators of Compromise (IOCs)
|
Indicator
|
Type
|
Context
|
|
cefea76dfdbb48cfe1a3db2c8df34e898e29bec9b2c13e79ef40655c637833ae
|
SHA256
|
BlackCat Ransomware
|
|
e17dc8062742878b0b5ced2145311929f6f77abd
|
SHA1
|
BlackCat Ransomware
|
|
ff56e700d15f3d944424c295eae926d9
|
MD5
|
BlackCat Ransomware
|
Table 7. Indicator of compromise
About TAU-TIN
TAU-TIN (Threat Analysis Unit - Threat Intelligence Notification) is a report by Carbon Black's TAU (Threat Analysis Unit) to help customers detect and prevent emerging threats.
To receive future notifications, navigate to the TAU-TIN label on UeX and then click Subscribe.