DailyPost 1904

Ransomware can beat COVID-19 at its own game: the mutants, the variants, the infection, and the plaguing of the world with no solution in sight. It is a war of attrition. In the war against the pandemic we can see visible gains, better understanding and a better response with time; those encouraging positives are not visible in our war against the ransomware pandemic, which is reaching dangerous proportions. The hackers seem to be the technically most proficient party. Of late, details have emerged of the first Rust-language-based ransomware strain. The strain has been spotted in the wild and has been dubbed BlackCat. It has already amassed victims in several countries, although it was launched only a month back.

Why do hackers go in for new languages? It is a commonplace question, and the trend is certainly growing. This development signals the mindset of the threat actors. They have been adopting lesser-known programming languages such as Dlang, Go, Nim and Rust. The purpose is to bypass security protections, evade analysis, and create a bottleneck in reverse engineering efforts, since existing tooling and analyst familiarity lag behind. Another reason, specific to Rust, is its ability to achieve performance comparable to the well-established languages C and C++. Rust also provides memory safety guarantees, a feature that can be leveraged to create malware that is less susceptible to the kind of exploitation that would render it useless.
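The flip side of the "new language" trend, for a defender, is that the toolchain leaves fingerprints of its own. Rust binaries usually carry panic-location strings and standard-library source paths in their data, so a quick string scan tells an analyst which toolchain to expect before opening a sample in a disassembler. The triage script below is an added example and is not code from the column or from any vendor's BlackCat analysis; the marker list is a heuristic I am assuming from commonly observed Rust build artifacts, and the two byte blobs are constructed stand-ins for file contents, not real samples.

```python
"""Heuristic triage: does a binary carry Rust toolchain artifacts?

Added example, not from the DailyPost column. The markers below are an
assumed heuristic list; the sample bytes are constructed for illustration.
"""
import re
from collections import Counter

# Substrings the Rust toolchain commonly embeds in compiled binaries (assumed heuristic).
RUST_MARKERS = (
    b"/rustc/",                 # panic locations point into the rustc source tree
    b"library/core/src/",       # core library source paths
    b"library/std/src/",        # std library source paths
    b".cargo/registry/src/",    # vendored crate source paths
    b"rust_begin_unwind",       # panic machinery symbol name
    b"called `Option::unwrap()` on a `None` value",  # canonical panic message
)

# rustc source paths carry a 40-hex-digit commit hash that pins the compiler build.
RUSTC_HASH_RE = re.compile(rb"/rustc/([0-9a-f]{40})/")


def rust_artifacts(data: bytes) -> Counter:
    """Count how often each marker occurs in the raw file bytes (only hits are kept)."""
    return Counter({m: data.count(m) for m in RUST_MARKERS if m in data})


def rustc_commit(data: bytes):
    """Return the embedded rustc commit hash as a string, or None if absent."""
    m = RUSTC_HASH_RE.search(data)
    return m.group(1).decode() if m else None


def looks_rust_built(data: bytes, min_markers: int = 2) -> bool:
    """Flag a sample when at least `min_markers` distinct artifacts are present.

    Requiring two distinct markers reduces false positives from a single stray
    string (for example a Rust crate name mentioned in an unrelated binary).
    """
    return len(rust_artifacts(data)) >= min_markers


def triage(data: bytes) -> dict:
    """Summarise the evidence so it can be attached to a sample's triage record."""
    hits = rust_artifacts(data)
    return {
        "rust_built": looks_rust_built(data),
        "distinct_markers": len(hits),
        "rustc_commit": rustc_commit(data),
        "markers": {k.decode(errors="replace"): v for k, v in hits.items()},
    }


# Constructed stand-ins for file contents (not real samples).
SAMPLE_RUST = (
    b"MZ\x90\x00" + b"\x00" * 32
    + b"/rustc/" + b"a" * 40 + b"/library/core/src/fmt/mod.rs\x00"
    + b"/rustc/" + b"a" * 40 + b"/library/std/src/io/mod.rs\x00"
    + b"called `Option::unwrap()` on a `None` value\x00"
    + b"rust_begin_unwind\x00"
)
SAMPLE_C = b"MZ\x90\x00" + b"\x00" * 32 + b"msvcrt.dll\x00printf\x00"


if __name__ == "__main__":
    for name, blob in (("rust-like", SAMPLE_RUST), ("c-like", SAMPLE_C)):
        print(name, triage(blob))
```

Run it over a real file by reading the bytes and passing them to `triage()`. The commit hash is the most useful single field: it identifies the exact compiler build, which lets an analyst pull matching standard-library symbols and tells you whether two samples share a toolchain. A packed or stripped sample may hide these strings, so a negative result only means "no evidence", not "not Rust".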

It is not clear who first detected this malware; it was disclosed by MalwareHunterTeam, whose researchers described the file-encrypting malware in a series of tweets. Victims are asked to pay in Bitcoin or Monero. The interesting facet of this whole game is that the victims are given credentials to hand to intermediaries for negotiations. This takes ransomware negotiations to a different level and also speaks of the mechanism the actors have built for the purpose. BlackCat is akin to many of its better-known peers and operates as ransomware-as-a-service (RaaS). The core developers recruit affiliates to breach corporate environments and encrypt files. Before encryption, documents are stolen as part of a double extortion scheme: a ransom for the encrypted data, plus the risk of exposure of the stolen data, which can play out in the most imaginative ways against the victim.

A South Korean cybersecurity company analyzed BlackCat, which, like other strains, conducts its malicious actions by referring to internal configuration files. It has similarities with BlackMatter, a malware that emerged from the ashes of DarkSide. The standard modus operandi of these gangs is to go underground, regroup and resurface. BlackCat might not turn out to be just a BlackMatter rebrand; the differences lie in the programming language used and the myriad execution options. What is also important is the dark web infrastructure maintained by the actor. The ransomware actor is also said to be operating five onion domains, three of which function as the group's negotiation site, with the rest categorized as an "Alphv" public leak site and a private leak site.


Sanjay Sahay
