
Unveiling the Dark Side: A Deep Dive into Active Ransomware Families 

Not so lucky: BlackCat is back! 

Authors: Alex Jessop @ThisIsFineChief , Molly Dewis 

While the main trend in the cyber threat landscape in recent months has been MOVEit and Cl0p, NCC Group's Cyber Incident Response Team has also been handling multiple different ransomware groups over the same period.

In the ever-evolving cybersecurity landscape, one consistent trend witnessed in recent years is the unsettling rise in ransomware attacks. These acts of digital extortion have left countless victims scrambling to safeguard their data, resources and even their livelihoods. To counter this threat, everyone in the cyber security field has a responsibility to shine a light on current threat actor Tactics, Techniques and Procedures (TTPs) to help improve defences and the overall threat landscape.

This series will focus on the TTPs deployed by four ransomware families recently observed during NCC Group's incident response engagements. The ransomware families that will be explored are:

  1. BlackCat – Also known as ALPHV. First observed in 2021, BlackCat is a Ransomware-as-a-Service (RaaS) operation that often uses the double extortion method for monetary gain.
  2. Donut – The D0nut extortion group was first reported in August 2022 [1] for breaching networks and demanding ransoms in return for not leaking stolen data. A few months later, reports emerged of the group using encryption as well as data exfiltration, with speculation that the ransomware deployed by the group was linked to HelloXD ransomware [2]. There are also suspected links between D0nut affiliates and both the Hive and Ragnar Locker ransomware operations.
  3. Medusa – Not to be confused with MedusaLocker, Medusa was first observed in 2021 and is a Ransomware-as-a-Service (RaaS) that often uses the double extortion method for monetary gain. In 2023 the group's activity increased with the launch of the 'Medusa Blog', a platform used to leak data belonging to victims.
  4. NoEscape – At the end of May 2023, a newly emerged Ransomware-as-a-Service (RaaS) named NoEscape was observed on a cybercrime forum.

Join us as we delve into the inner workings of these ransomware families, gaining a better understanding of their motivations, attack vectors and TTPs.

To begin our deep dive we will start with…  

Not so lucky: BlackCat is back! 

Summary

This first post will delve into a recent incident response engagement handled by NCC Group’s Cyber Incident Response Team (CIRT) involving BlackCat Ransomware.  

The following is a summary of the findings presented in this blog post:

  • Installation of various services. 
  • Creation of new accounts. 
  • Modification and deletion activity.  
  • Credential dumping activity. 
  • Use of remote access applications. 
  • Data staging. 
  • Presence of MEGAsync.  
  • Analysis of the ransomware executable.

BlackCat

BlackCat ransomware, also known as ALPHV, is a Rust-based variant first seen in November 2021. BlackCat is offered under a ransomware-as-a-service (RaaS) model and is an example of double-extortion ransomware: data is exfiltrated as well as encrypted, and the victim is threatened with publication of that data if the ransom is not paid [4]. The group behind BlackCat can be characterised as financially motivated. BlackCat targets no specific industry and has the capability to encrypt both Windows and Linux hosts. It encrypts files with AES, falling back to ChaCha20 where the system's hardware does not support AES acceleration [4].

Incident Overview  

In this incident, the initial access vector could not be determined. Prior to the execution of the ransomware, a wide variety of activity was observed, such as the installation of new services, creation of new accounts and data staging. Based on the techniques employed, data is believed to have been exfiltrated; however, no data was published to the leak site.

MITRE ATT&CK TTPs

Execution 

The threat actor installed various new services: 

  • Total Software Deployment Audit Service 
  • HWiNFO Kernel Driver 
  • ScreenConnect Client 
  • PSEXESVC 
  • AteraAgent 
  • WinRing0_1_2_0 
  • Splashtop® Remote Service

Additionally, BlackCat ransomware uses wmic.exe Shadowcopy Delete to delete volume shadow copies.

Persistence 

The threat actor maintained access to the victim's environment by creating a new Administrator account and a new default admin user named azure.

Additionally, a Total Software Deployment Audit Service Windows service was installed (see the service-installation event below), likely to maintain persistence on the affected host. Total Software Deployment supports group deployment, maintenance and uninstallation of software packages, and BlackCat affiliates are known to use it [3].

{"EventData":{"Data":[{"@Name":"ServiceName","#text":"Total Software Deployment Audit Service"},{"@Name":"ImagePath","#text":"\"%SystemRoot%\\TNIWINAGENT\\tniwinagent.exe\" /service /ip: /login:\"current\" /driver:2"},{"@Name":"ServiceType","#text":"user mode service"},{"@Name":"StartType","#text":"demand start"},{"@Name":"AccountName","#text":"LocalSystem"}]}}

Defence Evasion 

The threat actor utilised various techniques to hide their tracks and evade detection: 

  • Using an already existing administrator account to clear the following event logs: 
    • System 
    • Windows PowerShell 
    • WitnessClientAdmin 
  • The ransomware payload, min.exe, used wevtutil.exe cl to clear event logs. 
  • Deleting the ransomware executable from C:\Users\azure\Desktop\min.exe. 
  • The ransomware payload, min.exe, had the capability to modify the following registry key: 
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters.
    Public analysis of BlackCat [3] describes this as setting the MaxMpxCt value to raise the number of outstanding SMB requests per client, which speeds up encryption over the network; it is not a persistence mechanism.
  • The ransomware payload, min.exe, used fsutil behavior set SymlinkEvaluation R2R:1 to enable remote-to-remote symbolic link evaluation, so that symbolic links encountered on network shares are followed once the payload has access to the network.

Credential Access 

Various techniques to gather credentials were employed by the threat actor.  

Due to the presence of Veeam in the victim's environment, the script C:\PerfLogs\Veeam-Get-Creds.ps1 (reproduced below as recovered) was leveraged to recover the passwords Veeam uses to connect to remote hosts. The script reads the SQL connection parameters from the Veeam registry key, queries the Veeam configuration database for stored credentials and decrypts each password with DPAPI in LocalMachine scope. Because the protection is machine-scoped rather than user-scoped, any account with local administrator rights on the backup server can decrypt them, which is why the script only needs to run elevated on the Veeam server itself.

# About:  The script is designed to recover passwords used by Veeam to connect
#         to remote hosts vSphere, Hyper-V, etc. The script is intended for
#         demonstration and academic purposes. Use with permission from the
#         system owner.
#
# Author: Konstantin Burov.
#
# Usage:  Run as administrator (elevated) in PowerShell on a host in a Veeam
#         server.

Add-Type -assembly System.Security

# Searching for connection parameters in the registry
try {
    $VeaamRegPath = "HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication\"
    $SqlDatabaseName = (Get-ItemProperty -Path $VeaamRegPath -ErrorAction Stop).SqlDatabaseName
    $SqlInstanceName = (Get-ItemProperty -Path $VeaamRegPath -ErrorAction Stop).SqlInstanceName
    $SqlServerName   = (Get-ItemProperty -Path $VeaamRegPath -ErrorAction Stop).SqlServerName
} catch {
    echo "Can't find Veeam on localhost, try running as Administrator"
    exit -1
}

""
"Found Veeam DB on " + $SqlServerName + "\" + $SqlInstanceName + "@" + $SqlDatabaseName

# The portion of the script that queries the Veeam configuration database for the
# stored credential rows was not recovered on this page. Each row returned is then
# decrypted with the machine-scoped DPAPI key:
... | ForEach-Object {
    $EncryptedPWD = [Convert]::FromBase64String($_.password)
    $ClearPWD = [System.Security.Cryptography.ProtectedData]::Unprotect(
        $EncryptedPWD, $null, [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
    $enc = [System.Text.Encoding]::Default
    $_.password = $enc.GetString($ClearPWD)
}

Additionally, the threat actor used ScreenConnect to transfer Mimikatz to a compromised host (see below).  

{"EventData":{"Data":"Transferred files with action 'Transfer':\nmimikatz.exe\n\nVersion: 23.4.5.8571\nExecutable Path: C:\\Program Files (x86)\\ScreenConnect Client (7d2615d1049a2b63)\\ScreenConnect.ClientService.exe\n","Binary":""}} 

Events like the above and any others related to ScreenConnect activity can be found in Application.evtx.  

Subsequently, evidence of a file named mimikatz.log was observed. It is highly likely Mimikatz was leveraged by the threat actor to harvest credentials.  

Finally, it is likely the threat actor dumped C:\Windows\NTDS\ntds.dit, as the following files were created: 1.txt.ntds, 1.txt.ntds.kerberos and 1.txt.ntds.cleartext. This naming (<outputfile>.ntds, .ntds.kerberos and .ntds.cleartext) is what Impacket's secretsdump.py writes when run with -outputfile 1.txt [5].

Discovery 

The threat actor used ScreenConnect to execute commands such as ping ..local. In some instances only the length of the command was recorded, not its content (see below); such entries still show that commands were run through the ScreenConnect session even though the command text itself was not captured.

{"EventData":{"Data":"Executed command of length: 33\n\nVersion: 23.4.5.8571\nExecutable Path: C:\\Program Files (x86)\\ScreenConnect Client (1b70ca7b560918ec)\\ScreenConnect.ClientService.exe\n","Binary":""}} 
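As an added example (not part of the original post, and not NCC Group tooling), the following Python triages event records in the two shapes quoted on this page: the System-log service-installation record from the Persistence section, and the free-text Application-log messages written by the ScreenConnect client for file transfers and command execution. Three of the sample records are the events quoted above; the fourth is a constructed benign service install used as a control. The service-name list is the page's Execution list, which is a review list for this engagement rather than a general blocklist, since every entry is a legitimate product or Sysinternals component that attackers abuse. The session identifier in parentheses after "ScreenConnect Client" separates the two client installs seen on the page (7d2615d1049a2b63 and 1b70ca7b560918ec), which helps attribute activity to individual actor sessions.

```python
import json
import re
from typing import Optional

# Services this engagement attributed to the threat actor (the page's Execution list).
SUSPECT_SERVICES = {
    "Total Software Deployment Audit Service",
    "HWiNFO Kernel Driver",
    "ScreenConnect Client",
    "PSEXESVC",
    "AteraAgent",
    "WinRing0_1_2_0",
    "Splashtop® Remote Service",
}

# ScreenConnect client messages in Application.evtx, in the form shown on the page.
SC_CLIENT_RE = re.compile(r"ScreenConnect Client \((?P<session>[0-9a-f]+)\)")
SC_TRANSFER_RE = re.compile(
    r"^Transferred files with action '(?P<action>[^']+)':\n(?P<files>.*?)\n\nVersion:", re.S)
SC_COMMAND_RE = re.compile(r"^Executed command of length: (?P<length>\d+)")


def parse_service_install(record: dict) -> Optional[dict]:
    """Flatten the name/value 'Data' array of a service-installation record."""
    data = record.get("EventData", {}).get("Data")
    if not isinstance(data, list):
        return None
    fields = {d.get("@Name"): d.get("#text") for d in data if isinstance(d, dict)}
    return fields if "ServiceName" in fields else None


def parse_screenconnect(record: dict) -> Optional[dict]:
    """Parse the free-text message the ScreenConnect client writes to the Application log."""
    data = record.get("EventData", {}).get("Data")
    if not isinstance(data, str) or "ScreenConnect.ClientService.exe" not in data:
        return None
    m = SC_CLIENT_RE.search(data)
    out = {"kind": "other", "session": m.group("session") if m else None}
    m = SC_TRANSFER_RE.match(data)
    if m:
        out.update(kind="transfer", action=m.group("action"),
                   files=[f for f in m.group("files").split("\n") if f])
        return out
    m = SC_COMMAND_RE.match(data)
    if m:
        out.update(kind="command", length=int(m.group("length")))
    return out


def triage(records):
    """Return findings as (kind, detail, context) tuples, in record order."""
    findings = []
    for rec in records:
        svc = parse_service_install(rec)
        if svc is not None:
            if svc["ServiceName"] in SUSPECT_SERVICES:
                findings.append(("service_install", svc["ServiceName"], svc.get("ImagePath")))
            continue
        sc = parse_screenconnect(rec)
        if sc is None:
            continue
        if sc["kind"] == "transfer":
            for name in sc["files"]:
                findings.append(("screenconnect_transfer", name, sc["session"]))
        elif sc["kind"] == "command":
            findings.append(("screenconnect_command", sc["length"], sc["session"]))
    return findings


# Records 1, 3 and 4 are the events quoted on this page; record 2 is a constructed
# benign service install used as a control.
RAW_RECORDS = [
    r"""{"EventData":{"Data":[{"@Name":"ServiceName","#text":"Total Software Deployment Audit Service"},{"@Name":"ImagePath","#text":"\"%SystemRoot%\\TNIWINAGENT\\tniwinagent.exe\" /service /ip: /login:\"current\" /driver:2"},{"@Name":"ServiceType","#text":"user mode service"},{"@Name":"StartType","#text":"demand start"},{"@Name":"AccountName","#text":"LocalSystem"}]}}""",
    r"""{"EventData":{"Data":[{"@Name":"ServiceName","#text":"Windows Update Medic Service"},{"@Name":"ImagePath","#text":"C:\\Windows\\System32\\svchost.exe -k WaaSMedicSvc"},{"@Name":"AccountName","#text":"LocalSystem"}]}}""",
    r"""{"EventData":{"Data":"Transferred files with action 'Transfer':\nmimikatz.exe\n\nVersion: 23.4.5.8571\nExecutable Path: C:\\Program Files (x86)\\ScreenConnect Client (7d2615d1049a2b63)\\ScreenConnect.ClientService.exe\n","Binary":""}}""",
    r"""{"EventData":{"Data":"Executed command of length: 33\n\nVersion: 23.4.5.8571\nExecutable Path: C:\\Program Files (x86)\\ScreenConnect Client (1b70ca7b560918ec)\\ScreenConnect.ClientService.exe\n","Binary":""}}""",
]
SAMPLE_RECORDS = [json.loads(r) for r in RAW_RECORDS]

if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS):
        print(finding)
```

Running it yields one finding per suspect event: the Total Software Deployment service install with its image path, the mimikatz.exe transfer tied to session 7d2615d1049a2b63, and the length-33 command tied to session 1b70ca7b560918ec. Extend SUSPECT_SERVICES with what your own environment does not use, and feed it the JSON export of System.evtx (service installs) and Application.evtx (ScreenConnect and Splashtop messages).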

At the same time on another host, net.exe and net1.exe were executed. As net is often used by threat actors to gather system and network information, it is possible ScreenConnect was used to gather this type of information.   

Analysis of the ransomware executable min.exe found that the UUID was obtained using: wmic csproduct get UUID. 

Lateral Movement 

The threat actor executed PsExec.exe. BlackCat has been known to use PsExec to replicate itself across connected servers [6].  

Collection 

Data staging was conducted by the threat actor as multiple .zip files were created that are believed to have been exfiltrated.  

Additionally, one of the accounts compromised by the threat actor executed WinRAR. Across the time period of interest, folders on multiple drives were modified; the threat actor potentially accessed these folders.  

Command and Control 

Remote access applications, particularly ScreenConnect, were heavily utilised by the threat actor. ScreenConnect was used to start remote sessions, execute commands and transfer files. The threat actor transferred the following files: mimikatz.exe, MEGAsyncSetup64.exe, tsd-setup.exe, 121.msi* and 212.msi*.  

*Note: Could not be recovered for analysis.   

Atera and Splashtop were also observed: 

  • c:\program files (x86)\atera networks\ateraagent\ateraagent.exe. 
  • Services: AteraAgent and WinRing0_1_2_0  
  • C:\Windows\Temp\SplashtopStreamer.exe

Atera is used for remote monitoring and management and the Atera Agent is required for hosts to be monitored. It is likely Atera was used for persistence.  

Splashtop allows hosts to be remotely accessed and was likely used for persistence especially as the Splashtop® Remote Service was observed going online. Splashtop events are also located in Application.evtx.  

Exfiltration 

Data staging was observed as a technique used by the threat actor. Multiple .zip files were created at the same time within C:\PerfLogs. It is believed these .zip files were exfiltrated.  

For one of the compromised accounts, WinRAR was observed C:\Users\\Desktop\winrar-x64-621.exe. It is possible this utility was used for data exfiltration. 

MEGAsync is a legitimate cloud storage solution, however, it is often used by threat actors for exfiltrating data. Due to its presence in the victim’s environment, it is highly likely the threat actor used MEGA to exfiltrate data.  

MEGA was observed to once reside in the following locations: 

  • C:\Users\\AppData\Local\MEGAsync\MEGAsync.exe 
  • C:\Users\\Documents\ConnectWiseControl\Files\MEGAsyncSetup64.exe 
  • C:\Users\\Downloads\MEGAsyncSetup64.exe

Additionally, MEGA-related strings were recovered from the encrypted VMDKs: 

  • MEGAsyncSetup64.exe 
  • MEGAsync.exe 
  • MEGA Website.lnk 
  • MEGAsync.cfg.bak 
  • MEGAsync.log 
  • MEGAsync Update Task [SID] 
  • MEGAsync.lnk

Impact 

BlackCat ransomware was deployed to the affected domain in the form of min.exe. Data was encrypted and .dujcsfd was appended to files. A ransom note was dropped onto the compromised Windows servers.  

min.exe 

PsExec was highly likely used to distribute the ransomware across the affected domain as BlackCat has a built-in PsExec module [7].  

Additionally, min.exe had the following command line options: 

  • access-token: Access token. 
  • paths: Only process files inside defined paths 
  • no-net: Do not discover network shares on Windows. 
  • no-prop : Do not self propagate (worm) on Windows. 
  • no-wall: Do not update desktop wallpaper on Windows. 
  • no-impers: Do not spawn impersonated processes on Windows. 
  • no-vm-kill: Do not stop VMs on ESXi. 
  • no-vm-snapshot-kill: Do not wipe VM snapshots on ESXi. 
  • no-vm-kill-names: Do not stop defined VMs on ESXi. 
  • sleep-restart: Sleep for duration in seconds after successful run and then restart. 
  • sleep-restart-duration: Keep soft persistence alive for duration in seconds (24 hours by default). 
  • sleep-restart-until: Keep soft persistence alive until defined UTC time in millis. (Defaults to 24 hours since launch). 
  • no-prop-servers: Do not propagate to defined servers. 
  • prop-file: Propagate specified file. 
  • drop-drag-and-drop-target: Drop drag and drop target batch file. 
  • drag-and-drop: Invoked with drag and drop. 
  • log-file: Enable logging to specified file. 
  • verbose: Log to console. 
  • extra-verbose: Log more to console.  
  • ui: Show user interface. 
  • safeboot: Reboot in Safe Mode before running on Windows. 
  • safeboot-network: Reboot in Safe Mode with Networking before running on Windows. 
  • safeboot-instance: Run as safeboot instance on Windows. 
  • propagated: Run as propagated process. 
  • child: Run as child process.  
  • bypass: Run as elevated process.  

The configuration of min.exe contained 23 elements [8]: 

  • config_id: Configuration ID 
  • extension: File extension appended to files.  
  • public_key: RSA public key. 
  • note_file_name: The file name of the ransom note.  
  • note_full_text: The ransom note in full.  
  • note_short_text: A shorter version of the ransom note.  
  • credentials: Credentials used by BlackCat for propagation. 
  • default_file_mode: File encryption mode.  
  • default_file_cipher: File encryption cipher.  
  • kill_services: The services to terminate.  
  • kill_processes: The processes to terminate.  
  • exclude_directory_names: Does not encrypt the defined directories.   
  • exclude_file_names: Does not encrypt the defined files. 
  • exclude_file_extensions: Does not encrypt the defined extensions.  
  • exclude_file_path_wildcard: Does not encrypt the defined file paths.  
  • enable_network_discovery: Enable network discovery. 
  • enable_self_propagation: Enable self propagation.  
  • enable_set_wallpaper: Enable the desktop wallpaper to be changed.
  • enable_esxi_vm_kill: Enable VM termination on ESXi. 
  • enable_esxi_vm_snapshot_kill: Enable snapshot deletion on ESXi. 
  • strict_include_paths: Hardcoded file paths to encrypt. 
  • esxi_vm_kill_exclude: VMs to exclude from termination on ESXi hosts.  
  • sleep_restart: Sleep time before restarting.

Some of the directories excluded from encryption (exclude_directory_names) include:  

  • $windows.~bt 
  • windows 
  • windows.old 
  • system volume information 
  • boot 

The files below are some of those in the file name exclusion list (exclude_file_names): 

  • ntuser.dat 
  • autorun.inf 
  • boot.ini 
  • desktop.ini 

Below are some of the extensions (exclude_file_extensions) that are not encrypted: 

  • exe 
  • drv 
  • msc 
  • dll 
  • lock 
  • sys 
  • msu 
  • lnk

T1489 – Service Stop [9] 

min.exe uses kill_services to stop services matching the following names, releasing the file locks held by backup, database and mail services so their data can be encrypted:  

  • memtas 
  • veeam 
  • svc$ 
  • backup 
  • sql 
  • vss 
  • msexchange 

Additionally, kill_processes is used to terminate various processes, including but not limited to:  

  • excel 
  • firefox 
  • infopath 
  • isqlplussvc 
  • msaccess 
  • mspub 
  • mydesktopqos 
  • mydesktopservice 
  • notepad 
  • ocautoupds
  • ocomm 
  • ocssd 
  • onenote 
  • oracle 
  • outlook
  • powerpnt 
  • sqbcoreservice 
  • steam 
  • synctime 
  • tbirdconfig
  • thebat 
  • thunderbird 
  • visio 
  • winword 
  • wordpad 
  • xfssvccon 

T1490 – Inhibit System Recovery 

Various backups were modified by the threat actor using an already existing domain administrator account and subsequently, backups were then deleted. 

Analysis of the ransomware executable, min.exe, indicated that BlackCat uses the below Windows utilities to inhibit system recovery: 

Windows Utility | Description 
wmic.exe Shadowcopy Delete | Deletes volume shadow copies 
iisreset.exe /stop | Stops all running IIS services 
bcdedit /set recoveryenabled No | Disables Windows recovery in the boot configuration data 
vssadmin.exe Delete Shadows /all /quiet | Deletes all volume shadow copies 
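As an added example, not taken from the original post, the following Python runs the four commands in the table above, together with the wevtutil, fsutil and LanmanServer registry modifications from the Defence Evasion section, as patterns over process-creation telemetry and flags a host on which several distinct recovery-inhibition commands appear close together. The event records are constructed for the example (the host/ts/parent/cmdline field names are assumptions, not a real telemetry schema), and the MaxMpxCt value name in the sample reg command comes from public BlackCat analysis [3] rather than from this engagement. The patterns are deliberately loose because BlackCat composes these command lines itself and telemetry products normalise them differently.

```python
import re
from collections import defaultdict

# (technique, label, pattern): recovery-inhibition and evasion commands from the page.
# Case-insensitive and tolerant of "tool"/"tool.exe" and of extra arguments.
RULES = [
    ("T1490", "wmic shadowcopy delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("T1490", "vssadmin delete shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("T1490", "bcdedit recoveryenabled no",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("T1490", "iisreset /stop",
     re.compile(r"\biisreset(\.exe)?\b.*/stop\b", re.I)),
    ("T1070.001", "wevtutil cl",
     re.compile(r"\bwevtutil(\.exe)?\b\s+cl\b", re.I)),
    ("T1222.001", "fsutil SymlinkEvaluation R2R:1",
     re.compile(r"\bfsutil(\.exe)?\b.*\bsymlinkevaluation\b.*\br2r:1\b", re.I)),
    ("T1112", "reg add LanmanServer\\Parameters",
     re.compile(r"\breg(\.exe)?\b\s+add\b.*\blanmanserver\\parameters\b", re.I)),
]


def match_command(cmdline):
    """Return the (technique, label) pairs whose pattern matches one command line."""
    return [(tid, label) for tid, label, rx in RULES if rx.search(cmdline)]


def triage(events, min_distinct_t1490=2):
    """Group rule hits per host and flag hosts showing a pre-encryption sequence.

    A host is flagged when at least min_distinct_t1490 *different* recovery-inhibition
    commands were seen on it: one 'vssadmin delete shadows' is routine housekeeping,
    but the set in the page's table appearing together is the ransomware's own run-up.
    Returns (hits_per_host, flagged_hosts).
    """
    per_host = defaultdict(list)
    for ev in events:
        for tid, label in match_command(ev["cmdline"]):
            per_host[ev["host"]].append((ev["ts"], ev["parent"], tid, label))
    flagged = set()
    for host, hits in per_host.items():
        t1490_labels = {label for _, _, tid, label in hits if tid == "T1490"}
        if len(t1490_labels) >= min_distinct_t1490:
            flagged.add(host)
    return dict(per_host), flagged


# Constructed sample telemetry (not from the engagement); field names are assumptions.
SAMPLE_EVENTS = [
    {"host": "SRV01", "ts": "2023-08-01T02:10:01Z", "parent": "min.exe",
     "cmdline": "wmic.exe Shadowcopy Delete"},
    {"host": "SRV01", "ts": "2023-08-01T02:10:02Z", "parent": "min.exe",
     "cmdline": "vssadmin.exe Delete Shadows /all /quiet"},
    {"host": "SRV01", "ts": "2023-08-01T02:10:03Z", "parent": "min.exe",
     "cmdline": "bcdedit /set recoveryenabled No"},
    {"host": "SRV01", "ts": "2023-08-01T02:10:04Z", "parent": "min.exe",
     "cmdline": "iisreset.exe /stop"},
    {"host": "SRV01", "ts": "2023-08-01T02:10:05Z", "parent": "min.exe",
     "cmdline": "wevtutil.exe cl System"},
    {"host": "SRV01", "ts": "2023-08-01T02:10:06Z", "parent": "min.exe",
     "cmdline": "fsutil behavior set SymlinkEvaluation R2R:1"},
    {"host": "SRV01", "ts": "2023-08-01T02:10:07Z", "parent": "min.exe",
     "cmdline": r"reg add HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f"},
    # Another host: a single shadow-copy cleanup and a WMI query, neither flagged.
    {"host": "WS07", "ts": "2023-08-01T09:00:00Z", "parent": "cmd.exe",
     "cmdline": "vssadmin.exe Delete Shadows /for=C: /oldest"},
    {"host": "WS07", "ts": "2023-08-01T09:00:30Z", "parent": "cmd.exe",
     "cmdline": "wmic csproduct get UUID"},
]

if __name__ == "__main__":
    hits, flagged = triage(SAMPLE_EVENTS)
    for host in sorted(hits):
        marker = "FLAGGED" if host in flagged else "ok"
        print(f"{host}: {len(hits[host])} rule hits [{marker}]")
        for ts, parent, tid, label in hits[host]:
            print(f"  {ts} {parent:<8} {tid:<9} {label}")
```

On the sample feed SRV01 collects seven hits, four of them distinct T1490 commands, and is flagged; WS07 gets a single vssadmin hit and is not. In production the parent process is the stronger signal than any one command: all seven SRV01 lines share the same unsigned parent, which is exactly the relationship the page describes between min.exe and these utilities.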

T1491.001 – Defacement: Internal Defacement 

A desktop wallpaper, RECOVER-dujcsfd-FILES.txt.png, was dropped on some of the compromised Windows servers. 

Indicators of Compromise 

IOC Value | Indicator Type | Description 
7282dad776ad387028ae7b6d359b2d2d0b17af0e | SHA1 | C:\PerfLogs\min.exe (ransomware executable) 
3E2272B916DA4BE3C120D17490423230AB62C174 | SHA1 | C:\PerfLogs\PsExec.exe 
DA39A3EE5E6B4B0D3255BFEF95601890AFD80709 | SHA1 | C:\PerfLogs\Veeam-Get-Creds.ps1 (this value is the SHA1 of a zero-byte file, so the recovered copy was empty; hunt on the path and script name rather than on this hash) 
C:\Users\\Downloads\MEGAsyncSetup64.exe | File Path | MEGA 
C:\Program Files (x86)\ScreenConnect Client; C:\Program Files (x86)\Splashtop; C:\Program Files\ATERA Networks | File Path | Remote access applications 
C:\Users\\Documents\ConnectWiseControl\Files\mimikatz.exe; C:\Users\\Documents\ConnectWiseControl\Files\MEGAsyncSetup64.exe; C:\Users\\Documents\ConnectWiseControl\Files\tsd-setup.exe | File Path | Files transferred using ScreenConnect 

MITRE ATT&CK® 

Tactic | Technique | ID | Description 
Execution | Windows Management Instrumentation | T1047 | wmic.exe is used to delete shadow copies. 
Execution | System Services: Service Execution | T1569.002 | Various services installed. 
Persistence | Create Account: Local Account | T1136.001 | Creation of new accounts. 
Persistence | Create or Modify System Process: Windows Service | T1543.003 | Total Software Deployment installed as a new service. 
Defense Evasion | Indicator Removal: Clear Windows Event Logs | T1070.001 | Cleared logs. The ransomware payload uses wevtutil.exe cl. 
Defense Evasion | Indicator Removal: File Deletion | T1070.004 | The ransomware executable was deleted. 
Defense Evasion | Modify Registry | T1112 | Modification of the LanmanServer\Parameters registry key by the ransomware payload. 
Defense Evasion | File and Directory Permissions Modification: Windows File and Directory Permissions Modification | T1222.001 | fsutil used to enable remote-to-remote symbolic link evaluation. 
Credential Access | OS Credential Dumping | T1003 | PowerShell script used to retrieve Veeam credentials. 
Credential Access | OS Credential Dumping: LSASS Memory | T1003.001 | Mimikatz. 
Credential Access | OS Credential Dumping: NTDS | T1003.003 | Impacket used to dump NTDS.dit. 
Discovery | Remote System Discovery | T1018 | Ping usage. 
Discovery | System Owner/User Discovery | T1033 | Using ScreenConnect to execute commands. 
Discovery | System Information Discovery | T1082 | Obtaining the UUID. 
Lateral Movement | Lateral Tool Transfer | T1570 | Execution of PsExec to move laterally. 
Collection | Data Staged: Local Data Staging | T1074.001 | Creation of multiple .zip files. 
Collection | Archive Collected Data: Archive via Utility | T1560.001 | Observation of WinRAR. 
Command and Control | Remote Access Software | T1219 | Presence of ScreenConnect, Atera and Splashtop. 
Exfiltration | Data Staged: Local Data Staging | T1074.001 | Multiple .zip files within C:\PerfLogs. 
Exfiltration | Exfiltration Over Web Service: Exfiltration to Cloud Storage | T1567.002 | Presence of MEGAsync. 
Impact | Data Encrypted for Impact | T1486 | Deployment of BlackCat ransomware. 
Impact | Inhibit System Recovery | T1490 | Modification/deletion of backups; deletion of volume shadow copies; stopping of running IIS services; modification of the boot configuration data. 
Impact | Defacement: Internal Defacement | T1491.001 | RECOVER-dujcsfd-FILES.txt.png was dropped as the desktop wallpaper. 

References 

[1] https://www.bleepingcomputer.com/news/security/new-donut-leaks-extortion-gang-linked-to-recent-ransomware-attacks/ 

[2] https://www.bleepingcomputer.com/news/security/donut-extortion-group-also-targets-victims-with-ransomware/ 

[3] https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/ 

[4] https://www.bleepingcomputer.com/news/security/alphv-blackcat-this-years-most-sophisticated-ransomware/ 

[5] https://twitter.com/MsftSecIntel/status/1692212191536066800 

[6] https://attack.mitre.org/software/S1068/  

[7] https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackcat  

[8] https://www.netskope.com/blog/blackcat-ransomware-tactics-and-techniques-from-a-targeted-attack 

[9] https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/ 

RIFT: Research and Intelligence Fusion Team

RIFT leverages our strategic analysis, data science, and threat hunting capabilities to create actionable threat intelligence, ranging from IoCs and detection capabilities to strategic reports on tomorrow’s threat landscape. Cyber security is an arms race where both attackers and defenders continually update and improve their tools and ways of working. To ensure that our managed services remain effective against the latest threats, NCC Group operates a Global Fusion Center with Fox-IT at its core. This multidisciplinary team converts our leading cyber threat intelligence into powerful detection strategies.