Unveiling the Dark Side: A Deep Dive into Active Ransomware Families 

Not so lucky: BlackCat is back! 

Authors: Alex Jessop @ThisIsFineChief , Molly Dewis 

While the main trend in the cyber threat landscape in recent months has been MoveIt and Cl0p, NCC Groups’ Cyber Incident Response Team have also been handling multiple different ransomware groups over the same period.  

In the ever-evolving cybersecurity landscape, one consistent trend witnessed in recent years is the unsettling rise in ransomware attacks. These nefarious acts of digital extortion have left countless victims scrambling to safeguard their data, resources, and even their livelihoods. To counter this threat, every person in the cyber security theatre has a responsibility to shine light on current threat actor Tactics, Techniques and Procedures (TTP’S) to assist in improving defences and the overall threat landscape. 

 This series will  focus on TTP’s deployed by four ransomware families recently observed during NCC Group’s incident response engagements. The ransomware families that will be explored are: 

1. BlackCat – Also known as ALPHV, first observed in 2021, is a Ransomware-as-a-Service (Raas) often using the double extortion method for monetary gain.  

2. Donut –The D0nut extortion group was first reported in August 2022 [1] for breaching networks and demanding ransoms in return for not leaking stolen data. A few months later, reports of the group utilizing encryption as well as data exfiltration were released with speculation that the ransomware deployed by the group was linked to HelloXD ransomware [2]. There is also suspected links between D0nut affiliates and both Hive and Ragnar Locker ransomware operations.  

3. Medusa – Not to be confused with MedusaLocker, Medusa was first observed in 2021, is a Ransomware-as-a-Service (RaaS) often using the double extortion method for monetary gain. In 2023 the groups’ activity increased with the launch of the ‘Medusa Blog’. This platform serves as a tool for leaking data belonging to victims. 

4. NoEscape – At the end of May 2023, a newly emerged Ransomware-as-a-Service (RaaS) was observed on a cybercrime forum named NoEscape. 

Join us as we delve into the inner workings of these ransomware families, gaining a  better understanding of their motivations, attack vectors and TTPS. 

To begin our deep dive we will start with…  

Not so lucky: BlackCat is back! 

Summary

This first post will delve into a recent incident response engagement handled by NCC Group’s Cyber Incident Response Team (CIRT) involving BlackCat Ransomware.  

Below provides a summary of findings which are presented in this blog post: 

• Installation of various services. 
• Creation of new accounts. 
• Modification and deletion activity.  
• Credential dumping activity. 
• Use of remote access applications. 
• Data staging. 
• Presence of MEGAsync.  
• Analysis of the ransomware executable.

BlackCat

BlackCat ransomware, also known as ALPHV, is a Rust-based variant that was first seen in November 2021. BlackCat has been provided as a ransomware-as-a-service (RaaS) model and is an example of a double-extortion ransomware where data once encrypted, is exfiltrated and the victim is threatened to have their data published if the ransom is not paid [1]. The group behind BlackCat ransomware can be characterised as financially motivated. BlackCat ransomware targets no specific industry and has the capability to encrypt both Windows and Linux hosts. BlackCat ransomware uses AES to encrypt files or ChaCha20 if AES is not supported due to the hardware of the system [4].  

Incident Overview  

In this incident, the initial access vector was unknown. Prior to the execution of the ransomware, a wide variety of activity was observed such as the installation of new services, creation of new accounts and data staging. Data was believed to have been exfiltrated due to the techniques employed, however, no data was published to the leak site.  

Mitre TTPs  

Execution 

The threat actor installed various new services: 

• Total Software Deployment Audit Service 
• HWiNFO Kernel Driver 
• ScreenConnect Client 
• PSEXESVC 
• AteraAgent 
• WinRing0_1_2_0 
• Splashtop® Remote Service

Additionally, BlackCat ransomware uses wmic.exe Shadowcopy Deleteshadow_copy to delete shadow copies.  

Persistence 

Maintaining access to the victim’s environment was achieved by the threat actor creating a new Administrator account and a new default admin user, azure.  

Additionally, a Total Software Deployment Audit Service Windows service was installed (see below); likely to maintain persistence on the affected host. Total Software Deployment supports group deployment, maintenance, and uninstallation of software packages. BlackCat ransomware is known to use Total Software Deployment [3]. 

{“EventData”:{“Data”:[{“@Name”:”ServiceName”,”#text”:”Total Software Deployment Audit Service”},{“@Name”:”ImagePath”,”#text”:”\”%SystemRoot%\\TNIWINAGENT\\tniwinagent.exe\” /service /ip: /login:\”current\” /driver:2″},{“@Name”:”ServiceType”,”#text”:”user mode service”},{“@Name”:”StartType”,”#text”:”demand start”},{“@Name”:”AccountName”,”#text”:”LocalSystem”}]}} 

Defence Evasion 

The threat actor utilised various techniques to hide their tracks and evade detection: 

• Using an already existing administrator account to clear the following log files: 
  • System 
  • Windows PowerShell 
  • WitnessClientAdmin 
• The ransomware payload, min.exe, used wevtutil.exe cl. 
• Deleting the ransomware executable from C:\Users\azure\Desktop\min.exe. 
• The ransomware payload, min.exe, had the capability to add this registry key to maintain persistence: 
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters.
• The ransomware payload, min.exe, using fsutil behavior set SymlinkEvaluation R2R:1 to redirect file system access to a different location once access to the network is gained.

Credential Access 

Various techniques to gather credentials were employed by the threat actor.  

Due to the presence of Veeam in the victim’s environment, C:\PerfLogs\Veeam-Get-Creds.ps1 below was leveraged to recover passwords used by Veeam to connect to remote hosts.  

# About:  The script is designed to recover passwords used by Veeam to connect #         to remote hosts vSphere, Hyper-V, etc. The script is intended for  #         demonstration and academic purposes. Use with permission from the  #         system owner. # # Author: Konstantin Burov. # # Usage:  Run as administrator (elevated) in PowerShell on a host in a Veeam  #         server.  Add-Type -assembly System.Security  #Searching for connection parameters in the registry try {  $VeaamRegPath = "HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication\"  $SqlDatabaseName = (Get-ItemProperty -Path $VeaamRegPath -ErrorAction Stop).SqlDatabaseName   $SqlInstanceName = (Get-ItemProperty -Path $VeaamRegPath -ErrorAction Stop).SqlInstanceName  $SqlServerName = (Get-ItemProperty -Path $VeaamRegPath -ErrorAction Stop).SqlServerName } catch {  echo "Can't find Veeam on localhost, try running as Administrator"  exit -1 }  "" "Found Veeam DB on " + $SqlServerName + "\" + $SqlInstanceName + "@ 

{  $EnryptedPWD = [Convert]::FromBase64String($_.password)  $ClearPWD = [System.Security.Cryptography.ProtectedData]::Unprotect( $EnryptedPWD, $null, [System.Security.Cryptography.DataProtectionScope]::LocalMachine )  $enc = [system.text.encoding]::Default  $_.password = $enc.GetString($ClearPWD) } 

Additionally, the threat actor used ScreenConnect to transfer Mimikatz to a compromised host (see below).  

{"EventData":{"Data":"Transferred files with action 'Transfer':\nmimikatz.exe\n\nVersion: 23.4.5.8571\nExecutable Path: C:\\Program Files (x86)\\ScreenConnect Client (7d2615d1049a2b63)\\ScreenConnect.ClientService.exe\n","Binary":""}} 

Events like the above and any others related to ScreenConnect activity can be found in Application.evtx.  

Subsequently, evidence of a file named mimikatz.log was observed. It is highly likely Mimikatz was leveraged by the threat actor to harvest credentials.  

Finally, it is likely the threat actor enumerated C:\Windows\NTDS\ntds.dit as the following files were created: 1.txt.ntds, 1.txt.ntds.kerberos, 1.txt.ntds.cleartext. These files are from using Impacket [5].  

Discovery 

The threat actor used ScreenConnect to execute commands like ping ..local. In some instances, the commands executed were not specified (see below) but a length of 33 can mean commands have been manually executed.  

{"EventData":{"Data":"Executed command of length: 33\n\nVersion: 23.4.5.8571\nExecutable Path: C:\\Program Files (x86)\\ScreenConnect Client (1b70ca7b560918ec)\\ScreenConnect.ClientService.exe\n","Binary":""}} 

At the same time on another host, net.exe and net1.exe were executed. As net is often used by threat actors to gather system and network information, it is possible ScreenConnect was used to gather this type of information.   

Analysis of the ransomware executable min.exe found that the UUID was obtained using: wmic csproduct get UUID. 

Lateral Movement 

The threat actor executed PsExec.exe. BlackCat has been known to use PsExec to replicate itself across connected servers [6].  

Collection 

Data staging was conducted by the threat actor as multiple .zip files were created that are believed to have been exfiltrated.  

Additionally, one of the accounts compromised by the threat actor executed WinRAR. Across the time period of interest, folders on multiple drives were modified; the threat actor potentially accessed these folders.  

Command and Control 

Remote access applications, particularly ScreenConnect, were heavily utilised by the threat actor. ScreenConnect was used to start remote sessions, execute commands and transfer files. The threat actor transferred the following files: mimikatz.exe, MEGAsyncSetup64.exe, tsd-setup.exe, 121.msi* and 212.msi*.  

*Note: Could not be recovered for analysis.   

Atera and Splashtop were also observed: 

• c:\program files (x86)\atera networks\ateraagent\ateraagent.exe. 
• Services: AteraAgent and WinRing0_1_2_0  
• C:\Windows\Temp\SplashtopStreamer.exe

Atera is used for remote monitoring and management and the Atera Agent is required for hosts to be monitored. It is likely Atera was used for persistence.  

Splashtop allows hosts to be remotely accessed and was likely used for persistence especially as the Splashtop® Remote Service was observed going online. Splashtop events are also located in Application.evtx.  

Exfiltration 

Data staging was observed as a technique used by the threat actor. Multiple .zip files were created at the same time within C:\PerfLogs. It is believed these .zip files were exfiltrated.  

For one of the compromised accounts, WinRAR was observed C:\Users\\Desktop\winrar-x64-621.exe. It is possible this utility was used for data exfiltration. 

MEGAsync is a legitimate cloud storage solution, however, it is often used by threat actors for exfiltrating data. Due to its presence in the victim’s environment, it is highly likely the threat actor used MEGA to exfiltrate data.  

MEGA was observed to once reside in the following locations: 

• C:\Users\\AppData\Local\MEGAsync\MEGAsync.exe 
• C:\Users\\Documents\ConnectWiseControl\Files\MEGAsyncSetup64.exe 
• C:\Users\\Downloads\MEGAsyncSetup64.exe

Additionally, MEGA-related strings were recovered from the encrypted VMDKs: 

• MEGAsyncSetup64.exe 
• MEGAsync.exe 
• MEGA Website.lnk 
• MEGAsync.cfg.bak 
• MEGAsync.log 
• MEGAsync Update Task [SID] 
• MEGAsync.lnk

Impact 

BlackCat ransomware was deployed to the affected domain in the form of min.exe. Data was encrypted and .dujcsfd was appended to files. A ransom note was dropped onto the compromised Windows servers.  

min.exe 

PsExec was highly likely used to distribute the ransomware across the affected domain as BlackCat has a built-in PsExec module [7].  

Additionally, min.exe had the following command line options: 

• access-token: Access token. 
• paths: Only process files inside defined paths 
• no-net: Do not discover network shares on Windows. 
• no-prop : Do not self propagate (worm) on Windows. 
• no-wall: Do not update desktop wallpaper on Windows. 
• no-impers: Do not spawn impersonated processes on Windows. 
• no-vm-kill: Do not stop VMs on ESXI. 
• no-vm-snapshot-kill: Do not wipe VMs snapshots on EXSI. 
• no-vm-kill-names: Do not stop defined VMs on EXSI. 
• sleep-restart: Sleep for duration in seconds after successful run and then restart. 
• sleep-restart-duration: Keep soft persistence alive for duration in second. (24 hours by default). 
• sleep-restart-until: Keep soft persistence alive until defined UTC time in millis. (Defaults to 24 hours since launch). 
• no-prop-servers: Do not propagate to defined servers. 
• prop-file: Propagate specified file. 
• drop-drag-and-drop-target: Drop drag and drop target batch file. 
• drag-and-drop: Invoked with drag and drop. 
• log-file: Enable logging to specified file. 
• verbose: Log to console. 
• extra-verbose: Log more to console.  
• ui: Show user interface. 
• safeboot: Reboot in Safe Mode before running on Windows. 
• safeboot-network: Reboot in Safe Mode with Networking before running on Windows. 
• safeboot-instance: Run as safeboot instance on Windows. 
• propagated: Run as propagated process. 
• child: Run as child process.  
• bypass: Run as elevated process.  

The configuration of min.exe contained 23 elements [8]: 

• config_id: Configuration ID 
• extension: File extension appended to files.  
• public_key: RSA public key. 
• note_file_name: The file name of the ransom note.  
• note_full_text: The ransom note in full.  
• note_short_text: A shorter version of the ransom note.  
• Credentials: Credentials used by BlackCat. 
• default_file_mode: File encryption mode.  
• default_file_cipher: File encryption cipher.  
• kill_services: The services to terminate.  
• kill_processes: The processes to terminate.  
• exclude_directory_names: Does not encrypt the defined directories.   
• exclude_file_names: Does not encrypt the defined files. 
• exclude_file_extensions: Does not encrypt the defined extensions.  
• exclude_file_path_wildcard: Does not encrypt the defined file paths.  
• enable_network_discovery: Enable network discovery. 
• enable_self_propagation: Enable self propagation.  
• enable_set_wallpaper: Enable the desktop wallpaper to be changed.
• enable_esxi_vm_kill: Enable VM termination on EXSI. 
• enable_esxi_vm_snapshot_kill: Enable snapshot deletion on ESXI. 
• strict_include_paths: Hardcoded file paths to encrypt. 
• esxi_vm_kill_exclude: VMs to cluse on EXSI hosts.  
• sleep_restart: Sleep time before restarting.

Some of the files not encrypted include:  

• $windows.~bt 
• windows 
• windows.old 
• system volume information 
• boot 

The files below are some of the files included in the file name exclusion list: 

• ntuser.dat 
• autorun.inf 
• boot.ini 
• desktop.ini 

Below are some of the defined extensions that are not encrypted: 

• exe 
• drv 
• msc 
• dll 
• lock 
• sys 
• msu 
• lnk

T1489 – Service Stop [9] 

min.exe uses kill_processes to stop the following processes:  

• memtas 
• veeam 
• svc$ 
• backup 
• sql 
• vss 
• msexchange 

Additionally, kill_services is used to stop various services including but not limited to:  

• excel 
• firefox 
• infopath 
• isqlplussvc 
• msaccess 
• mspub 
• mydesktopqos 
• mydesktopservice 
• notepad 
• ocautoupds
• ocomm 
• ocssd 
• onenote 
• oracle 
• outlook
• powerpnt 
• sqbcoreservice 
• steam 
• synctime 
• tbirdconfig
• thebat 
• thunderbird 
• visio 
• winword 
• wordpad 
• xfssvccon 

T1490 – Inhibit System Recovery 

Various backups were modified by the threat actor using an already existing domain administrator account and subsequently, backups were then deleted. 

Analysis of the ransomware executable, min.exe, indicated that BlackCat uses the below Windows utilities to inhibit system recovery: 

T1491.001 – Defacement: Internal Defacement 

A desktop wallpaper, RECOVER-dujcsfd-FILES.txt.png, was dropped on some of the compromised Windows servers. 

Indicators of Compromise 

MITRE ATT CK® 

References 

[1] https://www.bleepingcomputer.com/news/security/new-donut-leaks-extortion-gang-linked-to-recent-ransomware-attacks/ 

[2] https://www.bleepingcomputer.com/news/security/donut-extortion-group-also-targets-victims-with-ransomware/ ;

[3] https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/ 

[4] https://www.bleepingcomputer.com/news/security/alphv-blackcat-this-years-most-sophisticated-ransomware/ 

[5] https://twitter.com/MsftSecIntel/status/1692212191536066800 

[6] https://attack.mitre.org/software/S1068/  

[7] https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackcat  

[8] https://www.netskope.com/blog/blackcat-ransomware-tactics-and-techniques-from-a-targeted-attack 

[9] https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/