Improved BlackCat Ransomware Strikes with Lightning Speed and Stealthy Tactics

June 1, 2023 | Ravi Lakshmanan | Endpoint Security / Encryption


The attackers behind BlackCat ransomware have come up with an improved variant that prioritizes speed and stealth to bypass security guardrails and achieve their goals.

The new version, dubbed Sphynx, was announced in February 2023 and, according to a new analysis by IBM Security X-Force, is packed with "numerous updated features that enhance the group's efforts to evade detection."

The product updates were first highlighted by vx-underground in April 2023. Last month, Trend Micro detailed a Linux version of Sphynx that is "primarily focused on cryptographic routines."

BlackCat (also known as ALPHV and Noberus) was the first Rust-language-based ransomware strain discovered in the wild. Active since November 2021, it has emerged as a formidable ransomware attacker, having hit over 350 targets as of May 2023.

Like other ransomware-as-a-service (RaaS) operations, the group deploys custom data exfiltration tools such as ExMatter to siphon sensitive data before encryption and is known to run a double extortion scheme.

Initial access to a targeted network is typically obtained through a network of actors known as Initial Access Brokers (IABs), who use off-the-shelf information stealer malware to harvest legitimate credentials.


BlackCat has also been observed to overlap with the now-defunct BlackMatter ransomware family, according to Cisco Talos and Kaspersky.

The findings offer a window into an ever-evolving cybercriminal ecosystem in which threat actors refine their tools and tactics not only to thwart detection and evade analysis, but also to increase the likelihood of a successful breach.

Specifically, the Sphynx version of BlackCat incorporates junk code and encrypted strings, as well as reworked command line arguments passed to the binary.

Sphynx also has a built-in loader that decrypts the ransomware payload, performs network discovery at runtime to look for additional systems, removes volume shadow copies, encrypts files, and finally drops a ransom note.
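Because junk code and encrypted strings blunt static signatures, defenders tend to key on the behaviour described above, such as the removal of volume shadow copies. The following is an added example, not code from the article or from IBM or Trend Micro: a small Python detector run over constructed Sysmon-style process-creation events (the field names are an assumption).

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style).
# These are illustrative and not taken from any real BlackCat sample.
SAMPLE_EVENTS = [
    {"ts": "2023-06-01T10:14:02Z", "host": "FS01", "user": "CORP\\svc_backup",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2023-06-01T10:14:05Z", "host": "FS01", "user": "CORP\\svc_backup",
     "cmdline": "wmic shadowcopy delete"},
    {"ts": "2023-06-01T10:16:30Z", "host": "WS22", "user": "CORP\\bob",
     "cmdline": "powershell.exe -c \"Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }\""},
    {"ts": "2023-06-01T10:20:11Z", "host": "WS17", "user": "CORP\\alice",
     "cmdline": "vssadmin.exe list shadows"},
    {"ts": "2023-06-01T10:21:40Z", "host": "WS17", "user": "CORP\\alice",
     "cmdline": "\"notepad++.exe\" notes.txt"},
]

# Behavioural patterns for shadow-copy removal. They are matched on the
# command line rather than the image path, because a renamed or side-loaded
# binary keeps the same arguments. Matching is case-insensitive.
SHADOW_COPY_DELETION = [
    ("vssadmin_delete_shadows",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("powershell_win32_shadowcopy_delete",
     re.compile(r"win32_shadowcopy.*\.delete\(\)", re.I)),
]

def detect_shadow_copy_deletion(events):
    """Return (rule_name, event) pairs for every event whose command line
    matches a shadow-copy deletion pattern. Merely listing shadow copies
    is benign administrative activity and is deliberately not matched."""
    hits = []
    for ev in events:
        for name, pattern in SHADOW_COPY_DELETION:
            if pattern.search(ev.get("cmdline", "")):
                hits.append((name, ev))
                break  # one alert per event is enough
    return hits

if __name__ == "__main__":
    for rule, ev in detect_shadow_copy_deletion(SAMPLE_EVENTS):
        print(f"{ev['ts']} {ev['host']} {ev['user']}: {rule} <- {ev['cmdline']}")
```

In practice a hit on a file server from a service account, followed shortly by mass file renames, is the sequence worth paging on.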


Despite law enforcement campaigns against cybercrime and ransomware groups, the continued shifts in strategy show that BlackCat remains an active threat to organizations, with "no signs of slowing down."

[Image source: WithSecure]

Finnish cybersecurity firm WithSecure explained in a recent study how illicit proceeds associated with ransomware attacks have led to the emergence of “cybercrime specialization” and new supporting underground services.

“Many major ransomware groups operate a service provider or RaaS model, providing tools and expertise to affiliates in return for a cut in profits,” the company said.

"These interests will facilitate the rapid development of the service industry, providing all the tools and services an emerging threat group may need, and thanks to cryptocurrencies and dark web routing services, it will be easier for them to get involved. Different groups can now anonymously buy and sell 'services' and access their benefits."
