
Microsoft Discovers New Version of BlackCat Ransomware

Microsoft has uncovered a new version of the BlackCat ransomware that incorporates the Impacket networking framework and the RemCom hacking tool. These additions enable the ransomware to spread laterally within a compromised network. The BlackCat operators had announced that testing of BlackCat/ALPHV 2.0: Sphynx was complete and that the code, including the encryption, had been completely rewritten. According to the operators, the update prioritized optimizing how the encryptor fares against detection by antivirus and endpoint detection and response (AV/EDR) systems. IBM Security X-Force conducted an in-depth analysis of the new BlackCat encryptor and warned that it had evolved into a toolkit.

Microsoft's Threat Intelligence team confirmed that the new BlackCat version uses the Impacket framework to facilitate lateral movement in targeted environments. Impacket is an open-source communication framework that penetration testers, red teamers, and threat actors commonly use as a post-exploitation toolkit. It supports credential dumping, remote service execution, NTLM relay attacks, and more. The BlackCat operation uses Impacket's credential dumping and remote service execution capabilities to distribute the encryptor across an entire network. The encryptor also embeds RemCom, a small remote shell for executing commands on other devices on the network.

The BlackCat ransomware gang, also known as ALPHV, emerged in November 2021 and is believed to be a rebrand of the DarkSide/BlackMatter gang responsible for the Colonial Pipeline attack. BlackCat is considered one of the most advanced, top-tier ransomware operations and constantly refines its tactics. In the past, the group created clearweb websites to leak data and developed a data leak API to make stolen data easier to disseminate. The evolution of the BlackCat encryptor into a post-exploitation toolkit enables faster deployment of file encryption across networks, making it more challenging for defenders to detect and mitigate ransomware attacks.
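For defenders, the remote service execution described above leaves traces in Windows event logs. The following is an added example, not taken from Microsoft's report or the original post: it flags service installs and process launches that match the stock RemCom service name and the Impacket-style output redirection, then groups hits by account to surface spread across hosts. The event field names, accounts, hosts and sample events are constructed, and the matched strings are assumptions based on the tools' public defaults.

```python
import re

# Heuristics from the tools' publicly documented defaults (assumptions; these
# strings are not given in the article and are easy for an operator to change).
REMCOM = re.compile(r"remcomsvc", re.I)  # stock RemCom service/binary name
QUIET_SHELL = re.compile(r"(cmd\.exe|%COMSPEC%)\s+/Q\s+/c", re.I)
# Impacket's exec modules redirect output to a "__" file on the host's own share.
LOOPBACK_SHARE = re.compile(r"\\\\127\.0\.0\.1\\(ADMIN|C)\$\\__", re.I)

def classify(event):
    """Return findings for one normalized Windows event (a dict)."""
    findings = []
    if event["event_id"] == 7045:  # System log: a service was installed
        text = f'{event.get("service_name", "")} {event.get("image_path", "")}'
        if REMCOM.search(text):
            findings.append("remcom-service-install")
        if QUIET_SHELL.search(text) and LOOPBACK_SHARE.search(text):
            findings.append("impacket-style-service-exec")
    elif event["event_id"] == 4688:  # Security log: process creation
        cmd = event.get("command_line", "")
        if QUIET_SHELL.search(cmd) and LOOPBACK_SHARE.search(cmd):
            findings.append("impacket-style-remote-exec")
    return findings

def accounts_spreading(events, min_hosts=2):
    """Accounts with findings on several hosts, a sign of lateral movement."""
    hosts = {}
    for ev in events:
        if classify(ev):
            hosts.setdefault(ev["account"], set()).add(ev["host"])
    return {acct: sorted(h) for acct, h in hosts.items() if len(h) >= min_hosts}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"event_id": 7045, "host": "WS01", "account": r"CORP\svc-backup",
     "service_name": "RemComSvc", "image_path": r"%SystemRoot%\RemComSvc.exe"},
    {"event_id": 4688, "host": "WS02", "account": r"CORP\svc-backup",
     "command_line": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1692000000.1 2>&1"},
    {"event_id": 7045, "host": "FS01", "account": r"CORP\svc-backup",
     "service_name": "XKQZ",
     "image_path": r"%COMSPEC% /Q /c echo dir ^> \\127.0.0.1\C$\__output 2^>^&1"},
    {"event_id": 7045, "host": "WS03", "account": r"CORP\it-admin",
     "service_name": "VendorAgent", "image_path": r"C:\Program Files\Vendor\agent.exe"},
    {"event_id": 4688, "host": "WS03", "account": r"CORP\it-admin",
     "command_line": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    print(accounts_spreading(SAMPLE_EVENTS))
```

Event 4688 only carries the command line when command-line process auditing is enabled, and renamed binaries or services will not match these strings, so treat a hit as a lead to correlate with logon and SMB activity.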

The post Microsoft Discovers New Version of BlackCat Ransomware appeared first on TS2 SPACE.


