
S1068 BlackCat

BlackCat is ransomware written in Rust that has been offered via the Ransomware-as-a-Service (RaaS) model. First observed November 2021, BlackCat has been used to target multiple sectors and organizations in various countries and regions in Africa, the Americas, Asia, Australia, and Europe.[3][2][1]

| Item | Value |
|---|---|
| ID | S1068 |
| Associated Names | ALPHV, Noberus |
| Type | MALWARE |
| Version | 1.0 |
| Created | 28 February 2023 |
| Last Modified | 17 April 2023 |

Associated Software Descriptions

| Name | Description |
|---|---|
| ALPHV | [3][1] |
| Noberus | [1] |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1548 | Abuse Elevation Control Mechanism | - |
| enterprise | T1548.002 | Bypass User Account Control | BlackCat can bypass UAC to escalate privileges.[3] |
| enterprise | T1134 | Access Token Manipulation | BlackCat has the ability to modify access tokens.[3][2] |
| enterprise | T1087 | Account Discovery | - |
| enterprise | T1087.002 | Domain Account | BlackCat can utilize net use commands to identify domain users.[3] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | BlackCat can execute commands on a compromised network with the use of cmd.exe.[3] |
| enterprise | T1486 | Data Encrypted for Impact | BlackCat has the ability to encrypt Windows devices, Linux devices, and VMware instances.[3] |
| enterprise | T1491 | Defacement | - |
| enterprise | T1491.001 | Internal Defacement | BlackCat can change the desktop wallpaper on compromised hosts.[3][2] |
| enterprise | T1561 | Disk Wipe | - |
| enterprise | T1561.001 | Disk Content Wipe | BlackCat has the ability to wipe VM snapshots on compromised networks.[3][2] |
| enterprise | T1083 | File and Directory Discovery | BlackCat can enumerate files for encryption.[3] |
| enterprise | T1222 | File and Directory Permissions Modification | - |
| enterprise | T1222.001 | Windows File and Directory Permissions Modification | BlackCat can use Windows commands such as fsutil behavior set SymLinkEvaluation R2L:1 to redirect file system access to a different location after gaining access to compromised networks.[3] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.001 | Clear Windows Event Logs | BlackCat can clear Windows event logs using wevtutil.exe.[3] |
| enterprise | T1490 | Inhibit System Recovery | BlackCat can delete shadow copies using vssadmin.exe delete shadows /all /quiet and wmic.exe Shadowcopy Delete; it can also modify the boot loader using bcdedit /set {default} recoveryenabled No.[3] |
| enterprise | T1570 | Lateral Tool Transfer | BlackCat can replicate itself across connected servers via psexec.[3] |
| enterprise | T1112 | Modify Registry | BlackCat has the ability to add the following registry key on compromised networks to maintain persistence: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters[3] |
| enterprise | T1135 | Network Share Discovery | BlackCat has the ability to discover network shares on compromised networks.[3][2] |
| enterprise | T1069 | Permission Groups Discovery | - |
| enterprise | T1069.002 | Domain Groups | BlackCat can determine if a user on a compromised host has domain admin privileges.[3] |
| enterprise | T1018 | Remote System Discovery | BlackCat can broadcast NetBIOS Name Service (NBNS) messages to search for servers connected to compromised networks.[3] |
| enterprise | T1489 | Service Stop | BlackCat has the ability to stop VM services on compromised networks.[3][2] |
| enterprise | T1082 | System Information Discovery | BlackCat can obtain the computer name and UUID, and enumerate local drives.[3] |
| enterprise | T1033 | System Owner/User Discovery | BlackCat can utilize net use commands to discover the user name on a compromised host.[3] |
| enterprise | T1047 | Windows Management Instrumentation | BlackCat can use wmic.exe to delete shadow copies on compromised networks.[3] |
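Several rows in the table above name the exact built-in Windows commands BlackCat runs (vssadmin, wmic, bcdedit, wevtutil, fsutil), which makes them natural process-creation detections. The following is an added defender-side example, not part of the ATT&CK entry or any vendor rule set: it matches command lines against those commands, maps each hit back to the technique IDs listed above, and rolls hits up per host so that a machine tripping several distinct techniques stands out. The event shape (dicts with host, pid and cmdline keys) and the sample events are assumptions constructed for the example, not a real EDR or Sysmon schema.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One detection rule: a regex over a process command line plus the
    ATT&CK technique IDs that the BlackCat table above attributes to it."""
    techniques: tuple[str, ...]
    name: str
    pattern: re.Pattern


# Patterns are case-insensitive and tolerate an optional ".exe" suffix and
# extra arguments, because the same tool is invoked with small variations.
# Read-only uses of the same tools (e.g. "vssadmin list shadows") do not match.
RULES = (
    Rule(("T1490",), "Inhibit System Recovery: vssadmin shadow copy deletion",
         re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    Rule(("T1490", "T1047"), "Inhibit System Recovery: shadow copy deletion via WMIC",
         re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    Rule(("T1490",), "Inhibit System Recovery: boot loader recovery disabled",
         re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    Rule(("T1070.001",), "Clear Windows Event Logs via wevtutil",
         re.compile(r"\bwevtutil(?:\.exe)?\b\s+(?:cl|clear-log)\b", re.I)),
    Rule(("T1222.001",), "Symlink evaluation changed via fsutil",
         re.compile(r"\bfsutil(?:\.exe)?\b.*\bbehavior\s+set\s+symlinkevaluation\b", re.I)),
)


def match_command_line(cmdline: str) -> list[str]:
    """Return the sorted, de-duplicated technique IDs whose rules match one command line."""
    found: set[str] = set()
    for rule in RULES:
        if rule.pattern.search(cmdline):
            found.update(rule.techniques)
    return sorted(found)


def scan_events(events: list[dict]) -> list[dict]:
    """Run every rule over every process-creation event.

    Each event is a dict with 'host', 'pid' and 'cmdline' keys (an assumed
    shape for this example). One hit record is produced per matching
    (event, rule) pair so the analyst can see which command line fired which rule.
    """
    hits = []
    for ev in events:
        for rule in RULES:
            if rule.pattern.search(ev["cmdline"]):
                hits.append({
                    "host": ev["host"],
                    "pid": ev["pid"],
                    "rule": rule.name,
                    "techniques": rule.techniques,
                    "cmdline": ev["cmdline"],
                })
    return hits


def summarize_by_host(hits: list[dict]) -> dict[str, list[str]]:
    """Collapse hits to host -> sorted distinct technique IDs.

    A host that trips several distinct techniques from the table above in a
    short window is a far stronger ransomware-impact signal than any single
    command line, which an administrator might run legitimately.
    """
    by_host: dict[str, set[str]] = {}
    for hit in hits:
        by_host.setdefault(hit["host"], set()).update(hit["techniques"])
    return {host: sorted(techs) for host, techs in by_host.items()}


# Constructed sample process-creation events; not captured from a real incident.
SAMPLE_EVENTS = [
    {"host": "ws01", "pid": 4120, "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "pid": 4133, "cmdline": "wmic.exe Shadowcopy Delete"},
    {"host": "ws01", "pid": 4140, "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"host": "ws01", "pid": 4151, "cmdline": "wevtutil.exe cl System"},
    {"host": "fs02", "pid": 880, "cmdline": "fsutil behavior set SymLinkEvaluation R2L:1"},
    {"host": "fs02", "pid": 901, "cmdline": "vssadmin list shadows"},       # benign: only lists
    {"host": "fs02", "pid": 915, "cmdline": "wevtutil qe Security /c:5"},  # benign: queries, does not clear
]


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for hit in found:
        print(f"{hit['host']} pid={hit['pid']} {'/'.join(hit['techniques'])}: {hit['cmdline']}")
    print(summarize_by_host(found))
```

Running the block against the constructed events yields five hits: four on ws01 (T1490 three times, once also tagged T1047 because the deletion went through wmic.exe, plus T1070.001) and one on fs02 (T1222.001); the two read-only commands on fs02 are ignored. Where this runs for real, the per-host roll-up is the alert worth paging on; the individual rules are better suited to enrichment or to a low-severity hunt query, since vssadmin and bcdedit do appear in legitimate administration.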

References