Currently viewing ATT&CK v15.1 which was live between April 23, 2024 and October 30, 2024. Learn more about the versioning system or see the live site.
  1. Home
  2. Software
  3. BlackCat

BlackCat

BlackCat is ransomware written in Rust that has been offered via the Ransomware-as-a-Service (RaaS) model. First observed November 2021, BlackCat has been used to target multiple sectors and organizations in various countries and regions in Africa, the Americas, Asia, Australia, and Europe.[1][2][3]

ID: S1068
Associated Software: ALPHV, Noberus
Type: MALWARE
Platforms: Linux, Windows
Contributors: Hiroki Nagahama, NEC Corporation; Josh Arenas, Trustwave Spiderlabs; Manikantan Srinivasan, NEC Corporation India; Pooja Natarajan, NEC Corporation India
Version: 1.0
Created: 28 February 2023
Last Modified: 15 June 2023

Associated Software Descriptions

Name Description
ALPHV

[1][3]
Noberus

[3]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

BlackCat can bypass UAC to escalate privileges.[1]

Enterprise T1134 Access Token Manipulation

BlackCat has the ability modify access tokens.[1][2]
Enterprise T1087 .002 Account Discovery: Domain Account

BlackCat can utilize net use commands to identify domain users.[1]
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

BlackCat can execute commands on a compromised network with the use of cmd.exe.[1]
Enterprise T1486 Data Encrypted for Impact

BlackCat has the ability to encrypt Windows devices, Linux devices, and VMWare instances.[1]
Enterprise T1491 .001 Defacement: Internal Defacement

BlackCat can change the desktop wallpaper on compromised hosts.[1][2]
Enterprise T1561 .001 Disk Wipe: Disk Content Wipe

BlackCat has the ability to wipe VM snapshots on compromised networks.[1][2]
Enterprise T1083 File and Directory Discovery

BlackCat can enumerate files for encryption.[1]
Enterprise T1222 .001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification

BlackCat can use Windows commands such as fsutil behavior set SymLinkEvaluation R2L:1 to redirect file system access to a different location after gaining access into compromised networks.[1]
Enterprise T1070 .001 Indicator Removal: Clear Windows Event Logs

BlackCat can clear Windows event logs using wevtutil.exe.[1]
Enterprise T1490 Inhibit System Recovery

BlackCat can delete shadow copies using vssadmin.exe delete shadows /all /quiet and wmic.exe Shadowcopy Delete; it can also modify the boot loader using bcdedit /set {default} recoveryenabled No.[1]
Enterprise T1570 Lateral Tool Transfer

BlackCat can replicate itself across connected servers via psexec.[1]
Enterprise T1112 Modify Registry

BlackCat has the ability to add the following registry key on compromised networks to maintain persistence: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services \LanmanServer\Paramenters[1]
Enterprise T1135 Network Share Discovery

BlackCat has the ability to discover network shares on compromised networks.[1][2]
Enterprise T1069 .002 Permission Groups Discovery: Domain Groups

BlackCat can determine if a user on a compromised host has domain admin privileges.[1]
Enterprise T1018 Remote System Discovery

BlackCat can broadcasts NetBIOS Name Service (NBNC) messages to search for servers connected to compromised networks.[1]
Enterprise T1489 Service Stop

BlackCat has the ability to stop VM services on compromised networks.[1][2]
Enterprise T1082 System Information Discovery

BlackCat can obtain the computer name and UUID, and enumerate local drives.[1]
Enterprise T1033 System Owner/User Discovery

BlackCat can utilize net use commands to discover the user name on a compromised host.[1]
Enterprise T1047 Windows Management Instrumentation

BlackCat can use wmic.exe to delete shadow copies on compromised networks.[1]

Groups That Use This Software

ID Name References
G1015 Scattered Spider

Scattered Spider has deployed BlackCat ransomware to victim environments for financial gain.[4][5]

References

  1. Microsoft Defender Threat Intelligence. (2022, June 13). The many lives of BlackCat ransomware. Retrieved December 20, 2022.
  2. Brandt, Andrew. (2022, July 14). BlackCat ransomware attacks not merely a byproduct of bad luck. Retrieved December 20, 2022.
  3. Australian Cyber Security Centre. (2022, April 14). 2022-004: ACSC Ransomware Profile - ALPHV (aka BlackCat). Retrieved December 20, 2022.
  1. CISA. (2023, November 16). Cybersecurity Advisory: Scattered Spider (AA23-320A). Retrieved March 18, 2024.
  2. Microsoft. (2023, October 25). Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction. Retrieved March 18, 2024.