Rust-Coded Malware Key Factor in BlackCat's Meteoric RiseResearchers: Coding Malware in Rust Language Improves Evasion, Efficacy
In just a month, the BlackCat cybercrime group has carried out high-impact ransomware attacks on international organizations and risen to seventh place in the ranking of global ransomware groups by Unit 42, the threat intelligence arm of security firm Palo Alto Networks. The ranking is based on the number of victims listed on BlackCat's data leak site.
The BlackCat ransomware group, also known as Alphv, first came into the limelight in mid-November 2021, according to Amanda Tanner, Alex Hinchliffe and Doel Santos, researchers from Unit 42.
The Unit 42 researchers say that the BlackCat ransomware group targeted organizations in the U.S., Europe, and the Philippines, in addition to other locations. Its targets included pharmaceutical companies and firms engaged in construction and engineering, retail, transportation, insurance, telecommunication and auto component manufacturing.
A report by security company Sentinel Labs says that BlackCat has also been targeting companies in Australia and India, demanding ransoms of $400,000 to $3,000,000 in Bitcoin or Monero. The findings from Unit 42 and Sentinel Labs do not specify the names of BlackCat Group's targets.
Researchers from the Photon Research Team - the threat intel wing of cybersecurity firm Digital Shadows - tell Information Security Media Group: "BlackCat's solicitation for unusually high ransom payments may appear excessive, but history has shown that even high ransom asks can be renegotiated by victims. Even if a compromise is reached, ransomware operators can still walk away with a pretty hefty payment."
Some of BlackCat's success has been attributed to its offering between 80% and 90% of the ransom amount to its affiliates. The group carries out distributed denial-of-service attacks and leverages the double-extortion technique - exfiltrating its victims' data before deploying the ransomware and threatening to release the data if the ransom is not paid.
The Unit 42 researchers say that BlackCat interviews and vets affiliates before accepting them into the group. Following confirmation, affiliates are given access to a Tor-based control panel that contains information on deploying and operating the ransomware and lists troubleshooting steps to make exploits more successful.
A report by data security firm Varonis says that the BlackCat ransomware group is actively recruiting former REvil, BlackMatter and DarkSide operators. These notorious ransomware groups have either been tracked and persecuted or dismantled over the last two to three years.
Alex Ondrick, director of security operations at Georgia-based cybersecurity company BreachQuest, tells ISMG that the recruitment spree is a common trend that has accelerated since the onset of the COVID-19 pandemic. "The uptick in ransomware-as-a-service is consistent with an increasingly-decentralized ransomware operating model," he says.
Photon researchers say that the BlackCat group's amplified search for ransomware affiliates is aligned with current trends. "It signals that the group has funding, and they may be seeking to reap profits quickly," they say.
While research reports from various threat intelligence companies do not explicitly name the country of origin of BlackCat's operators, the reports say that the control panel and instructions to affiliates are written in Russian.
According to findings by Indian cybersecurity company CloudSEK, BlackCat or Alphv was a former member of the REvil group. A member of the LockBit ransomware group, the report says, has claimed BlackCat is a rebranded version of the BlackMatter or DarkSide ransomware group.
According to CloudSEK, BlackCat, on an English-speaking cybercrime forum, says it is looking for affiliates in the U.S., Canada, the U.K., Ukraine, Russia, Switzerland and China.
Rust Adds Teeth to BlackCat's Attacks
According to some researchers, one of the key factors responsible for BlackCat's success and rapid growth is reported to be usage of the Rust programming language in its malware code. Security researchers from cybersecurity firm Recorded Future say that BlackCat is the first professional ransomware group to use Rust. The first ransomware strain coded in Rust as a proof-of-concept was released on GitHub in 2020.
In May 2021, the Buer Dropper malware was updated using a code written in Rust. At the time, researchers from cybersecurity firm Proofpoint told ISMG that the new code, named RustyBuer, made the modified malware version harder to detect.
Photon researchers tell ISMG that ransomware is most commonly coded in C, C++ or Go. But they add that Rust has many advantages: "It features good performance but more crucially, secure memory management, which reduces the probability that the malware will crash before it can be executed."
Several other languages use a garbage collector to clean unused memory spaces automatically, but that trades off some performance, the researchers say.
"The Noberus ransomware was also found to be using Rust, and some ransomware operators on dark web forums express an appreciation for this programming language," they add.
The Photon Research Team predicts that future lockers will likely be written in Rust.
The Unit 42 researchers also make note of Rust's prowess as a malware coding language, saying: "BlackCat is positioned to pivot to individualized, customized attacks due to the numerous options available when coding in Rust."
Unit 42's report says that the author of BlackCat ransomware leveraged Rust because of the efficient algorithm that drives the encryption capability of the ransomware. "Because of its efficiency and adaptability, BlackCat has been seen targeting both Windows and Linux systems," they add.
BlackCat's Evasion Capabilities
Varonis' researchers say that BlackCat's initial intrusion works by exploiting common vulnerabilities in a company's network infrastructure devices or VPN gateways, leaked credentials and exposed Remote Desktop Protocol hosts.
After the initial intrusion, reconnaissance is carried out, followed by lateral movement. This is when sensitive and valuable data is identified for exfiltration and subsequent encryption.
BlackCat's advanced detection evasion mechanisms involve the usage of Advanced Encryption Standards and built-in privilege escalation capabilities.
Photon researchers tell ISMG that there are several detection evasion mechanisms in play: The RaaS model, by design, offloads notable amounts of risk from the main operators to the affiliates.
The option to be paid in Monero in addition to Bitcoin indicates a heightened request for anonymity, according to the researchers, as Bitcoin can eventually be tracked in the ledger.
Ondrik of BreachQuest says that by excluding key system and application folders, ransomware is more likely to evade older signature-based detections, and this is especially applicable to unpatched and end-of-life systems. "Excluding key system and application folders is a quick way to avoid triggering security detections for editing and modifying some of the most commonly secured files and folders," he adds.