Another significant development in the evolution of ransomware is the emergence of the ransomware as a service (RaaS) business model. Under this model, threat actors offer ready-to-use ransomware software and toolkits to individuals who lack the technical skills to develop their own. This service model has several implications. Firstly, it enables broader participation in ransomware attacks, because anyone can obtain and deploy the ransomware software. Secondly, it increases the frequency of attacks, amplifying the overall threat of ransomware.
BlackCat and Black Basta were the most frequently detected variants of ransomware worldwide in the second quarter of 2023, followed by Royal and LockBit 3.0.[1] The notorious BlackCat ransomware group has capitalized on the aforementioned trends, targeting high-profile companies with considerable success.
Sophisticated and customizable attacks
BlackCat — also known as ALPHV — is one of the first major ransomware families to be written in Rust, with the ability to target systems on multiple operating systems beyond Windows, such as Linux and VMware ESXi.
The BlackCat ransomware group operates on the RaaS model, taking a percentage of ransom payments. It employs a triple extortion tactic — which includes data encryption, the threat of data publication and possible distributed denial-of-service attacks — to coerce victims for payment.
By leveraging Rust’s capabilities, BlackCat ransomware facilitates sophisticated, customizable attacks across multiple platforms, posing significant challenges for analysis in sandbox environments. The binary requires an access token to decode its configuration: once the correct token is supplied, the ransomware decrypts a runtime configuration file that dictates its behavior, including encryption methods, credentials and the processes to block. If it is not initially granted administrative permissions, the ransomware exploits Windows User Account Control to gain these privileges. Once these are secured, the ransomware creates child processes to perform various operations, including deleting volume shadow copies, modifying registry keys and clearing event logs, while trying to spread by logging into other device accounts or mounting hidden partitions.
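The child-process behaviour described above (one parent spawning processes that delete shadow copies, modify the registry and clear event logs) is what a detection engineer would correlate rather than alert on individually. The following Python is an added example, not code from the article or from any vendor tool: it runs three hypothetical rules over constructed process-creation events and flags any parent whose children exhibit at least two of the behaviours. The specific commands matched (vssadmin, wmic, wevtutil, reg) are common ways these actions are performed and are an assumption here, not commands the article attributes to BlackCat.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (not real BlackCat telemetry).
# Field shape loosely mimics parsed Sysmon Event ID 1 / Windows 4688 records.
SAMPLE_EVENTS = [
    {"ppid": 1,    "pid": 4000, "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe"},
    {"ppid": 4000, "pid": 4100, "image": r"C:\Users\alice\Downloads\update.exe",
     "cmd": "update.exe --access-token PLACEHOLDER"},   # token-gated launch
    {"ppid": 4100, "pid": 4101, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"ppid": 4100, "pid": 4102, "image": r"C:\Windows\System32\wevtutil.exe",
     "cmd": "wevtutil.exe cl System"},
    {"ppid": 4100, "pid": 4103, "image": r"C:\Windows\System32\reg.exe",
     "cmd": r"reg.exe add HKLM\SOFTWARE\PlaceholderKey /v Example /d 1 /f"},
    # Benign look-alikes from a different parent: must not be flagged.
    {"ppid": 4000, "pid": 4200, "image": r"C:\Windows\System32\wevtutil.exe",
     "cmd": "wevtutil.exe qe Application /c:5"},
    {"ppid": 4000, "pid": 4300, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin.exe list shadows"},
]

# One rule per behaviour the article attributes to the ransomware's child processes.
# The command patterns are an assumption (typical tooling), not article content.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "event_log_clearing": re.compile(r"wevtutil(\.exe)?\s+cl\s", re.I),
    "registry_modification": re.compile(r"\breg(\.exe)?\s+(add|delete)\s", re.I),
}

def score_parents(events, min_behaviours=2):
    """Group rule hits by parent PID and return parents whose children show
    at least `min_behaviours` distinct behaviours (sorted names per parent)."""
    hits = defaultdict(set)
    for ev in events:
        for name, rx in RULES.items():
            if rx.search(ev["cmd"]):
                hits[ev["ppid"]].add(name)
    return {ppid: sorted(b) for ppid, b in hits.items() if len(b) >= min_behaviours}

if __name__ == "__main__":
    images = {ev["pid"]: ev["image"] for ev in SAMPLE_EVENTS}
    for ppid, behaviours in score_parents(SAMPLE_EVENTS).items():
        print(f"suspect parent {ppid} ({images.get(ppid, '?')}): {', '.join(behaviours)}")
```

Raising `min_behaviours` to 3 trades recall for precision; single-behaviour hits from parent 4000 (a log query and a shadow listing) are dropped by design.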