www.sentinelone.com
Open in
urlscan Pro
172.67.74.101
Public Scan
Submitted URL: https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/'
Effective URL: https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/
Submission: On December 09 via api from IN — Scanned from DE
Effective URL: https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/
Submission: On December 09 via api from IN — Scanned from DE
Form analysis 6 forms found in the DOM
GET https://www.sentinelone.com
<form autocomplete="off" method="get" action="https://www.sentinelone.com">
<fieldset>
<input type="search" name="s" placeholder="Search ..." value="">
<button class="search" type="submit">
<img class="lazy icon-search" src="data:image/svg+xml;utf8,<svg xmlns='http://www.w3.org/2000/svg' width='24' height='24'><rect width='100%' height='100%' fill='none'/></svg>"
data-src="https://www.sentinelone.com/wp-content/themes/sentinelone/carbine/assets/svg/search-icon-white.svg" alt="Search Icon White" style="" width="24" height="24">
<img class="lazy icon-down" src="data:image/svg+xml;utf8,<svg xmlns='http://www.w3.org/2000/svg' width='18' height='16'><rect width='100%' height='100%' fill='none'/></svg>"
data-src="https://www.sentinelone.com/wp-content/themes/sentinelone/carbine/assets/svg/navigation-close.svg" alt="Navigation Close" style="" width="18" height="16">
</button>
</fieldset>
</form>GET https://www.sentinelone.com/
<form role="search" method="get" class="search-form" action="https://www.sentinelone.com/">
<label>
<span class="screen-reader-text">Search ...</span>
<input type="search" class="search-field" placeholder="Search ..." value="" name="s">
</label>
<input type="submit" class="search-submit" value="Search">
</form><form id="mktoForm_1985" novalidate="novalidate" class="mktoForm mktoHasWidth mktoLayoutLeft" style="font-family: inherit; font-size: 13px; color: rgb(51, 51, 51); width: 1601px;">
<style type="text/css"></style>
<div class="mktoFormRow">
<div class="mktoFieldDescriptor mktoFormCol" style="margin-bottom: 5px;">
<div class="mktoOffset" style="width: 5px;"></div>
<div class="mktoFieldWrap mktoRequiredField"><label for="Email" id="LblEmail" class="mktoLabel mktoHasWidth" style="width: 0px;">
<div class="mktoAsterix">*</div>
</label>
<div class="mktoGutter mktoHasWidth" style="width: 5px;"></div><input id="Email" name="Email" placeholder="Business Email" maxlength="255" aria-labelledby="LblEmail InstructEmail" type="email"
class="mktoField mktoEmailField mktoHasWidth mktoRequired" aria-required="true" style="width: 150px;"><span id="InstructEmail" tabindex="-1" class="mktoInstruction"></span>
<div class="mktoClear"></div>
</div>
<div class="mktoClear"></div>
</div>
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="Employees__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="Industry" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="AnnualRevenue" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="Address" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="City" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="PostalCode" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="SIC_Code2__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="Website" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="demandbaseSID" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="Phone" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="demandbaseCompany" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="demandbaseCountry" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="demandbaseState" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="demandbaseEmployeeRange" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="subIndustry" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="dataSource" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="watchListAccountType" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="watchListAccountOwner" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="watchListAccountStatus" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="watchListCampaignCode" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoButtonRow"><span class="mktoButtonWrap mktoNative" style="margin-left: 110px;"><button type="submit" class="mktoButton">Subscribe</button></span></div>
<div class="marketo-legal">By clicking Subscribe, I agree to the use of my personal data in accordance with SentinelOne <a href="/legal/privacy-notice/">Privacy Notice</a>. SentinelOne will not sell, trade, lease, or rent your personal data to
third parties. This site is protected by reCAPTCHA and the <a href="https://policies.google.com/privacy" target="_blank">Google Privacy Policy</a> and <a href="https://policies.google.com/terms" target="_blank">Terms of Service</a> apply.</div>
<input type="hidden" name="formid" class="mktoField mktoFieldDescriptor" value="1985"><input type="hidden" name="munchkinId" class="mktoField mktoFieldDescriptor" value="327-MNM-087">
</form><form id="mktoForm_2673" novalidate="novalidate" class="mktoForm mktoHasWidth mktoLayoutLeft" style="font-family: inherit; font-size: 13px; color: rgb(51, 51, 51); width: 1601px;">
<style type="text/css"></style>
<div class="mktoFormRow">
<div class="mktoFieldDescriptor mktoFormCol" style="margin-bottom: 5px;">
<div class="mktoOffset" style="width: 5px;"></div>
<div class="mktoFieldWrap mktoRequiredField"><label for="Email" id="LblEmail" class="mktoLabel mktoHasWidth" style="width: 0px;">
<div class="mktoAsterix">*</div>
</label>
<div class="mktoGutter mktoHasWidth" style="width: 5px;"></div><input id="Email" name="Email" placeholder="Business Email" maxlength="255" aria-labelledby="LblEmail InstructEmail" type="email"
class="mktoField mktoEmailField mktoHasWidth mktoRequired" aria-required="true" style="width: 150px;"><span id="InstructEmail" tabindex="-1" class="mktoInstruction"></span>
<div class="mktoClear"></div>
</div>
<div class="mktoClear"></div>
</div>
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="Employees__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="Industry" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="AnnualRevenue" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="Address" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="City" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="PostalCode" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="SIC_Code2__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="Website" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="demandbaseSID" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="Phone" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="demandbaseCompany" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="demandbaseCountry" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="demandbaseState" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="demandbaseEmployeeRange" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="subIndustry" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="dataSource" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="watchListAccountType" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="watchListAccountOwner" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="watchListAccountStatus" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="watchListCampaignCode" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoButtonRow"><span class="mktoButtonWrap mktoNative" style="margin-left: 110px;"><button type="submit" class="mktoButton">Subscribe</button></span></div>
<div class="marketo-legal">By clicking Subscribe, I agree to the use of my personal data in accordance with SentinelOne <a href="/legal/privacy-notice/">Privacy Notice</a>. SentinelOne will not sell, trade, lease, or rent your personal data to
third parties. This site is protected by reCAPTCHA and the <a href="https://policies.google.com/privacy" target="_blank">Google Privacy Policy</a> and <a href="https://policies.google.com/terms" target="_blank">Terms of Service</a> apply.</div>
<input type="hidden" name="formid" class="mktoField mktoFieldDescriptor" value="2673"><input type="hidden" name="munchkinId" class="mktoField mktoFieldDescriptor" value="327-MNM-087">
</form><form novalidate="novalidate" class="mktoForm mktoHasWidth mktoLayoutLeft" style="font-family: inherit; font-size: 13px; color: rgb(51, 51, 51); visibility: hidden; position: absolute; top: -500px; left: -1000px; width: 1600px;"></form><form novalidate="novalidate" class="mktoForm mktoHasWidth mktoLayoutLeft" style="font-family: inherit; font-size: 13px; color: rgb(51, 51, 51); visibility: hidden; position: absolute; top: -500px; left: -1000px; width: 1600px;"></form>Text Content
*
*
ABOUT
CVE DATABASE
CONTACT
VISIT SENTINELONE.COM
Crimeware
BLACKCAT RANSOMWARE | HIGHLY-CONFIGURABLE, RUST-DRIVEN RAAS ON THE PROWL FOR
VICTIMS
Jim Walter / January 18, 2022
BlackCat (aka AlphaVM, AlphaV) is a newly established RaaS (Ransomware as a
Service) with payloads written in Rust. While BlackCat is not the first
ransomware written in the Rust language, it joins a small (yet growing) sliver
of the malware landscape making use of this popular cross-platform language.
First appearing in late November, BlackCat has reportedly been attacking targets
in multiple countries, including Australia, India and the U.S, and demanding
ransoms in the region of $400,000 to $3,000,000 in Bitcoin or Monero.
BLACKCAT RANSOMWARE OVERVIEW
In order to attract affiliates, the authors behind BlackCat have been heavily
marketing their services in well-known underground forums.
BlackCat operators maintain a victim blog as is standard these days. The blog
hosts company names and any data leaked in the event that the victims do not
agree to cooperate.
Current data indicates primary delivery of BlackCat is via 3rd party
framework/toolset (e.g., Cobalt Strike) or via exposed (and vulnerable)
applications. BlackCat currently supports both Windows and Linux operating
systems.
BLACKCAT CONFIGURATION OPTIONS
Samples analyzed (to date ) require an “access token” to be supplied as a
parameter upon execution. This is similar to threats like Egregor, and is often
used as an anti-analysis tactic. This ‘feature’ exists in both the Windows and
Linux versions of BlackCat.
However, the BlackCat samples we analyzed could be launched with any string
supplied as the access token. For example:
Malware.exe -v --access-token 12345
The ransomware supports a visible command set, which can be obtained via the -h
or --help parameters.
BlackCat command line options
As seen above, the executable payloads support a variety of commands, many of
which are VMware-centric.
--no-prop Do not self propagate(worm) on Windows
--no-prop-servers <NO_PROP_SERVERS> Do not propagate to defined servers
--no-vm-kill Do not stop VMs on ESXi
--no-vm-snapshot-kill Do not wipe VMs snapshots on ESXi
--no-wall Do not update desktop wallpaper on Windows
In verbose mode (-v) the following output can be observed upon launch of the
BlackCat payloads:
BlackCat ransomware run in verbose mode
BLACKCAT EXECUTION AND ENCRYPTION BEHAVIOUR
Immediately upon launch, the malware will attempt to validate the existence of
the previously mentioned access-token, followed by querying for the system UUID
(wmic).
Those pieces of data are concatenated together into what becomes the ‘Access
key’ portion of their recovery URL displayed in the ransom note. In addition, on
Windows devices, BlackCat attempts to delete VSS (Volume Shadow Copies) as well
as enumerate any accessible drives to search for and encrypt eligible files.
Other configuration parameters are evaluated before proceeding to execute
multiple privilege escalation methods, based on the OS identified by wmic
earlier. These methods are visible at the time of execution and include the use
of the Com Elevation Moniker.
It is at this point that BlackCat will attempt to terminate any processes or
services listed within the configuration such as any processes which may inhibit
the encryption process. There are also specific files and directories that are
excluded from encryption. Much of this is configurable at the time of building
the ransomware payloads.
The targeted processes and services are noted in the kill_processes and
kill_services sections respectively. File and folder exclusions are handled in
the exclude directory_names section.
To further illustrate, the following were extracted from sample
d65a131fb2bd6d80d69fe7415dc1d1fd89290394/
74464797c5d2df81db2e06f86497b2127fda6766956f1b67b0dcea9570d8b683:
Kill_Processes
backup memtas mepocs msexchange sql svc$ veeam vss
Kill_Services
agntsvc dbeng50 dbsnmp encsvc excel firefox infopath isqlplussvc msaccess mspub
mydesktopqos mydesktopservice notepad ocautoupds ocomm ocssd onenote oracle
outlook powerpnt sqbcoreservice sql steam synctime tbirdconfig thebat
thunderbird visio winword wordpad xfssvccon
Exclude_Directory_Names
$recycle.bin $windows.~bt $windows.~ws 386 adv all users ani appdata application
data autorun.inf bat bin boot boot.ini bootfont.bin bootsect.bak cab cmd com
config.msi cpl cur default deskthemepack diagcab diagcfg diagpkg dll drv
exclude_file_extensions:[themepack exclude_file_names:[desktop.ini exe google
hlp hta icl icns ico iconcache.db ics idx intel key ldf lnk lock mod mozilla mpa
msc msi msocache msp msstyles msu] nls nomedia ntldr ntuser.dat ntuser.dat.log]
ntuser.ini ocx pdb perflogs prf program files program files (x86) programdata
ps1 public rom rtp scr shs spl sys system volume information theme thumbs.db tor
browser windows windows.old] wpx
BlackCat also spawns a number of its own processes, with syntax (for Windows) as
follows:
WMIC.exe (CLI interpreter) csproduct get UUID
cmd.exe (CLI interpreter) /c "reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f"
cmd.exe (CLI interpreter) /c "wmic csproduct get UUID"
cmd.exe (fsutil.exe) /c "fsutil behavior set SymlinkEvaluation R2L:1"
fsutil.exe behavior set SymlinkEvaluation R2L:1
cmd.exe (fsutil.exe) /c "fsutil behavior set SymlinkEvaluation R2R:1"
The fsutil-based modifications are meant to allow for use of both remote and
local symlinks. BlackCat enables ‘remote to local’ and ‘remote to remote’
capability.
fsutil.exe behavior set SymlinkEvaluation R2R:1
cmd.exe (vssadmin.exe) /c "vssadmin.exe delete shadows /all /quiet"
reg.exe (CLI interpreter) add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f
cmd.exe (worldwideStrata.exe) /c "C:\Users\admin1\Desktop\worldwideStrata.exe" --child
vssadmin.exe delete shadows /all /quietcmd.exe (ARP.EXE) /c "arp -a"
Some more recently-built copies have a few additions. For example, in sample
c1187fe0eaddee995773d6c66bcb558536e9b62c/c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40
we see the addition of:
wmic.exe Shadowcopy Delete"
"iisreset.exe /stop"
bcdedit.exe /set {default} recoveryenabled No
Much like other fine details, all this can be adjusted or configured by the
affiliates at the time of building the payloads.
BlackCat configurations are not necessarily tailored to the target operating
system. In the Linux variants we have analyzed to date, there are
Windows-specific process, service, and file references in the kill_processes,
kill_services, and exclude_directory_names.
The following excerpt is from sample
f8c08d00ff6e8c6adb1a93cd133b19302d0b651afd73ccb54e3b6ac6c60d99c6.
Linux variant configuration
Specific encryption logic is not necessarily novel either and is somewhat
configurable by the affiliate at the time of building the ransomware payloads.
BlackCat supports both ChaCha20 and AES encryption schemes.
Extensions on encrypted files can vary across samples. Examples observed include
.dkrpx75, .kh1ftzx and .wpzlbji.
BlackCat ransomware execution chain (Windows version)
POST-INFECTION, PAYMENT AND PORTAL
Infected clients will be greeted with a ransom note as well as a modified
desktop image.
BlackCat’s modified desktop image
Infected uses are instructed to connect to the attackers’ payment portal via
TOR.
BlackCat ransom note
The ransom note informs the victim that not only have files been encrypted but
data has been stolen.
Victim’s are threatened with data leakage if they refuse to pay and provided
with a list of data types that have been stolen.
In theory, once victims connect to the attacker’s portal, they are able to
communicate and potentially acquire a decryption tool. Everything on the
BlackCat portal is tied back to the specific target ID, which must be supplied
correctly from the URL in the ransom note.
CONCLUSION
In its relatively short time on the radar, BlackCat has carved a notable place
for itself amongst mid-tier ransomware actors. This group knows their craft and
are cautious when selecting partners or affiliates. It is possible that some of
the increased affiliation and activity around BlackCat is attributed to other
actors migrating to BlackCat as larger platforms fizzle out (Ryuk, Conti,
LockBit and REvil).
Actors utilizing BlackCat know their targets well and make every attempt to
stealthily compromise enterprises. Prevention by way of powerful, modern,
endpoint security controls are a must. The SentinelOne Singularity Platform is
capable of detecting and preventing BlackCat infections on both Windows and
Linux endpoints.
INDICATORS OF COMPROMISE
SHA256
0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479
13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31
15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed
1af1ca666e48afc933e2eda0ae1d6e88ebd23d27c54fd1d882161fd8c70b678e
28d7e6fe31dc00f82cb032ba29aad6429837ba5efb83c2ce4d31d565896e1169
2cf54942e8cf0ef6296deaa7975618dadff0c32535295d3f0d5f577552229ffc
38834b796ed025563774167716a477e9217d45e47def20facb027325f2a790d1
3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83
4e18f9293a6a72d5d42dad179b532407f45663098f959ea552ae43dbb9725cbf
59868f4b346bd401e067380cac69080709c86e06fae219bfb5bc17605a71ab3f
731adcf2d7fb61a8335e23dbee2436249e5d5753977ec465754c6b699e9bf161
74464797c5d2df81db2e06f86497b2127fda6766956f1b67b0dcea9570d8b683
7b2449bb8be1b37a9d580c2592a67a759a3116fe640041d0f36dc93ca3db4487
7e363b5f1ba373782261713fa99e8bbc35ddda97e48799c4eb28f17989da8d8e
bd337d4e83ab1c2cacb43e4569f977d188f1bb7c7a077026304bf186d49d4117
c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40
c8b3b67ea4d7625f8b37ba59eed5c9406b3ef04b7a19b97e5dd5dab1bd59f283
cefea76dfdbb48cfe1a3db2c8df34e898e29bec9b2c13e79ef40655c637833ae
f815f5d6c85bcbc1ec071dd39532a20f5ce910989552d980d1d4346f57b75f89
f8c08d00ff6e8c6adb1a93cd133b19302d0b651afd73ccb54e3b6ac6c60d99c6
SHA1
087497940a41d96e4e907b6dc92f75f4a38d861a
11203786b17bb3873d46acae32a898c8dac09850
2a53525eeb7b76b3d1bfe40ac349446f2add8784
45212fa4501ede5af428563f8043c4ae40faec76
57a6dfd2b021e5a4d4fe34a61bf3242ecee841b3
5869820f261f76eafa1ba00af582a9225d005c89
5c6ca5581a04955d8e4d1fa452621fbc922ecb7b
655c2567650d2c109fab443de4b737294994f1fd
783b2b053ef0345710cd2487e5184f29116e367c
89060eff6db13e7455fee151205e972260e9522a
9146a448463935b47e29155da74c68d16e0d7031
94f025f3be089252692d58e54e3e926e09634e40
a186c08d3d10885ebb129b1a0d8ea0da056fc362
c1187fe0eaddee995773d6c66bcb558536e9b62c
ce5540c0d2c54489737f3fefdbf72c889ac533a9
d65a131fb2bd6d80d69fe7415dc1d1fd89290394
da1e4a09a59565c5d62887e0e9a9f6f04a18b5f4
e17dc8062742878b0b5ced2145311929f6f77abd
e22436386688b5abe6780a462fd07cd12c3f3321
f466b4d686d1fa9fed064507639b9306b0d80bbf
MITRE ATT&CK
T1027.002 – Obfuscated Files or Information: Software Packing
T1027 – Obfuscated Files or Information
T1007 – System Service Discovery
T1059 – Command and Scripting Interpreter
TA0010 – Exfiltration
T1082 – System Information Discovery
T1490 – Inhibit System Recovery
T1485 – Data Destruction
T1078 – Valid Accounts
T1486 – Data Encrypted For Impact
T1140 – Encode/Decode Files or Information
T1202 – Indirect Command Execution
T1543.003 – Create or Modify System Process: Windows Service
T1550.002 – Use Alternate Authentication Material: Pass the Hash
RaaS
Ransomware
SHARE
PDF
JIM WALTER
Jim Walter is a Senior Threat Researcher at SentinelOne focusing on evolving
trends, actors, and tactics within the thriving ecosystem of cybercrime and
crimeware. He specializes in the discovery and analysis of emerging cybercrime
"services" and evolving communication channels leveraged by mid-level criminal
organizations. Jim joined SentinelOne following ~4 years at a security start-up,
also focused on malware research and organized crime. Previously, he spent over
17 years at McAfee/Intel running their Threat Intelligence and Advanced Threat
Research teams.
Prev
WADING THROUGH MUDDY WATERS | RECENT ACTIVITY OF AN IRANIAN STATE-SPONSORED
THREAT ACTOR
Next
HACKTIVISM AND STATE-SPONSORED KNOCK-OFFS | ATTRIBUTING DECEPTIVE HACK-AND-LEAK
OPERATIONS
RELATED POSTS
CYBERVOLK | A DEEP DIVE INTO THE HACKTIVISTS, TOOLS AND RANSOMWARE FUELING
PRO-RUSSIAN CYBER ATTACKS
November 25 2024
KRYPTINA RAAS | FROM UNSELLABLE CAST-OFF TO ENTERPRISE RANSOMWARE
September 23 2024
XEON SENDER | SMS SPAM SHIPPING MULTI-TOOL TARGETING SAAS CREDENTIALS
August 19 2024
SEARCH
Search ...
SIGN UP
Get notified when we post new content.
*
Subscribe
By clicking Subscribe, I agree to the use of my personal data in accordance with
SentinelOne Privacy Notice. SentinelOne will not sell, trade, lease, or rent
your personal data to third parties. This site is protected by reCAPTCHA and the
Google Privacy Policy and Terms of Service apply.
Thanks! Keep an eye out for new content!
RECENT POSTS
* LABScon24 Replay | PKfail: Supply-Chain Failures in Secure Boot Key
Management
December 3, 2024
* LABScon24 Replay | A 30-Year Journey from Compilation Student to
Decompilation Pioneer
November 26, 2024
* CyberVolk | A Deep Dive into the Hacktivists, Tools and Ransomware Fueling
Pro-Russian Cyber Attacks
November 25, 2024
LABS CATEGORIES
* Crimeware
* Security Research
* Advanced Persistent Threat
* Adversary
* LABScon
* Security & Intelligence
SENTINELLABS
In the era of interconnectivity, when markets, geographies, and jurisdictions
merge in the melting pot of the digital domain, the perils of the threat
ecosystem become unparalleled. Crimeware families achieve an unparalleled level
of technical sophistication, APT groups are competing in fully-fledged cyber
warfare, while once decentralized and scattered threat actors are forming
adamant alliances of operating as elite corporate espionage teams.
RECENT POSTS
* LABScon24 Replay | PKfail: Supply-Chain Failures in Secure Boot Key
Management
December 3, 2024
* LABScon24 Replay | A 30-Year Journey from Compilation Student to
Decompilation Pioneer
November 26, 2024
* CyberVolk | A Deep Dive into the Hacktivists, Tools and Ransomware Fueling
Pro-Russian Cyber Attacks
November 25, 2024
SIGN UP
Get notified when we post new content.
*
Subscribe
By clicking Subscribe, I agree to the use of my personal data in accordance with
SentinelOne Privacy Notice. SentinelOne will not sell, trade, lease, or rent
your personal data to third parties. This site is protected by reCAPTCHA and the
Google Privacy Policy and Terms of Service apply.
Thanks! Keep an eye out for new content!
* Twitter
* LinkedIn
©2024 SentinelOne, All Rights Reserved.
We'd like to show you notifications for the latest news and updates.
AllowCancel
By clicking “Accept All Cookies”, you agree to the storing of cookies on your
device to enhance site navigation, analyze site usage, and assist in our
marketing efforts.
Cookies Settings Accept All Cookies
PRIVACY PREFERENCE CENTER
When you visit any website, it may store or retrieve information on your
browser, mostly in the form of cookies. This information might be about you,
your preferences or your device and is mostly used to make the site work as you
expect it to. The information does not usually directly identify you, but it can
give you a more personalized web experience. Because we respect your right to
privacy, you can choose not to allow some types of cookies. Click on the
different category headings to find out more and change our default settings.
However, blocking some types of cookies may impact your experience of the site
and the services we are able to offer.
More information
Allow All
MANAGE CONSENT PREFERENCES
FUNCTIONAL COOKIES
Functional Cookies
These cookies enable the website to provide enhanced functionality and
personalisation. They may be set by us or by third party providers whose
services we have added to our pages. If you do not allow these cookies then some
or all of these services may not function properly.
STRICTLY NECESSARY COOKIES
Always Active
These cookies are necessary for the website to function and cannot be switched
off in our systems. They are usually only set in response to actions made by you
which amount to a request for services, such as setting your privacy
preferences, logging in or filling in forms. You can set your browser to block
or alert you about these cookies, but some parts of the site will not then work.
These cookies do not store any personally identifiable information.
PERFORMANCE COOKIES
Performance Cookies
These cookies allow us to count visits and traffic sources so we can measure and
improve the performance of our site. They help us to know which pages are the
most and least popular and see how visitors move around the site. All
information these cookies collect is aggregated and therefore anonymous. If you
do not allow these cookies we will not know when you have visited our site, and
will not be able to monitor its performance.
TARGETING COOKIES
Targeting Cookies
These cookies may be set through our site by our advertising partners. They may
be used by those companies to build a profile of your interests and show you
relevant adverts on other sites. They do not store directly personal
information, but are based on uniquely identifying your browser and internet
device. If you do not allow these cookies, you will experience less targeted
advertising.
Back Button
COOKIE LIST
Search Icon
Filter Icon
Clear
checkbox label label
Apply Cancel
Consent Leg.Interest
checkbox label label
checkbox label label
checkbox label label
Confirm My Choices