The Linux variant of BlackCat is a single executable that, when executed on the target’s system, will encrypt portions of the file system and instruct the target to pay a ransom to decrypt the files.
Command-Line Arguments
The ransomware requires a hexadecimal access token, passed via the “--access-token” command-line argument; without it the locker does not run. Additional, optional arguments include:
- --child: run as child process
- --help: print usage
- --log-file: print output to specific log file
- --no-vm-kill: refrain from killing running ESXi VMs
- --paths: encrypt only specified path
- --ui: run in user interface mode
Config
Each sample stores a read-only JSON configuration section that is visible in plaintext on disk. The attacker customizes it per ransomware sample for the targeted victim: specifics such as the victim name inserted into the ransom note, or explicit credentials for a machine, are added to this section when they are known to the attacker. The following fields can be found as well:
- public_key: RSA public key used to encrypt the secret key generated at runtime (see Encryption)
- extension: extension encrypted files are given
- note_file_name: name of the ransom note
- note_full_text: ransom note text with target sections to be propagated at runtime
- credentials: optional hardcoded credentials to the target machine
- kill_services: services to be terminated before running the ransomware
- kill_processes: processes to be terminated before running the ransomware
- exclude_directory_names: directories to avoid encrypting
- exclude_file_names: file names to avoid encrypting
- exclude_file_extensions: file extensions to avoid encrypting
- esxi_vm_kill_exclude: hardcoded virtual machine (VM) names to avoid terminating (for example, excluding the domain controller)
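Because the configuration is stored as plaintext JSON inside the ELF, an analyst can recover it without running the sample. The following is an added example (not code from the original article or from the locker itself) that scans a byte blob for embedded JSON objects carrying the keys listed above, then renders the ransom note file name by substituting the configured extension. The binary contents and every config value are constructed stand-ins, not data from a real sample.

```python
import json
import re

# Keys the article lists; a JSON object missing these is not the locker config.
REQUIRED_KEYS = {"public_key", "extension", "note_file_name", "note_full_text"}

# Constructed stand-in for a locker binary: an ELF header, some noise, a
# decoy "{" that is not a full config, and then a plaintext JSON config.
# All values are placeholders invented for this example.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b'junk{"not":"config'
    b'{"public_key":"PLACEHOLDER-RSA-PUBLIC-KEY","extension":"sykffle",'
    b'"note_file_name":"RECOVER-${EXTENSION}-FILES.txt",'
    b'"note_full_text":">> What happened?\\nYour files are encrypted ...",'
    b'"credentials":[["admin","Passw0rd!"]],'
    b'"kill_services":["mysql","vss"],"kill_processes":["vmsyslogd"],'
    b'"exclude_directory_names":["proc","sys","boot"],'
    b'"exclude_file_names":["RECOVER-${EXTENSION}-FILES.txt"],'
    b'"exclude_file_extensions":["sykffle","so","ko"],'
    b'"esxi_vm_kill_exclude":["DC01"]}' + b"\x00" * 8 + b"more code"
)


def extract_configs(blob: bytes) -> list:
    """Return every embedded JSON object that carries the locker config keys.

    Every '{"' in the blob is tried as the start of a JSON document;
    raw_decode stops at the end of the object, so trailing binary is ignored.
    """
    decoder = json.JSONDecoder()
    found = []
    for match in re.finditer(rb'\{"', blob):
        tail = blob[match.start():].decode("utf-8", errors="replace")
        try:
            obj, _ = decoder.raw_decode(tail)
        except json.JSONDecodeError:
            continue  # not a complete JSON object (decoy braces, code bytes)
        if isinstance(obj, dict) and REQUIRED_KEYS.issubset(obj):
            found.append(obj)
    return found


def summarize(cfg: dict) -> dict:
    """Pull out the fields a responder needs first from a recovered config."""
    ext = cfg["extension"]
    return {
        "extension": ext,
        # The note name contains ${EXTENSION}, which the locker expands at runtime.
        "note_file_name": cfg["note_file_name"].replace("${EXTENSION}", ext),
        "has_credentials": bool(cfg.get("credentials")),
        "kill_services": cfg.get("kill_services", []),
        "kill_processes": cfg.get("kill_processes", []),
        "vm_kill_exclude": cfg.get("esxi_vm_kill_exclude", []),
        "excluded_extensions": cfg.get("exclude_file_extensions", []),
    }


if __name__ == "__main__":
    for cfg in extract_configs(SAMPLE_BINARY):
        print(json.dumps(summarize(cfg), indent=2))
```

To run this against a real sample, replace SAMPLE_BINARY with the file contents (open(path, "rb").read()); the scan is linear in the number of '{"' occurrences, which is small even for a 2 MB ELF. Treat any credentials recovered this way as compromised and rotate them.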
Locker Rust Modules
The ransomware includes multiple Rust modules, shared between samples, for file traversal, thread management, shell command execution, and ESXi VM detection. The last two are specific to the Linux variants of BlackCat; file traversal is also shared with the Windows samples. A full list can be found below:
- locker::core::cluster
- locker::core::discoverer
- locker::core::pipeline::chunk_workers_supervisor
- locker::core::pipeline::file_worker_pool
- locker::core::pipeline::file_worker_pool_core
- locker::core::renderer
  - calculates the speed of encryption processing
- locker::core::stack
- locker::core::os::linux::command
  - Linux bash command execution
- locker::core::os::linux::esxi
- encrypt_app::linux
Targets ESXi
This ransomware family targets ESXi servers specifically: an entire Rust module is devoted to detecting ESXi on the infected host. The behavior is similar to Sodinokibi (REvil) and uses the same commands, in the same order, to kill the ESXi processes. The ransomware is capable of:
- Detecting the ESXi version installed on the targeted server
- Killing processes associated with ESXi
- Preventing running processes from interfering with encryption (a running VM would otherwise hold its disk files open)
- Encrypting VMFS (VMware Virtual Machine File System) volumes
- Removing VM snapshots
Encryption
If no ESXi installation or VMs are present on the targeted system, the ransomware simply encrypts the entire disk apart from the configured exclusions. The encryption scheme is the common hybrid design: a symmetric secret key is generated at runtime and files are encrypted with either AES or ChaCha20; the RSA public key stored in the config is then used to encrypt that secret key, so recovery requires the attacker's RSA private key. By extracting the crate paths from the ransomware, it is even possible to identify the specific versions of the Rust encryption crates in use:
- aes-0.7.5
- chacha20-0.8.1
- rsa-0.5.0
- cipher-0.3.0
- pkcs1-0.2.4
- pkcs8-0.7.6
Displays ransom note
After successfully encrypting the files on the target device, the ransomware writes the ransom note named “RECOVER-${EXTENSION}-FILES.txt,” where “${EXTENSION}” is the extension of the encrypted files as specified in the config.
Multithreading
The locker begins by spawning multiple worker processes in parallel via clone and synchronizes them over a local network socket on port 61069. This is beneficial for encryption because the workers handle multiple files simultaneously and encrypt the contents of the server faster; it also leaves a loopback listener on a fixed port that can be hunted for.
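A hunting check for that worker-synchronization socket, as an added example (not code from the original article): it parses /proc/net/tcp, where the kernel records local and remote addresses as little-endian hex and port 61069 appears as EE8D, and reports loopback sockets bound to that port in any state. The /proc/net/tcp excerpt is constructed for this example; port 22 is included as a normal listener for contrast.

```python
LOCKER_SYNC_PORT = 61069  # the port the article attributes to the worker sync socket

# Constructed /proc/net/tcp excerpt: sshd listening on 0.0.0.0:22, a loopback
# listener on 127.0.0.1:61069 (state 0A = LISTEN) and one worker connected to
# it (state 01 = ESTABLISHED). Inodes and queues are placeholder values.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18000 1 0000000000000000 100 0 0 10 0
   1: 0100007F:EE8D 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 42123 1 0000000000000000 100 0 0 10 0
   2: 0100007F:EE8D 0100007F:9A2C 01 00000000:00000000 00:00000000 00000000     0        0 42130 1 0000000000000000 20 0 0 10 -1
"""

TCP_STATES = {0x01: "ESTABLISHED", 0x0A: "LISTEN"}


def _ipv4(hexaddr):
    # /proc/net/tcp stores IPv4 addresses as a little-endian 32-bit hex word.
    return ".".join(str(int(hexaddr[i:i + 2], 16)) for i in (6, 4, 2, 0))


def parse_proc_net_tcp(text):
    """Parse the /proc/net/tcp table into dicts with decoded addresses and ports."""
    rows = []
    for line in text.splitlines()[1:]:  # skip the header line
        f = line.split()
        if len(f) < 10:
            continue
        lip, lport = f[1].split(":")
        rip, rport = f[2].split(":")
        rows.append({
            "local_ip": _ipv4(lip), "local_port": int(lport, 16),
            "remote_ip": _ipv4(rip), "remote_port": int(rport, 16),
            "state": TCP_STATES.get(int(f[3], 16), f[3]),
            "uid": int(f[7]), "inode": int(f[9]),
        })
    return rows


def find_locker_sync_sockets(text, port=LOCKER_SYNC_PORT):
    """Return loopback sockets on the sync port; the inode maps to a PID via /proc/*/fd."""
    return [r for r in parse_proc_net_tcp(text)
            if r["local_port"] == port and r["local_ip"].startswith("127.")]


def scan_live(path="/proc/net/tcp"):
    """Run the check on the host's own table (Linux only)."""
    with open(path) as fh:
        return find_locker_sync_sockets(fh.read())


if __name__ == "__main__":
    for hit in find_locker_sync_sockets(SAMPLE_PROC_NET_TCP):
        print(hit)
```

The inode in each hit can be resolved to the owning process by matching it against the socket:[inode] targets under /proc/<pid>/fd, which is how you get from the listener to the locker's parent process and its children. Because the port number is fixed in the samples analyzed here, the same match expressed as a local-port condition works in whatever EDR or netflow tooling is available.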
Indicators of compromise (IOCs)
| SHA-256 | File type | File size (bytes) |
| --- | --- | --- |
| 02143f754f75dfd17cec58c113b7b5f95886649f57f9b28fe6abe1f1910fcc66 | ELF32 | 1930768 |
| 0339766b9f281d21444e0363a863b313eb22d1512e5865c917f65ff2921d0b22 | ELF64 | 1922056 |
| b0f466208c3100fb08fa04865851efe244731a6cfede46fabcd5980e3404aab7 | ELF64 | 1922056 |
| f8a816938c8c709459b81cc38d877f0d32de47dd9d42a37ca6bf466e8aa953df | ELF64 | 1922056 |
These previously unknown samples are largely the same as the publicly known samples, except for slight variations in the embedded configuration.
Linux Variant (SHA-256)
f8c08d00ff6e8c6adb1a93cd133b19302d0b651afd73ccb54e3b6ac6c60d99c6
5121f08cf8614a65d7a86c2f462c0694c132e2877a7f54ab7fcefd7ee5235a42
f7a038f9b91c40e9d67f4168997d7d8c12c2d27cd9e36c413dd021796a24e083