Ransom:Win32/BlackCat.MK!MTB

Arrival

Attackers use brute-force techniques to get access to a target device and deploy the BlackCat ransomware payload. To run the ransomware, attackers use a hexadecimal access token through the --access-token command line argument.

Initialization

Upon initialization, this ransomware detects the network, including all the servers that are connected and identifies files for encryption.

To identify the additional devices, the process broadcasts NetBIOS Name Service (NBNS) notification. It then Uses PsExec tool to attempt replication on the responding severs using the compromised credentials.

Deletes backups and shadow copies

After identifying files to encrypt, this ransomware deletes backups and shadow copies of files and system volumes to prevent recovery of encrypted files. It uses the following commands to delete shadow copies:

• vssadmin.exe Delete Shadows /All /Quiet

Stops processes and services

This ransomware stops the following processes and services to bypass security controls ensure they don’t lock files targeted for encryption:

• Services

backup, mepocs, memtas, msexchange, sql, svc$, veeam, vss

• Processes

agntsvc, dbeng50, dbsnmp, encsvc, excel, firefox, infopath, isqlplussvc, mydesktopqos, mspub, msaccess, mydesktopservice, notepad, ocomm, onenote, outlook, oracle, ocautoupds, ocssd, powerpnt, synctime, sql, steam, sqbcoreservice, tbirdconfig, thunderbird, thebat, visio, winword, wordpad, xfssvccon

Excludes files and extensions

This ransomware excludes the following folders, files, and extensions to avoid affecting the operating system:

• Excluded folders

• Excluded files

• Excluded extensions

ani, adv, bat, bin, cab, cmd, com, cur, cpl, diagpkg, drv, diagcab, diagcfg, dll, deskthemepack, exe, hlp, hta, icns, ics, idx, icl, ico, key, lnk, lock, ldf, msi, msp, msc, msstyles, mod, mpa, msu, nls, nomedia, ocx, prf, ps1, pdb, rom, rtp, scr, sys, shs, spl, themepack, theme, wpx, 386

Privilege escalation

The ransomware custom privilege escalation module contains features for using masquerade PEB and User Account Control (UAC) bypass escalation techniques. If the ransomware is not run with administrative privileges, it can run a secondary process under DllHost.exe with the necessary permissions to encrypt the maximum number of files on a target device.

A chain of events where this escalation is occurring can be found in the Process Monitor (procmon).

Encrypts files

This ransomware uses an AES or ChaCha20 algorithm to encrypt files. It synchronizes over a local network socket on port 61069 and generates a private key at runtime, as well as multiple worker processes in parallel through clone. This is beneficial for encryption, as it allows the process to handle multiple files simultaneously and encrypt the contents of the server faster.

Displays ransom note

After encryption, this ransomware drops a text file named RECOVER-${EXTENSION}-FILES.txt in all the encrypted folders. The ransom note indicates that files have been encrypted and provides recovery instructions. The note also includes threats about disclosing data found on the device.

It then replaces the desktop background image