BlackCat operates under a ransomware-as-a-service (RaaS) business model: affiliates keep 80% to 90% of each ransom payment, and the rest goes to the ransomware author. Palo Alto Networks released its findings on Thursday, January 27, and said that so far most of BlackCat's victims are based in the US. The victims are organizations in a wide variety of sectors, including construction, engineering, commercial services, retail, insurance, machinery, telecommunications, auto components, pharmaceuticals, professional services, and transportation. The RaaS aggressively names and shames its victims; in a little over a month, BlackCat has listed more than a dozen victims on its leak website.
How Does BlackCat RaaS Operate?
BlackCat solicits affiliates to deploy its ransomware through known cybercrime forums, and interviews and vets candidates before accepting them into the RaaS group. Once accepted, affiliates receive unique access to a Tor-based control panel, written in Russian, which provides updates and announcements on how to deploy and operate the ransomware as well as troubleshooting information. Affiliates also get access to a name-and-shame blog, where the names of victims who have not complied are posted. Palo Alto said the blog has been updated regularly since the group was discovered. While the majority of BlackCat's targets are in the US, its affiliates have also attacked organizations in Europe and the Philippines.
BlackCat Ransomware Uses Rust Programming Language
BlackCat's authors coded the ransomware in the Rust programming language. Rust is growing in popularity for its "fast and high performance, powerful web application development, low overhead for embedded programming, and memory management resolution." While BlackCat is not the first malware written in Rust, it is perhaps the first ransomware to use it. Rust also allows for individualized and customized attacks, and researchers have found BlackCat targeting both Linux and Windows systems. Affiliates that use the BlackCat ransomware are called the "BlackCat Gang." They follow common ransomware practices such as multiple extortion techniques: siphoning victim data prior to deployment, threatening to make the stolen data public, and launching distributed denial-of-service (DDoS) attacks. Palo Alto Networks' blog post contains additional information on the company's services, which it says can help detect and prevent BlackCat ransomware. If you found this article interesting and want to know more about ransomware-as-a-service, check out our detailed article here.