In an effort to stay ahead of improvements in automated detections and preventions, adversary groups continually look to new tactics, techniques and procedures (TTPs), and new tooling to progress their mission objectives. One group — known as BlackCat/ALPHV — has taken the sophisticated approach of developing their tooling from the ground up, using newer, more secure languages like Rust and highly customized configuration options per victim.

While these techniques and tools may be sophisticated, the CrowdStrike Falcon® platform in combination with Falcon OverWatch proactive human-driven hunting proved effective in blocking and unraveling this novel threat. OverWatch gave the victim organization context-rich notifications about the emerging threat to their environment, providing essential information for this organization to secure themselves against a novel eCrime threat. OverWatch is continually hunting to unearth evolving TTPs used by big game hunting (BGH) ransomware adversaries and other highly impactful intrusions as highlighted in this recent unsuccessful ransomware attack.

In late 2021, CrowdStrike Intelligence first became aware of BlackCat/ALPHV advertising to affiliates on underground forums. The group advertised a newly developed Rust-based ransomware-as-a-service (RaaS) offering, along with an enticing affiliate program that allows affiliates to retain a relatively generous 80% to 90% compared to the more typical 30% to 60%, depending on the RaaS and how successful it is.

By the end of January 2022, within weeks of launching, BlackCat/ALPHV had already gained notoriety for its expertise and aggressive approach to extorting victims. Extortion techniques used by BlackCat/ALPHV and affiliates include naming victims on a dedicated leak site (DLS), threatening to leak data on the DLS, encrypting data through ransomware, and finally implementing distributed denial of service (DDoS) attacks.

Good for Victim When BlackCat Crosses OverWatch’s Path

This blog details an unsuccessful BlackCat ransomware attack on an organization in the technology sector. OverWatch worked as a seamless extension of the Falcon platform to trace and track the adversary’s movements, providing critical context to the victim organization to facilitate comprehensive remediation.

Despite the adversary’s use of the novel BlackCat tooling, the Falcon sensor effectively blocked the attack, preventing both the deletion of volume shadow copies and the execution of the ransomware tool itself. Just as adversaries continuously evolve their approaches, the CrowdStrike Falcon® platform is continuously honed to detect and prevent emerging malicious activity. The Falcon platform takes a layered approach to detecting and preventing ransomware by using behavior-based indicators of attack (IOAs) and advanced machine learning (ML). Its detection capabilities are also informed by OverWatch’s front-line insights into novel threats.

Figure 1. Falcon sensor detects and blocks critical severity attempt to delete volume shadow copies

The Falcon platform’s detection and automated prevention of malicious activity sparked a rapid retrospective hunt to understand the threat to the victim’s environment, which revealed that the intrusion had stemmed from an unmanaged host. OverWatch is adept at finding adversary discovery activity or attempts to establish a persistent foothold in a victim’s environment. However, in this particular intrusion, the adversary gained initial access on a host that did not have the Falcon sensor installed, meaning that there was no visibility of this pre-ransomware activity for OverWatch. Despite this, OverWatch was still able to effectively track the adversary and provide the victim organization with a rapid context-rich notification about the activity underway in its environment before serious damage was done.

Upon investigation, OverWatch quickly uncovered the adversary’s use of “sender2” — identified as a file exfiltration tool (also known as Exmatter) — that was executed remotely with PsExec from an unmanaged host.

The sample sender2 executable crawls the computer for files matching a list of file extensions and is configured to send them to a remote server via the SFTP or WebDAV protocols. In the activity observed by OverWatch, the tool was set to evade detection in the following ways:

Self-deletion powershell.exe command:

powershell.exe -WindowStyle Hidden -C $path = '\\[REDACTED]\123\sender.exe';Get-Process | Where-Object {$_.Path -like $path} | Stop-Process -Force;[byte[]]$arr = new-object byte[] 830483531;Set-Content -Path $path -Value $arr;Remove-Item -Path $path;

Further analysis of the tool also revealed that the sample had a build time of approximately one hour before it was deployed, indicating that the adversary likely compiled the executable specifically for this intrusion.

Figure 2. OverWatch detects malicious file exfiltration tool “sender2,” executed under PsExecSvc.exe

After the attempted data exfiltration, the adversary moved to deploy the BlackCat ransomware. The ransomware executable was masquerading under the name of a legitimate third-party managed security service provider (MSSP). It was executed remotely under PsExec from a network shared folder named 123, and was launched as a child process of Microsoft’s File Explorer in another attempt to evade detection.
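As an added illustration (not code from the blog or from CrowdStrike’s tooling), the Python below runs two detection checks over constructed process-creation events: the hidden-window PowerShell overwrite-then-delete pattern seen in the sender2 self-deletion command above, and an executable launched directly from a network share under PsExec or explorer.exe, as described for the ransomware deployment. Host names, file names and the ProcEvent layout are assumptions.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation event: image path, parent image name, command line (assumed layout)."""
    image: str
    parent: str
    cmdline: str


# Constructed sample events (not incident data); the first mirrors the self-deletion one-liner above.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "PSEXESVC.exe",
              r"powershell.exe -WindowStyle Hidden -C $path = '\\fs01\123\sender.exe';"
              r"Get-Process | Where-Object {$_.Path -like $path} | Stop-Process -Force;"
              r"[byte[]]$arr = new-object byte[] 830483531;Set-Content -Path $path -Value $arr;"
              r"Remove-Item -Path $path;"),
    ProcEvent(r"\\fs01\123\mssp-agent.exe", "explorer.exe", r"\\fs01\123\mssp-agent.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "explorer.exe",
              r"powershell.exe -C Get-ChildItem C:\Users"),
]

HIDDEN_RE = re.compile(r"-w\w*\s+hidden", re.I)          # -WindowStyle Hidden and abbreviations
UNC_IMAGE_RE = re.compile(r"^\\\\[^\\]+\\[^\\]+\\")      # image path rooted on \\host\share\


def is_self_wipe(cmdline: str) -> bool:
    """Set-Content writes a byte array over a path, then Remove-Item deletes that same path."""
    m = re.search(r"Set-Content\s+-Path\s+(\$\w+)\s+-Value\s+\$\w+", cmdline, re.I)
    if not m:
        return False
    var = re.escape(m.group(1))
    return re.search(rf"Remove-Item\s+-Path\s+{var}\b", cmdline, re.I) is not None


def is_hidden_self_wipe(ev: ProcEvent) -> bool:
    return (ev.image.lower().endswith("powershell.exe")
            and HIDDEN_RE.search(ev.cmdline) is not None and is_self_wipe(ev.cmdline))


def is_share_launch(ev: ProcEvent) -> bool:
    """Executable started straight from a network share under a remote-exec or shell parent."""
    return bool(UNC_IMAGE_RE.match(ev.image)) and ev.parent.lower() in {"psexesvc.exe", "explorer.exe"}


def triage(events):
    """Return (rule_name, event_index) pairs for every event that trips a rule."""
    hits = []
    for i, ev in enumerate(events):
        if is_hidden_self_wipe(ev):
            hits.append(("hidden_powershell_self_wipe", i))
        if is_share_launch(ev):
            hits.append(("network_share_launch", i))
    return hits


if __name__ == "__main__":
    for rule, idx in triage(SAMPLE_EVENTS):
        print(f"{rule}: {SAMPLE_EVENTS[idx].image} (parent {SAMPLE_EVENTS[idx].parent})")
```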
