BlackCat Ransomware Improves Data Exfiltration and Steals Veeam Passwords

When analyzing the BlackCat / ALPHV ransomware attacks in August, Symantec experts (the team is now part of Broadcom) discovered a new, stealthier version of the Exmatter data exfiltration tool. Observers also noted the use of an additional piece of malware, the Eamfo infostealer, which can steal credentials stored by Veeam.

The cross-platform BlackCat ransomware, which Symantec tracks as Noberus, is widely regarded as the successor to BlackMatter and DarkSide. Its operators constantly update their tactics and techniques to make their attacks more effective.

Exmatter lets the ransomware operators quietly exfiltrate data from the corporate network before encryption is launched. The stolen information then serves as additional leverage: the attackers threaten to publish it if the ransom for the decryption key is not paid.

The new version of Exmatter narrows the list of file extensions it searches for to 19 entries (.pdf, .doc, .docx, .xls, .xlsx, .png, .jpg, .jpeg, .txt, .bmp, .rdp, .txt, .sql, .msg, .pst, .zip, .rtf, .ipt, .dwg). Among the other changes, analysts noted the following:

- data output via FTP, in addition to SFTP and WebDAV;
- creation of a report listing all processed files;
- corruption of files during processing (this functionality is disabled for now);
- self-removal when no corporate environment is detected (i.e. the host is outside an Active Directory domain);
- removal of SOCKS5 support;
- deployment via Windows Group Policy.
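The behaviour described above (a fixed set of document extensions pushed out over FTP, SFTP or WebDAV ahead of encryption) is something a defender can look for in outbound transfer logs. The following is an added example, not code from the article or from Symantec: it assumes a constructed, hypothetical log format and flags hosts that upload many files of the listed types over those channels.

```python
import os
import re
from collections import defaultdict
# Extensions the article lists for the new Exmatter build (duplicate .txt dropped).
EXMATTER_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".png", ".jpg", ".jpeg", ".txt",
                       ".bmp", ".rdp", ".sql", ".msg", ".pst", ".zip", ".rtf", ".ipt", ".dwg"}
# Output channels the article says Exmatter now supports.
EXFIL_PROTOCOLS = {"ftp", "sftp", "webdav"}
# Constructed, hypothetical log format (not any real product's):
# "<timestamp> <host> <protocol> <direction> <remote_path> <bytes>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proto>\S+) (?P<direction>\S+) (?P<path>\S+) (?P<size>\d+)$")

def parse_line(line):
    """Parse one log line into a dict; return None for malformed input."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["proto"], rec["direction"] = rec["proto"].lower(), rec["direction"].lower()
    rec["size"] = int(rec["size"])
    return rec

def is_targeted_upload(rec):
    """Outbound transfer over an Exmatter channel of a file type Exmatter collects."""
    ext = os.path.splitext(rec["path"])[1].lower()
    return (rec["direction"] == "out" and rec["proto"] in EXFIL_PROTOCOLS
            and ext in EXMATTER_EXTENSIONS)

def find_exfil_candidates(lines, min_files=3):
    """Return {host: stats} for hosts that pushed at least min_files targeted files."""
    per_host = defaultdict(lambda: {"files": 0, "bytes": 0, "protocols": set()})
    for line in lines:
        rec = parse_line(line)
        if rec and is_targeted_upload(rec):
            stats = per_host[rec["host"]]
            stats["files"] += 1
            stats["bytes"] += rec["size"]
            stats["protocols"].add(rec["proto"])
    return {host: s for host, s in per_host.items() if s["files"] >= min_files}

# Constructed sample: one host bulk-uploading targeted files, one below threshold, one ignored channel.
SAMPLE_LOG = [
    "2022-08-10T02:11:05Z ws-finance01 FTP out /drop/q2_report.xlsx 48211",
    "2022-08-10T02:11:07Z ws-finance01 FTP out /drop/contracts.pdf 120003",
    "2022-08-10T02:11:09Z ws-finance01 WEBDAV out /drop/mailbox.pst 9120000",
    "2022-08-10T02:11:11Z ws-finance01 FTP out /drop/servers.rdp 812",
    "2022-08-10T02:12:00Z ws-hr02 SFTP out /backup/notes.txt 1200",
    "2022-08-10T02:13:00Z ws-dev03 HTTPS out /api/upload/build.zip 7000000",
    "not a log line",
]
```

Running `find_exfil_candidates(SAMPLE_LOG)` flags only ws-finance01 (four targeted files over FTP and WebDAV); the threshold and the channel list are the knobs to tune against a real environment's baseline.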

The analysis also showed that the malicious code was largely rewritten – even the remaining functions were implemented
