From fa9829cec06ce7bb55fa18e5aa452f685b3164d7 Mon Sep 17 00:00:00 2001 From: Kevin Holvoet <1122246+digihash@users.noreply.github.com> Date: Wed, 2 Feb 2022 18:50:19 +0100 Subject: [PATCH 1/4] Update ransomware.json: add BlackCat (ALPHV) --- clusters/ransomware.json | 202 ++++++++++++++++++++++++++++++++++++++- 1 file changed, 200 insertions(+), 2 deletions(-) diff --git a/clusters/ransomware.json b/clusters/ransomware.json index 539bf91..e040c71 100644 --- a/clusters/ransomware.json +++ b/clusters/ransomware.json @@ -5291,7 +5291,7 @@ ], "refs": [ "http://download.bleepingcomputer.com/demonslay335/AlphaDecrypter.zip", - "http://www.bleepingcomputer.com/news/security/decrypted-alpha-ransomware-continues-the-trend-of-accepting-amazon-cards/", + "http://www.bleepingcomputer.com/news/security/decrypted-alpha-ransomware-nues-the-trend-of-accepting-amazon-cards/", "https://twitter.com/malwarebread/status/804714048499621888" ], "synonyms": [ @@ -24225,6 +24225,204 @@ "uuid": "feb5fa26-bad4-46da-921d-986d2fd81a40", "value": "WhisperGate" } + { + "description": "BlackCat (ALPHV) is ransomware written in Rust. The ransomware makes heavy use of plaintext JSON configuration files to specify the ransomware functionality. BlackCat has many advanced capabilities like escalating privileges and bypassing UAC make use of AES and ChaCha20 or Salsa encryption, may use the Restart Manager, can delete volume shadow copies, can enumerate disk volumes and network shares automatically, and may kill specific processes and services. The ransomware exists for both Windows, Linux, and ESXi systems. Multiple extortion techniques are used by the BlackCat gang, such as exfiltrating victim data before the ransomware deployment, threats to release data if the ransomw is not paid, and distributed denial-of-service (DDoS) attacks.", + "meta": { + "date": "June 2021", + "encryption": [ + "AES", + "ChaCha20", + "Salsa" + ], + "ransomnotes-refs": [ + "https://unit42.paloaltonetworks.com/wp-content/uploads/2022/01/word-image-78.png" + ], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackcat", + "https://1-id--ransomware-blogspot-com.translate.goog/2021/12/blackcat-ransomware.html?_x_tr_enc=1&_x_tr_sl=ru&_x_tr_tl=en&_x_tr_hl=ru", + "https://medium.com/s2wblog/blackcat-new-rust-based-ransomware-borrowing-blackmatters-configuration-31c8d330a809", + "https://github.com/f0wl/blackCatConf", + "https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/", + "https://www.varonis.com/blog/alphv-blackcat-ransomware", + "https://www.intrinsec.com/alphv-ransomware-gang-analysis", + "https://unit42.paloaltonetworks.com/blackcat-ransomware/" + ], + "synonyms": [ + "ALPHV" + ] + }, + "related": [ + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2acf44aa-542f-4366-b4eb-55ef5747759c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d74c4a7e-ffbf-432f-9365-7ebf1f787cab", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d74c4a7e-ffbf-432f-9365-7ebf1f787cab", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + "uuid": "e6c09b63-a424-4d9e-b7f7-b752cbbca02a", + "value": "BlackCat" + } ], - "version": 99 + "version": 100 } From 389add75803e20657799b76845c89f4a5afd4dc5 Mon Sep 17 00:00:00 2001 From: Kevin Holvoet <1122246+digihash@users.noreply.github.com> Date: Wed, 2 Feb 2022 18:54:31 +0100 Subject: [PATCH 2/4] Update ransomware.json with URL fix Fixed URL for AlphaLocker --- clusters/ransomware.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/clusters/ransomware.json b/clusters/ransomware.json index e040c71..b1dd182 100644 --- a/clusters/ransomware.json +++ b/clusters/ransomware.json @@ -5291,7 +5291,7 @@ ], "refs": [ "http://download.bleepingcomputer.com/demonslay335/AlphaDecrypter.zip", - "http://www.bleepingcomputer.com/news/security/decrypted-alpha-ransomware-nues-the-trend-of-accepting-amazon-cards/", + "https://www.bleepingcomputer.com/news/security/decrypted-alpha-ransomware-accepts-itunes-gift-cards-as-payment/", "https://twitter.com/malwarebread/status/804714048499621888" ], "synonyms": [ From 3d23f98d04634b592ff2d90613d63e30893caead Mon Sep 17 00:00:00 2001 From: Kevin Holvoet <1122246+digihash@users.noreply.github.com> Date: Wed, 2 Feb 2022 18:58:55 +0100 Subject: [PATCH 3/4] Forgot comma between JSON entries --- clusters/ransomware.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/clusters/ransomware.json b/clusters/ransomware.json index b1dd182..12b958d 100644 --- a/clusters/ransomware.json +++ b/clusters/ransomware.json @@ -24224,7 +24224,7 @@ }, "uuid": "feb5fa26-bad4-46da-921d-986d2fd81a40", "value": "WhisperGate" - } + }, { "description": "BlackCat (ALPHV) is ransomware written in Rust. The ransomware makes heavy use of plaintext JSON configuration files to specify the ransomware functionality. BlackCat has many advanced capabilities like escalating privileges and bypassing UAC make use of AES and ChaCha20 or Salsa encryption, may use the Restart Manager, can delete volume shadow copies, can enumerate disk volumes and network shares automatically, and may kill specific processes and services. The ransomware exists for both Windows, Linux, and ESXi systems. Multiple extortion techniques are used by the BlackCat gang, such as exfiltrating victim data before the ransomware deployment, threats to release data if the ransomw is not paid, and distributed denial-of-service (DDoS) attacks.", "meta": { From 3328b73185f75ac37e1e0a91d2e1ba8b67b50e65 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Wed, 2 Feb 2022 22:32:39 +0100 Subject: [PATCH 4/4] fix: [ransomware] array end missing --- clusters/ransomware.json | 1 + 1 file changed, 1 insertion(+) diff --git a/clusters/ransomware.json b/clusters/ransomware.json index 12b958d..a882f00 100644 --- a/clusters/ransomware.json +++ b/clusters/ransomware.json @@ -24420,6 +24420,7 @@ ], "type": "uses" } + ], "uuid": "e6c09b63-a424-4d9e-b7f7-b752cbbca02a", "value": "BlackCat" }