ALPHV ! Black Cat Ransomware in Rust

Black Cat With Big Yellow Eyes On A Black Background Stock Photo - Download Image Now - iStock

Researchers have discovered the first professional ransomware strain that was coded in the Rust programming language and was deployed against companies in real-world attacks. The ransomware is named ALPHV (aka BlackCat). The ransomware is technically the third ransomware strain written in Rust after a PoC strain was released on GitHub late 2020.

ALPHV is the first one to be created and deployed in the wild by what looks to be a professional cybercrime cartel. The author was believed previously involved with the infamous REvil ransomware cartel in some sort of capacity.

Advertisements

Following REvil’s model, this individual also going by the name of ALPHV has been advertising a Ransomware-as-a-Service (RaaS) of the same name on two underground cybercrime forums (XSS and Exploit), inviting others to join and launch attacks against companies to extract ransom payments. Those who apply, known as “affiliates,” receive a version of the ALPHV ransomware they can use in attacks.

Among the features they advertise is the ability to encrypt data on Windows, Linux, and VMWare eSXI systems, and the ability for “affiliates” to earn between 80% and 90% of the final ransom, depending on the total sum they extract from victims.

The BlackCat gang’s preferred initial entry vector is currently unknown, but once they breach a network, they search and steal sensitive files and then encrypt local systems. The group engages in double extortion, where they use the stolen data to put pressure on victims to pay, threatening to leak the stolen data if they don’t.

At present, the group seems to be operating multiple leak sites, with each of these hosting the data of one or two victims, with ALPHV (BlackCat) creating a new one to use in new attacks. A theory is that these leak sites are currently being hosted by the ALPHV (BlackCat) affiliates themselves, which explains the different leak URLs.