Microsoft has found a new version of the BlackCat ransomware

News
By Sead Fadilpašić
published

Some call it BlackCat 2.0, some BlackCat 3.0, and some call it Sphynx.

security
(Image credit: Shutterstock / binarydesign)

Microsoft Threat Intelligence, the company’s cybersecurity arm, recently announced the discovery of a new strain of the infamous BlackCat ransomware variant. 

In a thread posted on Twitter, the company said the new version comes with two new additions that help ransomware operators move laterally across compromised networks.

The two additions include the open-source communication framework tool Impacket, and the Remcom hacking tool.

Impacket and Remcom

Impacket has been described as an open-source collection of Python classes for working with network protocols, more commonly used as a post-exploitation toolkit by pentesters, red teamers, and cybercriminals, as it allows them to move laterally throughout the network, dump credentials from processes, perform NTLM relay attacks, and more.

With BlackCat, Impacket is being used to dump credentials and execute the encryptor code remotely.

Read more

> The best firewall software

> LockBit ransomware has cost victims millions in the US alone

> The end of Reddit? Why the blackout is still going – and what happens next

The Remcom hacktool is also used for remote code execution and lateral movement, both facilitating encryptor deployment. 

Microsoft doesn’t seem to be the first one to have stumbled upon this updated version of BlackCat. BleepingComputer says that VX-Underground reported on it in April this year. Citing a message BlackCat operators sent to its affiliates, the publication says the new version is called Sphynx:

"The code, including encryption, has been completely rewritten from scratch. By default all files are frozen. The main priority of this update was to optimize detection by AV/EDR," the crooks said in their announcement. 

BleepingComputer also saw a private Microsoft 365 Defender Threat Analytics advisory in which Microsoft said Storm-0875 started using Sphynx in July this year. 

BlackCat is also known as ALPHV and was first launched in November 2021. It is widely considered as one of the most popular and most disruptive ransomware variants out there. 

In more recent news, BlackCat was responsible for an attack against Reddit, one of the biggest online forums. 

Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.