BlackCat

BlackCat is ransomware written in Rust that has been offered via the Ransomware-as-a-Service (RaaS) model. First observed in November 2021, BlackCat has been used to target multiple sectors and organizations in various countries and regions in Africa, the Americas, Asia, Australia, and Europe.[1][2][3]

ID: S1068
Associated Software: ALPHV, Noberus
Type: MALWARE
Platforms: Linux, Windows
Contributors: Hiroki Nagahama, NEC Corporation; Josh Arenas, Trustwave Spiderlabs; Manikantan Srinivasan, NEC Corporation India; Pooja Natarajan, NEC Corporation India
Version: 1.1
Created: 28 February 2023
Last Modified: 21 October 2025

Associated Software Descriptions

Name | Description
ALPHV | [1][3]
Noberus | [3]


Techniques Used

Domain | ID | Name | Use
Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | BlackCat can bypass UAC to escalate privileges.[1]
Enterprise | T1134 | Access Token Manipulation | BlackCat has the ability to modify access tokens.[1][2]
Enterprise | T1087.002 | Account Discovery: Domain Account | BlackCat can utilize net use commands to identify domain users.[1]
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | BlackCat can execute commands on a compromised network with the use of cmd.exe.[1]
Enterprise | T1486 | Data Encrypted for Impact | BlackCat has the ability to encrypt Windows devices, Linux devices, and VMware instances.[1]
Enterprise | T1491.001 | Defacement: Internal Defacement | BlackCat can change the desktop wallpaper on compromised hosts.[1][2]
Enterprise | T1561.001 | Disk Wipe: Disk Content Wipe | BlackCat has the ability to wipe VM snapshots on compromised networks.[1][2]
Enterprise | T1083 | File and Directory Discovery | BlackCat can enumerate files for encryption.[1]
Enterprise | T1222.001 | File and Directory Permissions Modification: Windows File and Directory Permissions Modification | BlackCat can use Windows commands such as fsutil behavior set SymLinkEvaluation R2L:1 to redirect file system access to a different location after gaining access into compromised networks.[1]
Enterprise | T1070.001 | Indicator Removal: Clear Windows Event Logs | BlackCat can clear Windows event logs using wevtutil.exe.[1]
Enterprise | T1490 | Inhibit System Recovery | BlackCat can delete shadow copies using vssadmin.exe delete shadows /all /quiet and wmic.exe Shadowcopy Delete; it can also modify the boot loader using bcdedit /set {default} recoveryenabled No.[1]
Enterprise | T1570 | Lateral Tool Transfer | BlackCat can replicate itself across connected servers via psexec.[1]
Enterprise | T1680 | Local Storage Discovery | BlackCat can enumerate local drives.[1]
Enterprise | T1112 | Modify Registry | BlackCat has the ability to add the following registry key on compromised networks to maintain persistence: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters[1]
Enterprise | T1135 | Network Share Discovery | BlackCat has the ability to discover network shares on compromised networks.[1][2]
Enterprise | T1069.002 | Permission Groups Discovery: Domain Groups | BlackCat can determine if a user on a compromised host has domain admin privileges.[1]
Enterprise | T1018 | Remote System Discovery | BlackCat can broadcast NetBIOS Name Service (NBNS) messages to search for servers connected to compromised networks.[1]
Enterprise | T1489 | Service Stop | BlackCat has the ability to stop VM services on compromised networks.[1][2]
Enterprise | T1082 | System Information Discovery | BlackCat can obtain the computer name and UUID.[1]
Enterprise | T1033 | System Owner/User Discovery | BlackCat can utilize net use commands to discover the user name on a compromised host.[1]
Enterprise | T1047 | Windows Management Instrumentation | BlackCat can use wmic.exe to delete shadow copies on compromised networks.[1]
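As an added illustration that is not part of the ATT&CK entry, the Python script below runs simple detection logic over constructed Windows process-creation events for the command lines quoted in this table under T1490 (vssadmin, wmic, bcdedit), T1070.001 (wevtutil), T1222.001 (fsutil) and T1047. The key=value event format, the host names and timestamps, the `cl`/`clear-log` wevtutil subcommand (the table names only wevtutil.exe) and the severity thresholds are assumptions made for this example.

```python
"""Match the recovery-inhibition, log-clearing and symlink-evaluation command
lines attributed to BlackCat on this page against process-creation events."""
import re
from collections import defaultdict

# Rules: (technique ID from this page, short label, case-insensitive pattern over
# the process command line). Patterns follow the commands quoted on the page;
# the `cl`/`clear-log` subcommand for wevtutil is an assumption.
RULES = [
    ("T1490", "vssadmin delete shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\s.*\bdelete\s+shadows\b", re.I)),
    ("T1490", "wmic shadowcopy delete",
     re.compile(r"\bwmic(?:\.exe)?\s.*\bshadowcopy\s+delete\b", re.I)),
    ("T1490", "bcdedit recoveryenabled No",
     re.compile(r"\bbcdedit(?:\.exe)?\s.*\brecoveryenabled\s+no\b", re.I)),
    ("T1070.001", "wevtutil clear-log",
     re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", re.I)),
    ("T1222.001", "fsutil SymLinkEvaluation R2L",
     re.compile(r"\bfsutil(?:\.exe)?\s.*\bsymlinkevaluation\b.*\bR2L:1\b", re.I)),
]

# Minimal key=value event format constructed for this example (not a real
# EDR or Sysmon schema). Quoted values may contain spaces.
EVENT_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Turn one key=value log line into a dict, unquoting quoted values."""
    return {key: (quoted or bare) for key, quoted, bare in EVENT_RE.findall(line)}


def detect(lines):
    """Return one finding (technique, label, host, cmdline) per matching event."""
    findings = []
    for line in lines:
        event = parse_event(line)
        cmdline = event.get("cmdline", "")
        for technique, label, pattern in RULES:
            if pattern.search(cmdline):
                findings.append((technique, label, event.get("host", "?"), cmdline))
    return findings


def hosts_by_severity(findings):
    """Rate a host 'high' when two or more distinct rules fired on it (the
    shadow-copy, WMI and boot-loader commands typically run back to back),
    otherwise 'medium'. The threshold is an assumption for this example."""
    labels_per_host = defaultdict(set)
    for _technique, label, host, _cmdline in findings:
        labels_per_host[host].add(label)
    return {host: ("high" if len(labels) >= 2 else "medium")
            for host, labels in labels_per_host.items()}


# Constructed sample events: two benign administrative commands on WS01,
# the page's recovery-inhibition sequence plus log clearing on FS02, and the
# fsutil symlink change on DC01.
SAMPLE_EVENTS = [
    r'ts=2025-01-01T10:00:00Z host=WS01 user=alice image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin.exe list shadows"',
    r'ts=2025-01-01T10:01:00Z host=WS01 user=alice image=C:\Windows\System32\wevtutil.exe cmdline="wevtutil qe Security /c:5"',
    r'ts=2025-01-01T10:02:00Z host=FS02 user=SYSTEM image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin.exe delete shadows /all /quiet"',
    r'ts=2025-01-01T10:02:05Z host=FS02 user=SYSTEM image=C:\Windows\System32\wbem\WMIC.exe cmdline="wmic.exe Shadowcopy Delete"',
    r'ts=2025-01-01T10:02:10Z host=FS02 user=SYSTEM image=C:\Windows\System32\bcdedit.exe cmdline="bcdedit /set {default} recoveryenabled No"',
    r'ts=2025-01-01T10:03:00Z host=FS02 user=SYSTEM image=C:\Windows\System32\wevtutil.exe cmdline="wevtutil.exe cl System"',
    r'ts=2025-01-01T10:04:00Z host=DC01 user=SYSTEM image=C:\Windows\System32\fsutil.exe cmdline="fsutil behavior set SymLinkEvaluation R2L:1"',
]

if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for technique, label, host, cmdline in hits:
        print(f"{host}: {technique} ({label}): {cmdline}")
    print(hosts_by_severity(hits))
```

The benign `vssadmin list shadows` and `wevtutil qe` lines produce no findings, so alerting on the listed binaries alone would be noisy; the rules key on the destructive subcommands instead, and the per-host grouping is what turns three individually explainable events on FS02 into one high-severity signal.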

Groups That Use This Software

ID | Name | References
G1015 | Scattered Spider | Scattered Spider has deployed BlackCat ransomware to victim environments for financial gain.[4][5][6][7]

References
