The rise of crypto ransomware attacks
As a seasoned cybersecurity professional with over two decades of experience under my belt, I can confidently say that the evolving landscape of ransomware attacks is nothing short of breathtaking – or should I say, heart-stopping? The case of BlackCat ransomware is particularly alarming due to its rapid scaling and diverse targets.
Ransomware attacks continue to plague the cryptocurrency world, and one of the most notable players is the BlackCat group.
It’s common nowadays for ransomware attacks to revolve around digital currencies such as cryptocurrencies. The allure of cryptocurrency lies in its anonymity and lack of a central authority, making it appealing to cybercriminals. More and more, these criminals are drawn to the relative anonymity offered by crypto transactions and their convenience for moving funds across borders.
2024 saw an alarming increase in the number and intensity of ransomware attacks, with groups like BlackCat capitalizing on these characteristics by asking for payments in cryptocurrency. This makes it more challenging for law enforcement to track down and recover the stolen funds.
Chainalysis’ cryptocurrency-cybercrime report pointed to this growing trend:
- $1.9 billion in ransomware payments recorded in 2024 by mid-year, an 80% increase from the previous year.
- The average ransom demand rose 30% in 2024, reaching nearly $6 million per attack.
In my analysis, it’s not only large corporations such as MGM Resorts or UnitedHealth that have been subjected to ransom demands in cryptocurrencies worth millions of dollars. Individual investors are also finding themselves in the crosshairs. These cybercriminals are employing increasingly complex strategies, like double extortion, where they not only encrypt data but also threaten to disclose sensitive information unless an additional payment is made.
What strategies could the cryptocurrency sector employ to counteract these complex assaults? Let’s delve into the tactics of the BlackCat ransomware group, understand their methods, and explore potential ways to safeguard against the rising dangers in the blockchain environment.
BlackCat ransomware attack explained
The BlackCat (or alternatively, Noberus or ALPHV) ransomware is malicious software developed by a collective of cybercriminals who primarily speak Russian.
BlackCat is a notorious ransomware group operating on a service basis, frequently grabbing attention for its destructive activities within the cryptocurrency sphere. This group emerged in November 2021 and has since launched attacks against numerous organizations globally, with Reddit being one of its victims in 2023 and Change Healthcare suffering an attack in 2024.
BlackCat, a type of ransomware, follows a specific method of operation: it penetrates systems, scrambles data, and then asks for large sums of cryptocurrency as ransom to re-access the data. What makes BlackCat unique among other ransomware families is its sophisticated coding design and adaptable attack strategies, which are frequently fine-tuned to exploit the weaknesses of specific targets, making it extremely efficient.
From its initial development, BlackCat operated across multiple platforms such as Windows and Linux. It was written in the less commonly used Rust programming language, which gave it high adaptability and speed in its encryption processes.
By 2024, BlackCat intensified its operations, capitalizing on vulnerabilities in both corporate networks and cryptocurrency systems. The attacks typically employ a two-pronged strategy: data encryption and the theft of sensitive information, along with threats to publicize this information unless an extra ransom is paid. This approach provides the group with significant power over its targets.
One chilling aspect of BlackCat is its unique mode of operation. It employs a decentralized affiliate system, allowing it to amass hackers worldwide who can coordinate and execute attacks at will. Each affiliate is equipped with customizable attack payloads, making BlackCat adept at exploiting weaknesses and striking where it causes maximum damage. In essence, BlackCat possesses the ability to identify vulnerabilities and inflict pain precisely.
Did you know? The US Department of State is offering a reward of up to $10 million for information leading to the identification or location of individuals in key leadership positions within the group behind the BlackCat ransomware attacks.
How BlackCat ransomware works
BlackCat ransomware is notorious for its methodical and strategic actions in cybercrime, posing a significant danger in the digital world.
Here’s a breakdown of how BlackCat ransomware operates:
- Initial access: BlackCat typically infiltrates systems through phishing emails, stolen credentials or exploiting unpatched vulnerabilities.
- Establishing persistence: Attackers install backdoors to maintain access and harvest credentials for lateral movement within the network.
- Data encryption: Using the Rust programming language, BlackCat encrypts important files, rendering them unusable without the decryption key.
- Double extortion: Attackers steal data before encrypting it, threatening to leak it if the ransom is not paid.
- Ransom demands: Payments in cryptocurrencies like Bitcoin (BTC) or Monero (XMR), equating to millions of dollars, are demanded, ensuring the attacker’s anonymity.
- Customizable attacks: Affiliates can tailor the ransomware to specific victims, targeting Windows or Linux platforms with advanced techniques to avoid detection.
Victims are compelled to pay ransoms using cryptocurrencies, ensuring anonymity and making it extremely difficult for law enforcement to trace or reclaim the funds. The emergence of BlackCat serves as a stark warning about the significance of safeguarding digital assets and infrastructure from the constantly evolving cyber threats that persist in the crypto space.
Have you heard that BlackCat operates using the Rust programming language, allowing it to work seamlessly on both Windows and Linux platforms? This versatility makes it more adaptable compared to other types of ransomware.
BlackCat affiliate model
Affiliates are freelance cybercriminals who collaborate with the BlackCat organization, using their advanced Ransomware-as-a-Service structure and resources.
BlackCat’s success is built upon an affiliate system, where various parties help expand its influence far and wide. Let me explain this process:
- Affiliate program: Cybercriminals sign up for BlackCat’s program to access and distribute ransomware payloads.
- Profit-sharing model: Affiliates earn a significant portion of any ransom they collect, while a share is sent to the BlackCat developers.
- Double extortion tactics: Affiliates often use a two-pronged approach by encrypting data and threatening to leak it unless the ransom is paid.
- Customizable payloads: BlackCat provides affiliates with the ability to customize ransomware for specific targets, making attacks harder to defend against.
- Cryptocurrency payments: Affiliates demand ransoms in crypto, which provides anonymity and makes tracing payments exceedingly difficult.
As an analyst, I can say that by adopting an affiliate model, BlackCat has accelerated its growth exponentially, allowing it to strike high-value objectives spanning multiple industries.
BlackCat ransomware institutional attacks
The BlackCat organization has successfully attacked prominent businesses, resulting in substantial disruptions to their operations and finances.
As a crypto investor, I’ve come across some striking instances that underscore the broad impact and intensity of BlackCat’s institutional assaults. Here are a few noteworthy examples:
- Oiltanking Group and Mabanaft attack: BlackCat struck Oiltanking Group and Mabanaft in early 2022. The attack shut down their fuel storage and distribution systems, significantly disrupting supply chains in Germany. The hackers demanded a substantial ransom to release encrypted systems, though the exact amount was not widely disclosed (with 5-7 days allotted to purchase Bitcoin or Monero cryptocurrency for making ransom payments). No arrests were reported in connection with this attack.
- MGM Resorts and Caesars Entertainment: In September 2023, BlackCat was involved in a high-profile ransomware attack on MGM Resorts International and Caesars Entertainment. The stakes were high — Caesars initially faced a demand for $30 million in Bitcoin but managed to negotiate down to $15 million. MGM Resorts, however, refused to pay the ransom, leading to weeks-long operational shutdowns and a financial loss of $100 million for the quarter. This attack was executed by the BlackCat affiliate Scattered Spider, a group of American and British hackers.
- Change Healthcare: In early 2024, BlackCat attacked Change Healthcare, a subsidiary of UnitedHealth Group, resulting in the theft of sensitive patient data and operational disruptions. To recover their systems, Change Healthcare reportedly paid a $22 million ransom in Bitcoin. This event highlighted the growing risk of ransomware attacks in the health-care sector and the precarious position companies are in when dealing with these cybercriminals.
Protect against BlackCat ransomware
Understanding root causes and how ransomware operates is the first step toward protecting against it.
To protect against BlackCat ransomware, it is critical to avoid mistakes and take protective measures, including:
- Regularly back up your data: Frequent, encrypted backups stored offline can be a lifeline if your files are encrypted.
- Establish strong cybersecurity protocols: Ensure the organization’s cybersecurity team conducts regular vulnerability assessments and enforces security protocols like multi-factor authentication and network monitoring.
- Employee training: The team should also provide training to employees to ensure everyone understands and follows security best practices across official work channels and platforms.
- Install antivirus software: A robust antivirus system can help detect and stop the malware before it encrypts your files.
- Be cautious of phishing attempts: Be proactive in spotting and avoiding phishing emails that might carry ransomware payloads.
- Employ password management systems: Enforcing regular password updates can prevent cybercriminals from gaining access to accounts.
- Segment your network: Isolating parts of your network can limit the spread of ransomware.
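Two of the measures above, verifiable backups and catching encryption before it spreads, can be made concrete. The following Python script is an added example (not code from the article, from Chainalysis, or from any BlackCat analysis): it builds a SHA-256 manifest of a directory so an offline backup can be checked against it before a restore, and it applies a Shannon-entropy heuristic to flag files that look encrypted while their extension says plain text, or that carry an unfamiliar appended extension. The directory layout, file names, contents and the `.locked` suffix are all constructed for the demonstration, and the entropy threshold and suffix lists are assumptions a defender would tune to their own environment.

```python
"""Ransomware-impact triage helper (added example, not from the article).

Two defensive checks:
  1. Backup integrity: a SHA-256 manifest of a tree, diffed later against
     the live tree (or an offline copy) to find modified, missing and new files.
  2. Encryption detection: encrypted data has Shannon entropy close to
     8 bits/byte; a .csv or .txt at that entropy, or an unknown appended
     extension at that entropy, is a strong sign a payload has run.
"""
import hashlib
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

ENTROPY_THRESHOLD = 7.5          # bits/byte; assumed tuning value, encrypted data sits near 8.0
MIN_SIZE = 256                   # tiny files give unreliable entropy estimates
PLAINTEXT_SUFFIXES = {".txt", ".csv", ".log", ".json", ".xml", ".html", ".md"}
HIGH_ENTROPY_OK = {".zip", ".gz", ".7z", ".png", ".jpg", ".mp4", ".pdf"}  # legitimately dense formats


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root: Path) -> dict[str, str]:
    """Relative path -> SHA-256 hex digest for every regular file under root."""
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def diff_manifest(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Compare a stored (offline) manifest with a fresh one."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "new": sorted(k for k in current if k not in baseline),
    }


def suspicious_files(root: Path) -> list[tuple[str, str]]:
    """Flag files whose entropy does not match what their extension implies."""
    findings = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        data = p.read_bytes()
        if len(data) < MIN_SIZE:
            continue
        ent = shannon_entropy(data)
        if ent <= ENTROPY_THRESHOLD:
            continue
        suffix = p.suffix.lower()
        rel = str(p.relative_to(root))
        if suffix in PLAINTEXT_SUFFIXES:
            findings.append((rel, f"entropy {ent:.2f} but extension implies plain text"))
        elif suffix and suffix not in HIGH_ENTROPY_OK:
            findings.append((rel, f"unknown extension {suffix} with entropy {ent:.2f}"))
    return findings


def demo() -> dict:
    """Constructed scenario: a small document share before and after an encryption event."""
    rng = random.Random(1234)     # deterministic stand-in for ciphertext; no real malware involved
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ledger.csv").write_text("date,asset,amount\n" + "2024-01-01,BTC,0.5\n" * 40)
        (root / "notes.txt").write_text("quarterly review notes\n" * 30)
        (root / "photo.jpg").write_bytes(rng.randbytes(1024))   # dense but legitimate
        baseline = build_manifest(root)                          # what the offline backup records

        # Simulated aftermath (constructed): one file overwritten in place,
        # one renamed with an appended extension, one note dropped.
        (root / "ledger.csv").write_bytes(rng.randbytes(2048))
        (root / "notes.txt").rename(root / "notes.txt.locked")
        (root / "notes.txt.locked").write_bytes(rng.randbytes(2048))
        (root / "RECOVER-FILES.txt").write_text("constructed placeholder note\n")

        return {"changes": diff_manifest(baseline, build_manifest(root)),
                "flagged": suspicious_files(root)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it and the manifest diff names exactly which files a restore must replace, while the entropy pass points at `ledger.csv` and `notes.txt.locked` but leaves the JPEG alone; on a real fileshare the manifest would be written to the offline backup media at backup time, and the entropy scan would run from a scheduled job or an EDR rule rather than from a temporary directory.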
Even though they are under pressure from global law enforcement agencies, BlackCat continues to pose a substantial risk in 2024. As such, it’s crucial for cryptocurrency users to remain alert, fortify their cybersecurity defenses, and keep abreast of developing ransomware menaces.
2024-11-03 14:08