"BlackCat Ransomware Affiliate TTPs | Huntress. Background: On December 19, 2023, the Justice Department Office of Public Affairs issued a press release indicating that the FBI had “disrupted the ALPHV/BlackCat ransomware variant.” This variant of ransomware is offered to affili…"
T1486 Data Encrypted for Impact (99%)
"file encryption. Summary: The threat actor was connected to the endpoint via the second identified ScreenConnect instance for just under three minutes, and during that time was able to download a copy of the ransomware executable to the endpoint, react to the file being quarantine…"
T1486 Data Encrypted for Impact (98%)
"-token d72766a868fef87c0c073c1ec3b6a92b7daed7313b81ee6523386049f768b09d --no-prop-servers \\<NetBIOS name> --propagated. These commands, which were child processes of the ransomware executable process, were clearly intended to allow the ransomware to move laterally to…"
T1486 Data Encrypted for Impact (97%)
"--access-token d72766a868fef87c0c073c1ec3b6a92b7daed7313b81ee6523386049f768b09d. For the uninitiated, one of the aspects of RaaS ransomware products is that the executable files will often contain embedded commands used to disable security products and obviate recovery. After…"
T1486 Data Encrypted for Impact (91%)
"and included references to ScreenConnect (see Table 4, “Network Indicators”, in the advisory). The Attack: Huntress has an extremely diverse customer base, spanning a wide range of geographic locations and business verticals. On February 22, 2024, Huntress SOC analysts respond…"
T1080 Taint Shared Content (87%)
"-token d72766a868fef87c0c073c1ec3b6a92b7daed7313b81ee6523386049f768b09d --no-prop-servers \\<NetBIOS name> --propagated. These commands, which were child processes of the ransomware executable process, were clearly intended to allow the ransomware to move laterally to…"
T1490 Inhibit System Recovery (83%)
"--access-token d72766a868fef87c0c073c1ec3b6a92b7daed7313b81ee6523386049f768b09d. For the uninitiated, one of the aspects of RaaS ransomware products is that the executable files will often contain embedded commands used to disable security products and obviate recovery. After…"
T1080 Taint Shared Content (65%)
"file encryption. Summary: The threat actor was connected to the endpoint via the second identified ScreenConnect instance for just under three minutes, and during that time was able to download a copy of the ransomware executable to the endpoint, react to the file being quarantine…"
T1219 Remote Access Tools (44%)
"…ct instances running. From the available logs, the first ScreenConnect instance, which reported back to the MSP infrastructure and was likely legitimate, was installed on November 10, 2021. At that time, the installed ScreenConnect version was 20.10.957.7556. On February 20,…"
T1134 Access Token Manipulation (41%)
"- Three seconds later, the file C:\Windows\System32\iw0pjckezadktma5xkv8zxs6.exe was detected by Windows Defender, and the file was successfully quarantined at 14:10:31 UTC. At 14:11:46 UTC, the Windows Defender SpyNetReporting value was changed from 2 to 0, essen…"
T1080 Taint Shared Content (39%)
"BlackCat Ransomware Affiliate TTPs | Huntress. Background: On December 19, 2023, the Justice Department Office of Public Affairs issued a press release indicating that the FBI had “disrupted the ALPHV/BlackCat ransomware variant.” This variant of ransomware is offered to affili…"
T1080 Taint Shared Content (31%)
"and included references to ScreenConnect (see Table 4, “Network Indicators”, in the advisory). The Attack: Huntress has an extremely diverse customer base, spanning a wide range of geographic locations and business verticals. On February 22, 2024, Huntress SOC analysts respond…"
Summary
This blog post provides a detailed look at the TTPs of a ransomware affiliate operator. In this case, the endpoint had been moved to another infrastructure (as illustrated by various command lines, and confirmed by the partner), so while Huntress SOC analysts reported the activity to the partner, no Huntress customer was impacted by the ransomware deployment.