BlackCat Ransomware Increases Demands Up to $2.5m

Cybersecurity researchers from Resecurity said they have detected a substantial increase in the value of ransom demand requests by the BlackCat ransomware group.

“Such tactics significantly affect ransomware underground ecosystems, hitting businesses of different sizes hard worldwide,” writes the company in an advisory.

“Based on the recently compromised victims in [the] Nordics region [...] the amount to be paid exceeds $2m.”

The threat actors (TA) behind BlackCat have been operating since at least November, launching major attacks such as the one against Italian luxury fashion brand Moncler in January, and the one targeting terminals in some of Europe’s biggest ports in February.

Now, the group is getting bolder, issuing $2.5m ransom demands, with a possible discount of close to half when the victim chooses to resolve the incident as soon as possible.

“The average time allocated for payment varies between 5-7 days, to give victims some time to purchase BTC or XMR cryptocurrency,” Resecurity wrote. “In case of difficulties, the victim may engage an ‘intermediary’ for [the] further recovery process.”

According to Resecurity, the average ransomware payment increased by 82% since 2020, setting a record high of $570,000 in the first half of 2021, and then almost doubling that by 2022.

“The latest forecast is for global ransomware extortion activity to reach $265bn by 2031, with total damages for businesses valued at $10.5tn globally.”

BlackCat is also known as "ALPHV", "AlphaVM" and "AphaV," and is a ransomware family created in the Rust programming language.

“Notably, despite the fact BlackCat and Alpha have completely different URLs in TOR Network, the scenarios used on their pages are identical, and likely developed by the same actors,” the Resecurity advisory reads.

For context, Rust is considered a versatile programming language, and one that seems to be favored by ransomware-focused TAs in the last few months. For instance, last week, the developers of the Hive ransomware family upgraded the malicious tool by switching its infrastructure from GoLang to Rust.

To mitigate the impact of BlackCat, the Resecurity team said system administrators should review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.

The company also suggested organizations should regularly back up data, air gap, and password-protect backup copies offline.

For a full list of recommendations, you can see the full text of the advisory here.

What’s Hot on Infosecurity Magazine?