BlackCat Ransomware | Highly-Configurable, Rust-Driven RaaS On The Prowl For Victims

BlackCat (aka AlphaVM, AlphaV) is a newly established RaaS (Ransomware as a Service) with payloads written in Rust. While BlackCat is not the first ransomware written in the Rust language, it joins a small (yet growing) sliver of the malware landscape making use of this popular cross-platform language.

First appearing in late November, BlackCat has reportedly been attacking targets in multiple countries, including Australia, India and the U.S, and demanding ransoms in the region of $400,000 to $3,000,000 in Bitcoin or Monero.

BlackCat Ransomware Overview

In order to attract affiliates, the authors behind BlackCat have been heavily marketing their services in well-known underground forums.

BlackCat operators maintain a victim blog as is standard these days. The blog hosts company names and any data leaked in the event that the victims do not agree to cooperate.

Current data indicates primary delivery of BlackCat is via 3rd party framework/toolset (e.g., Cobalt Strike) or via exposed (and vulnerable) applications. BlackCat currently supports both Windows and Linux operating systems.

BlackCat Configuration Options

Samples analyzed (to date ) require an “access token” to be supplied as a parameter upon execution. This is similar to threats like Egregor, and is often used as an anti-analysis tactic. This ‘feature’ exists in both the Windows and Linux versions of BlackCat.

However, the BlackCat samples we analyzed could be launched with any string supplied as the access token. For example:

Malware.exe -v --access-token 12345

The ransomware supports a visible command set, which can be obtained via the -h or --help parameters.

BlackCat command line options

As seen above, the executable payloads support a variety of commands, many of which are VMware-centric.

 --no-prop                                  Do not self propagate(worm) on Windows
 --no-prop-servers <NO_PROP_SERVERS>        Do not propagate to defined servers
 --no-vm-kill                               Do not stop VMs on ESXi
 --no-vm-snapshot-kill                      Do not wipe VMs snapshots on ESXi
 --no-wall                                  Do not update desktop wallpaper on Windows

In verbose mode (-v) the following output can be observed upon launch of the BlackCat payloads:

BlackCat ransomware run in verbose mode

BlackCat Execution and Encryption Behaviour

Immediately upon launch, the malware will attempt to validate the existence of the previously mentioned access-token, followed by querying for the system UUID (wmic).

Those pieces of data are concatenated together into what becomes the ‘Access key’ portion of their recovery URL displayed in the ransom note. In addition, on Windows devices, BlackCat attempts to delete VSS (Volume Shadow Copies) as well as enumerate any accessible drives to search for and encrypt eligible files.

Other configuration parameters are evaluated before proceeding to execute multiple privilege escalation methods, based on the OS identified by wmic earlier. These methods are visible at the time of execution and include the use of the Com Elevation Moniker.

It is at this point that BlackCat will attempt to terminate any processes or services listed within the configuration such as any processes which may inhibit the encryption process. There are also specific files and directories that are excluded from encryption. Much of this is configurable at the time of building the ransomware payloads.

The targeted processes and services are noted in the kill_processes and kill_services sections respectively. File and folder exclusions are handled in the exclude directory_names section.

To further illustrate, the following were extracted from sample ​d65a131fb2bd6d80d69fe7415dc1d1fd89290394/​74464797c5d2df81db2e06f86497b2127fda6766956f1b67b0dcea9570d8b683:


backup memtas mepocs msexchange
sql svc$ veeam vss


agntsvc dbeng50 dbsnmp encsvc
excel firefox infopath isqlplussvc
msaccess mspub mydesktopqos mydesktopservice
notepad ocautoupds ocomm ocssd
onenote oracle outlook powerpnt
sqbcoreservice sql steam synctime
tbirdconfig thebat thunderbird visio
winword wordpad xfssvccon


$recycle.bin $windows.~bt $windows.~ws 386
adv all users ani appdata
application data autorun.inf bat bin
boot boot.ini bootfont.bin bootsect.bak
cab cmd com config.msi
cpl cur default deskthemepack
diagcab diagcfg diagpkg dll
drv exclude_file_extensions:[themepack exclude_file_names:[desktop.ini exe
google hlp hta icl
icns ico iconcache.db ics
idx intel key ldf
lnk lock mod mozilla
mpa msc msi msocache
msp msstyles msu] nls
nomedia ntldr ntuser.dat ntuser.dat.log]
ntuser.ini ocx pdb perflogs
prf program files program files (x86) programdata
ps1 public rom rtp
scr shs spl sys
system volume information theme thumbs.db tor browser
windows windows.old] wpx

BlackCat also spawns a number of its own processes, with syntax (for Windows) as follows:

 WMIC.exe (CLI interpreter)   csproduct get UUID
 cmd.exe (CLI interpreter)   /c "reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f"
 cmd.exe (CLI interpreter)   /c "wmic csproduct get UUID"
 cmd.exe (fsutil.exe)        /c "fsutil behavior set SymlinkEvaluation R2L:1"
 fsutil.exe                  behavior set SymlinkEvaluation R2L:1
 cmd.exe (fsutil.exe)        /c "fsutil behavior set SymlinkEvaluation R2R:1"

The fsutil-based modifications are meant to allow for use of both remote and local symlinks. BlackCat enables ‘remote to local’ and ‘remote to remote’ capability.

 fsutil.exe                     behavior set SymlinkEvaluation R2R:1
 cmd.exe (vssadmin.exe)         /c "vssadmin.exe delete shadows /all /quiet"
 reg.exe (CLI interpreter)      add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f

 cmd.exe (worldwideStrata.exe)  /c "C:\Users\admin1\Desktop\worldwideStrata.exe" --child
 vssadmin.exe                   delete shadows /all /quietcmd.exe (ARP.EXE) /c "arp -a"

Some more recently-built copies have a few additions. For example, in sample c1187fe0eaddee995773d6c66bcb558536e9b62c/c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40 we see the addition of:

 wmic.exe Shadowcopy Delete"
 "iisreset.exe /stop"
 bcdedit.exe /set {default} recoveryenabled No

Much like other fine details, all this can be adjusted or configured by the affiliates at the time of building the payloads.

BlackCat configurations are not necessarily tailored to the target operating system. In the Linux variants we have analyzed to date, there are Windows-specific process, service, and file references in the kill_processes, kill_services, and exclude_directory_names.

The following excerpt is from sample f8c08d00ff6e8c6adb1a93cd133b19302d0b651afd73ccb54e3b6ac6c60d99c6.

Linux variant configuration

Specific encryption logic is not necessarily novel either and is somewhat configurable by the affiliate at the time of building the ransomware payloads. BlackCat supports both ChaCha20 and AES encryption schemes.

Extensions on encrypted files can vary across samples. Examples observed include .dkrpx75, .kh1ftzx and .wpzlbji.

BlackCat ransomware execution chain (Windows version)

Post-Infection, Payment and Portal

Infected clients will be greeted with a ransom note as well as a modified desktop image.

BlackCat’s modified desktop image

Infected uses are instructed to connect to the attackers’ payment portal via TOR.

BlackCat ransom note

The ransom note informs the victim that not only have files been encrypted but data has been stolen.

Victim’s are threatened with data leakage if they refuse to pay and provided with a list of data types that have been stolen.

In theory, once victims connect to the attacker’s portal, they are able to communicate and potentially acquire a decryption tool. Everything on the BlackCat portal is tied back to the specific target ID, which must be supplied correctly from the URL in the ransom note.


In its relatively short time on the radar, BlackCat has carved a notable place for itself amongst mid-tier ransomware actors. This group knows their craft and are cautious when selecting partners or affiliates. It is possible that some of the increased affiliation and activity around BlackCat is attributed to other actors migrating to BlackCat as larger platforms fizzle out (Ryuk, Conti, LockBit and REvil).

Actors utilizing BlackCat know their targets well and make every attempt to stealthily compromise enterprises. Prevention by way of powerful, modern, endpoint security controls are a must. The SentinelOne Singularity Platform is capable of detecting and preventing BlackCat infections on both Windows and Linux endpoints.

Indicators of Compromise



T1027.002 – Obfuscated Files or Information: Software Packing
T1027 – Obfuscated Files or Information
T1007 – System Service Discovery
T1059 – Command and Scripting Interpreter
TA0010 – Exfiltration
T1082 – System Information Discovery
T1490 – Inhibit System Recovery
T1485 – Data Destruction
T1078 – Valid Accounts
T1486 – Data Encrypted For Impact
T1140 – Encode/Decode Files or Information
T1202 – Indirect Command Execution
T1543.003 – Create or Modify System Process: Windows Service
T1550.002 – Use Alternate Authentication Material: Pass the Hash