Microsoft: BlackCat’s Sphynx Ransomware Embeds Impacket, Remcom

Cyber Security Threat Summary:
Microsoft has identified a new variant of the BlackCat ransomware which incorporates the Impacket networking framework and the Remcom hacking tool. These tools facilitate the ransomware’s ability to propagate within a compromised network.

“In April, cybersecurity researcher VX-Underground tweeted about a new BlackCat/ALPHV encryptor version called Sphynx. "We are pleased to inform you that testing of basic features ALPHV/BlackCat 2.0: Sphynx is completed," said the BlackCat operators in a message to their affiliates. "The code, including encryption, has been completely rewritten from scratch. By default all files are frozen. The main priority of this update was to optimize detection by AV/EDR," further explained the ransomware operations. Soon after, IBM Security X-Force performed a deep dive into the new BlackCat encryptor, warning that the encryptor evolved into a toolkit. This was based on strings in the executable that indicated it contained impacket, used for post-exploitation functions such as remote execution and dumping secrets from processes” (BleepingComputer, 2023).

Microsoft’s Threat Intelligence team has shared a series of posts today presenting its analysis of the new Sphynx version. The findings show that this version uses the Impacket framework for lateral movement within compromised networks. Microsoft stated, “We’ve observed a recent use of new BlackCat ransomware version in campaigns. This variant incorporates the impacket framework, an open-source communication tool employed by threat actors to enable lateral movement within targeted environments”. Impacket is an open-source collection of Python classes for working with network protocols. In practice, however, it is more often used as a post-exploitation toolkit by penetration testers, red teamers and threat actors. The toolkit supports lateral movement across a network, extraction of credentials from processes, execution of NTLM relay attacks, and various other functions.
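Because the embedded Impacket components run remote commands over SMB and WMI, their default invocations leave recognisable artifacts in Windows event logs. The following detection sketch is an added example, not code from the page, Microsoft or the Impacket project: it scans constructed Windows System/Security log records for the well-known default command patterns of Impacket's smbexec (service install via Event ID 7045) and wmiexec (process creation via Event ID 4688 under WmiPrvSE.exe). The event shapes and the assumption that the defaults are unchanged are mine; operators can rename these strings, so a hit is one signal to investigate, not proof.

```python
import re
from typing import Dict, List, Optional, Tuple

# Assumed default artifacts of Impacket's remote-execution helpers:
# - smbexec: a service (Event ID 7045) whose binary path is a cmd.exe one-liner
#   that redirects output into an admin share (\\127.0.0.1\C$\__output).
# - wmiexec: a process (Event ID 4688) spawned by WmiPrvSE.exe that redirects
#   output to \\127.0.0.1\ADMIN$\__<timestamp>.
SHARE_REDIRECT = re.compile(r"\\\\127\.0\.0\.1\\(ADMIN|C)\$\\__", re.IGNORECASE)
COMSPEC_ONE_LINER = re.compile(r"(%COMSPEC%|cmd\.exe)\s+/Q\s+/c", re.IGNORECASE)


def classify(event: Dict) -> Optional[str]:
    """Return a label for a suspicious event, or None if it looks benign."""
    if event.get("EventID") == 7045:
        path = event.get("ImagePath", "")
        if COMSPEC_ONE_LINER.search(path) and SHARE_REDIRECT.search(path):
            return "smbexec-style service install"
    if event.get("EventID") == 4688:
        cmd = event.get("CommandLine", "")
        parent = event.get("ParentProcessName", "").lower()
        if parent.endswith("wmiprvse.exe") and SHARE_REDIRECT.search(cmd):
            return "wmiexec-style process creation"
    return None


def scan(events: List[Dict]) -> List[Tuple[str, str]]:
    """Return (service name or command line, label) for every flagged event."""
    hits = []
    for ev in events:
        label = classify(ev)
        if label:
            hits.append((ev.get("ServiceName") or ev.get("CommandLine"), label))
    return hits


# Constructed sample records (not from the page), shaped like forwarded
# Windows System/Security events; two benign, two matching the heuristics.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "WinHttpAutoProxySvc",
     "ImagePath": "%SystemRoot%\\System32\\svchost.exe -k netsvcs"},
    {"EventID": 7045, "ServiceName": "BTOBTO",
     "ImagePath": "%COMSPEC% /Q /c echo cd ^> \\\\127.0.0.1\\C$\\__output 2^>^&1 > "
                  "%TEMP%\\execute.bat & %COMSPEC% /Q /c %TEMP%\\execute.bat"},
    {"EventID": 4688, "ParentProcessName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "CommandLine": "cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1692000000.12 2>&1"},
    {"EventID": 4688, "ParentProcessName": "C:\\Windows\\explorer.exe",
     "CommandLine": "notepad.exe C:\\Users\\alice\\notes.txt"},
]

if __name__ == "__main__":
    for name, label in scan(SAMPLE_EVENTS):
        print(f"{label}: {name}")
```

Feeding real forwarded events through `classify` (one dict per record) is enough to pilot this as a SIEM rule; pair it with alerting on new service installs and NTLM network logons from the same source host to catch renamed variants.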

Security Officer Comments:
Microsoft noted the emergence of this latest encryptor version, used by the BlackCat affiliate ‘Storm-0875’ since July 2023. Although the ransomware operation refers to it as ‘Sphynx’ or ‘BlackCat/ALPHV 2.0’ when communicating with affiliates, Microsoft is designating this new version BlackCat 3.0. The transformation of the BlackCat encryptor from a standalone encryptor into a comprehensive post-exploitation toolkit lets ransomware affiliates move quickly to network-wide file encryption. This shift shortens the window for detecting a ransomware attack in progress, posing additional challenges for defenders who aim to identify such incidents promptly.

Suggested Correction(s):
Backup your data, system images, and configurations, regularly test them, and keep the backups offline: Ensure that backups are regularly tested and that they are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current backups offline is critical because if your network data is encrypted with ransomware, your organization can restore systems.

Update and patch systems promptly: This includes maintaining the security of operating systems, applications, and firmware in a timely manner. Consider using a centralized patch management system; use a risk-based assessment strategy to drive your patch management program.

Test your incident response plan: There's nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?

Check your security team's work: Use a third-party penetration tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.

Segment your networks: There's been a recent shift in ransomware attacks – from stealing data to disrupting operations. It's critically important that your corporate business functions and manufacturing/production operations are separated and that you carefully filter and limit internet access to operational networks, identify links between these networks and develop workarounds or manual controls to ensure ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety critical functions can be maintained during a cyber incident.

Train employees: Email remains the most vulnerable attack vector for organizations. Users should be trained how to spot and avoid phishing emails. Multi-factor authentication can help prevent malicious access to sensitive services.