New BlackCat/ALPHV Ransomware Variant Abuses Impacket and RemCom Tools


August 24, 2023

Microsoft researchers uncovered a new BlackCat/ALPHV ransomware variant that embeds Impacket and RemCom tools for lateral movement and remote code execution.

"The Impacket tool has credential dumping and remote service execution modules that could be used for broad deployment of the BlackCat ransomware in target environments," The Hacker News reports.

"This BlackCat version also has the RemCom hacktool embedded in the executable for remote code execution. The file also contains hardcoded compromised target credentials that actors use for lateral movement and further ransomware deployment."

Takeaway: BlackCat/ALPHV is arguably the most advanced ransomware threat in the wild, as noted in our report Power Rankings: 2022 Ransomware Malicious Quartile.

While BlackCat/ALPHV has not conducted the volume of attacks that counterparts like LockBit and, more recently, Cl0p can boast, it continues to have the most technically advanced RaaS platform offering and keeps adding new capabilities.

First observed in late 2021, BlackCat/ALPHV employs a well-developed RaaS platform that encrypts by way of an AES algorithm. The code is highly customizable and includes JSON configurations for affiliate customization.

BlackCat/ALPHV released a new ransomware version called Sphynx with upgraded evasion capabilities. BlackCat/ALPHV can disable security tools and evade analysis and can employ several different encryption routines.

BlackCat/ALPHV was the first ransomware group to use Rust, a memory-safe programming language that offers exceptional performance for concurrent processing. The ransomware deletes all Volume Shadow Copies using the vssadmin.exe utility and wmic to thwart rollback attempts, and it escalates privileges on the host.
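Shadow-copy deletion via vssadmin.exe and wmic is one of the few host-level actions in this summary that a defender can detect directly from process-creation telemetry, and it typically fires just before encryption begins. The following is an added example, not code from the original post or from Halcyon: a small classifier that runs over constructed Sysmon-style process-creation records (the field names `Image` and `CommandLine` and the sample command lines are assumptions for illustration) and flags the `vssadmin delete shadows` and `wmic shadowcopy delete` forms named above. It also goes one step beyond the text by flagging `vssadmin resize shadowstorage`, a second widely documented way of purging shadow copies, and it normalizes case, extra whitespace and quoting so trivial variations do not slip past.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style).
# These are illustrative records, not real telemetry from any incident.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": 'VSSADMIN  "Delete"   Shadows /For=C: /Oldest /Quiet'},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},            # benign: enumeration only
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic process list brief"},          # benign: no shadowcopy verb
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"},
]


def normalize(command_line):
    """Lower-case, collapse whitespace and strip quotes so that
    'VSSADMIN  "Delete"   Shadows' tokenizes the same as 'vssadmin delete shadows'."""
    tokens = re.split(r"\s+", command_line.strip().lower())
    return [t.strip("\"'") for t in tokens if t]


def tool_name(event, tokens):
    """Derive the executable name from the Image path (preferred, since the
    command line's first token can be anything); fall back to the command line."""
    image = event.get("Image") or ""
    name = image.rsplit("\\", 1)[-1].lower() if image else (tokens[0] if tokens else "")
    return name[:-4] if name.endswith(".exe") else name


def classify(event):
    """Return a short verdict string for shadow-copy tampering, or None if benign."""
    tokens = normalize(event.get("CommandLine", ""))
    if not tokens:
        return None
    tool = tool_name(event, tokens)
    args = tokens[1:]  # first token is the program itself

    if tool == "vssadmin" and len(args) >= 2:
        if args[0] == "delete" and args[1] == "shadows":
            return "vssadmin shadow copy deletion"
        if args[0] == "resize" and args[1] == "shadowstorage":
            return "vssadmin shadow storage resize"

    # wmic may carry /node: or other switches before the alias, so match by presence.
    if tool == "wmic" and "shadowcopy" in args and "delete" in args:
        return "wmic shadow copy deletion"

    return None


def scan(events):
    """Run the classifier over a list of events; return (index, verdict) for hits."""
    hits = []
    for i, event in enumerate(events):
        verdict = classify(event)
        if verdict:
            hits.append((i, verdict))
    return hits


if __name__ == "__main__":
    for idx, verdict in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {verdict} <- {SAMPLE_EVENTS[idx]['CommandLine']}")
```

Matching on the `Image` basename rather than the command line's first token matters because the command line is attacker-controlled text while the image path comes from the OS; in production the rule would also be paired with a parent-process check, since a backup agent deleting shadow copies under a service account looks very different from the same command launched by a user-level process.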

BlackCat/ALPHV developers opted for faster over stronger encryption by employing several modes of intermittent encryption, and the group uses a tool called Exmatter for data exfiltration.

BlackCat/ALPHV has a wide variability in targeting, but most often focuses on the financial, manufacturing, legal and professional services industries and exfiltrates victim data prior to the execution of the ransomware – including from cloud-based deployments – to be leveraged in double extortion schemes to compel payment of the ransom demand.

The automation of network discovery to expand the range of addressable targets is also concerning. Automation means ransomware operators hit more victims faster, which translates to more ransoms collected and more fiscal pain for the victim organizations, which is the name of the game for these threat actors. is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more.