100 Days of YARA – Day 17: BlackCat Ransomware

BlackCat ransomware is a new ransomware strain written in Rust.

This was an interesting one because I was able to find initial samples via data from a screenshot posted to Twitter:

The screenshot with the progress bar stood out to me, because it is a somewhat unique-looking progress bar. I searched my private collection and some of the private collections I have access to with the following rule, which yielded a handful of samples:

rule blackcat_ransomware
{
	meta:
		description = "BlackCat ransomware"

	strings:
		$ = "Speed: "
		$ = ", Data: "
		$ = ", Files processed: "
		$ = ", Files scanned: "

	condition:
		all of them
}

Taking a closer look at the files I was able to collect that matched this rule, I was able to confirm that these were indeed BlackCat ransomware. I confirmed this by comparing what was presented in public research to each of these samples.

Reviewing the strings, the ransom note is present. The ransom notes point to .onion sites likely controlled by the operators of this ransomware. As such, I collected these and made some generic rules which may match additional artifacts related to this group:

rule blackcat_ransomware
{
	meta:
		description = "BlackCat ransomware"
		language = "rust"
		reference = "https://samples.vx-underground.org/samples/Families/BlackCatRansomware/"

	strings:
		$ = "Speed:  Mb/s, Data: Mb/Mb, Files processed: /, Files scanned: "

	condition:
		all of them
}

rule blackcat_ransomware_onion
{
	meta:
		description = ".onion domains associated with BackCat ransomware"

	strings:
		$ = "alphvmmm27o3abo3r2mlmjrpdmzle3rykajqc5xsj7j7ejksbpsa36ad.onion" ascii wide
		$ = "mu75ltv3lxd24dbyu6gtvmnwybecigs5auki7fces437xvvflzva2nqd.onion" ascii wide
		$ = "sty5r4hhb5oihbq2mwevrofdiqbgesi66rvxr5sr573xgvtuvr4cs5yd.onion" ascii wide
		$ = "zujgzbu5y64xbmvc42addp4lxkoosb4tslf5mehnh7pvqjpwxn5gokyd.onion" ascii wide


	condition:
		any of them
}

rule blackcat_ransomware_public_key
{
	meta:
		description = "BlackCat ransomware public key strings"

	strings:
		$ = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt9uYkHzaizNXg/S11ncTTLybkMtqrKW8gg6TyzbGWnRNROl9O+l1VZBLG0xiMt1mZbuStl8Lt3l1vlkMa92kgLjN+UfKmq3KhBEheN2uMmR0WpwV83kceVRmzr5lug4RyQ/xA6/OXK4NptDIT4L6CUTBWMyk2mmY0Cq9HyyrjdnHeAXWAcQGFEac7W4jTjONZqI+lgScPewS+cPFnz1hAD0IAqzj5X2mZVSfFGR3tDoIe42jw5wb6W2yi8zb3mgKrGtTBbw0Ppj0UgKrmdN5iFmfUQHLEzKAakDggLcBtrW1o5+4WMaZOLw8maU5byvjXu3F3i3GdQe8SKTYcVK5OQIDAQAB"
		$ = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApw3tWdMaWJvNf2Mejy5H0Y6kuj+lstNpwFyismGDEYhWKPps9c68xl+84o6uLKfqPzNvLnSxlVa6DitcJGeKJEQkzN+C1e1KsfzM63jHybREB2hs+dHbqBq4dbamIQcTrrr4mKzuHJ7aok4mlpRx2Un1XOJaodoV7xOHO7ui5v6uK39MJ3rvitSEBvv5oI0WDlp3IFmtd6UM6r2nygY1ncAUuasalZgF1Vaz7VXOWyX2ReQHbYWWRCR1qyKMQcBtjT5POXx9B8ek1pnU4p65kGe9M794Bhhh20GN24gY5a+zwXwstaNTO9luwd4xjjRQAVsDgjrjkzti27G11ICn6wIDAQAB"

	condition:
		any of them
}

2 thoughts on “100 Days of YARA – Day 17: BlackCat Ransomware

  1. Pingback: YARA Rules Index – DMFR SECURITY

  2. Pingback: Week 02 – 2022 – This Week In 4n6

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s