The Austrian federal state of Carinthia was attacked on Tuesday, and government services were severely disrupted as more and more workstations were apparently locked by the attacker.
BlackCat, also known as ALPHV, a rebrand of the DarkSide/BlackMatter group, is one of the more sophisticated ransomware operations. The ransomware executable is highly customizable, with different encryption methods and options that allow attacks on a wide range of corporate environments.
The group demands $5 million to unlock the encrypted systems, which include most workstations in the Austrian state.
Carinthia’s website and email services are currently offline, so the administration is also unable to issue new passports or traffic fines. According to the spokesperson, Gerd Kurath, this could continue for another few days.
The attack has also disrupted COVID test processing and the contact tracing carried out through the administrative offices.
No evidence has been found that the data breach was successful, and none of the usual teaser posts on the group’s leak site support such a claim either. The spokesperson confirmed that there is no intention of paying the ransom.
The spokesperson further clarified that, of the estimated 3000 affected workstations, the first would be available again by last Friday.
According to BleepingComputer, “FBI published a warning that the BlackCat had breached at least 60 entities worldwide, assuming the status it was anticipated to attain as one of the most active and dangerous ransomware projects out there.”
INDICATORS OF COMPROMISE
PowerShell Scripts
| FILE NAME | MD5 HASH |
| --- | --- |
| amd – Copy.ps1 | 861738dd15eb7fb50568f0e39a69e107 |
| ipscan.ps1 | 9f60dd752e7692a2f5c758de4eab3e6f |
| Run1.ps1 | 09bc47d7bc5e40d40d9729cec5e39d73 |
Additional PowerShell Filenames
- [###].ps1
- CME.ps1
- [#].ps1
- Run1.ps1
- mim.ps1
- [##].ps1
- psexec.ps1
- Systems.ps1
- System.ps1
Batch Scripts
| FILE NAME | MD5 HASH |
| --- | --- |
| CheckVuln.bat | f5ef5142f044b94ac5010fd883c09aa7 |
| Create-share-RunAsAdmin.bat | 84e3b5fe3863d25bb72e25b10760e861 |
| LPE-Exploit-RunAsUser.bat | 9f2309285e8a8471fce7330fcade8619 |
| RCE-Exploit-RunAsUser.bat | 6c6c46bdac6713c94debbd454d34efd9 |
| est.bat | e7ee8ea6fb7530d1d904cdb2d9745899 |
| runav.bat | 815bb1b0c5f0f35f064c55a1b640fca5 |
Executables and DLLs
| FILE NAME | MD5 HASH |
| --- | --- |
| http_x64.exe | 6c2874169fdfb30846fe7ffe34635bdb |
| spider.dll | 20855475d20d252dda21287264a6d860 |
| spider_32.dll | 82db4c04f5dcda3bfcd75357adf98228 |
| powershell.dll | fcf3a6eeb9f836315954dae03459716d |
| rpcdump.exe | 91625f7f5d590534949ebe08cc728380 |

| FILE NAME | SHA1 HASH |
| --- | --- |
| mimikatz.exe | d241df7b9d2ec0b8194751cd5ce153e27cc40fa4 |
| run.exe | 4831c1b113df21360ef68c450b5fca278d08fae2 |
| zakrep_plink.exe | fce13da5592e9e120777d82d27e06ed2b44918cf |
| beacon.exe | 3f85f03d33b9fe25bcfac611182da4ab7f06a442 |
| win1999.exe | 37178dfaccbc371a04133d26a55127cf4d4382f8 |
| [compromised company].exe | 1b2a30776df64fbd7299bd588e21573891dcecbe |
Additional Observed Filenames
- test.exe
- xxx.exe
- Mim.exe
- xxxw.exe
- crackmapexec.exe
- Services.exe
- plink.exe
- Systems.exe
- PsExec64.exe
BlackCat Ransomware SHA256 Hashes
- 731adcf2d7fb61a8335e23dbee2436249e5d5753977ec465754c6b699e9bf161
- f837f1cd60e9941aa60f7be50a8f2aaaac380f560db8ee001408f35c1b7a97cb
- 80dd44226f60ba5403745ba9d18490eb8ca12dbc9be0a317dd2b692ec041da28
C2 IPs
- 89.44.9.243
- 185.220.102.253
- 198.144.121.93
- 23.106.223.97
- 94.232.41.155
- 142.234.157.246
- 37.120.238.58
- 89.163.252.230
- 139.60.161.161
- 45.134.20.66
- 152.89.247.207
- 45.153.160.140
- 146.0.77.15
In recent months, administrations across Europe have been repeatedly hit with ransomware and other malware. We therefore suggest that all organizations update their security controls and take additional steps to protect their data against these kinds of attacks.