Austria hit by BlackCat Ransomware, which demands $5 Million


The Austrian federal state of Carinthia was attacked on Tuesday, and government services were severely disrupted as more and more workstations were apparently locked by the attacker.

BlackCat, also known as ALPHV, is a rebrand of the DarkSide/BlackMatter group and one of the more sophisticated ransomware operations. Its ransomware executable is highly customizable, offering several encryption methods and options that allow attacks on a wide range of corporate environments.

The group demands $5 million to unlock the encrypted systems, which include most of the workstations in the Austrian state.

Carinthia’s website and email services are currently offline, so the administration is also unable to issue new passports or traffic fines. According to the spokesperson, Gerd Kurath, this could continue for another few days.

The attack also disrupted the COVID test processing and contact tracing handled through the administrative offices.

So far no evidence has been found that the data breach succeeded, and none of the usual teaser posts have appeared on the group’s leak site either. The spokesperson confirmed that there is no intention of paying the ransom.

The spokesperson further clarified that, of the roughly 3,000 workstations assumed to be affected, the first would be available again by last Friday.

According to BleepingComputer, “The FBI published a warning that BlackCat had breached at least 60 entities worldwide, assuming the status it was anticipated to attain as one of the most active and dangerous ransomware projects out there.”

INDICATORS OF COMPROMISE

PowerShell Scripts

FILE NAME                       MD5 HASH
amd – Copy.ps1                  861738dd15eb7fb50568f0e39a69e107
ipscan.ps1                      9f60dd752e7692a2f5c758de4eab3e6f
Run1.ps1                        09bc47d7bc5e40d40d9729cec5e39d73

Additional PowerShell Filenames

  • [###].ps1
  • CME.ps1
  • [#].ps1
  • Run1.ps1
  • mim.ps1
  • [##].ps1
  • psexec.ps1
  • Systems.ps1
  • System.ps1

Batch Scripts

FILE NAME                       MD5 HASH
CheckVuln.bat                   f5ef5142f044b94ac5010fd883c09aa7
Create-share-RunAsAdmin.bat     84e3b5fe3863d25bb72e25b10760e861
LPE-Exploit-RunAsUser.bat       9f2309285e8a8471fce7330fcade8619
RCE-Exploit-RunAsUser.bat       6c6c46bdac6713c94debbd454d34efd9
est.bat                         e7ee8ea6fb7530d1d904cdb2d9745899
runav.bat                       815bb1b0c5f0f35f064c55a1b640fca5

Executables and DLLs

FILE NAME                       MD5 HASH
http_x64.exe                    6c2874169fdfb30846fe7ffe34635bdb
spider.dll                      20855475d20d252dda21287264a6d860
spider_32.dll                   82db4c04f5dcda3bfcd75357adf98228
powershell.dll                  fcf3a6eeb9f836315954dae03459716d
rpcdump.exe                     91625f7f5d590534949ebe08cc728380

FILE NAME                       SHA1 HASH
mimikatz.exe                    d241df7b9d2ec0b8194751cd5ce153e27cc40fa4
run.exe                         4831c1b113df21360ef68c450b5fca278d08fae2
zakrep_plink.exe                fce13da5592e9e120777d82d27e06ed2b44918cf
beacon.exe                      3f85f03d33b9fe25bcfac611182da4ab7f06a442
win1999.exe                     37178dfaccbc371a04133d26a55127cf4d4382f8
[compromised company].exe       1b2a30776df64fbd7299bd588e21573891dcecbe

Additional Observed Filenames

  • test.exe
  • xxx.exe
  • Mim.exe
  • xxxw.exe
  • crackmapexec.exe
  • Services.exe
  • plink.exe
  • Systems.exe
  • PsExec64.exe

BlackCat Ransomware SHA256 Hashes

  • 731adcf2d7fb61a8335e23dbee2436249e5d5753977ec465754c6b699e9bf161
  • f837f1cd60e9941aa60f7be50a8f2aaaac380f560db8ee001408f35c1b7a97cb
  • 80dd44226f60ba5403745ba9d18490eb8ca12dbc9be0a317dd2b692ec041da28

C2 IPs

  • 89.44.9.243
  • 185.220.102.253
  • 198.144.121.93
  • 23.106.223.97
  • 94.232.41.155
  • 142.234.157.246
  • 37.120.238.58
  • 89.163.252.230
  • 139.60.161.161
  • 45.134.20.66
  • 152.89.247.207
  • 45.153.160.140
  • 146.0.77.15
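The indicators above are only useful once they are actually checked against an environment. The following script is an added example, not code from the original article or from any vendor: it loads the MD5, SHA-1, SHA-256, filename and C2 IP indicators listed in the tables above, classifies individual files against them, and scans log lines for connections to the listed C2 addresses. The firewall log lines and file contents used to exercise it are constructed for illustration; the hash and IP values are the ones published above.

```python
"""Hunt for the BlackCat / ALPHV indicators listed in the tables above.

Added example, not code from the original article: it checks file hashes and
filenames against the published IoC tables and scans log lines for the listed
C2 addresses. The sample log lines and file contents below are constructed.
"""
import hashlib
import re
from pathlib import Path

# Hash values copied from the IoC tables above.
IOC_MD5 = {
    "861738dd15eb7fb50568f0e39a69e107", "9f60dd752e7692a2f5c758de4eab3e6f",
    "09bc47d7bc5e40d40d9729cec5e39d73",                                      # PowerShell scripts
    "f5ef5142f044b94ac5010fd883c09aa7", "84e3b5fe3863d25bb72e25b10760e861",
    "9f2309285e8a8471fce7330fcade8619", "6c6c46bdac6713c94debbd454d34efd9",
    "e7ee8ea6fb7530d1d904cdb2d9745899", "815bb1b0c5f0f35f064c55a1b640fca5",  # batch scripts
    "6c2874169fdfb30846fe7ffe34635bdb", "20855475d20d252dda21287264a6d860",
    "82db4c04f5dcda3bfcd75357adf98228", "fcf3a6eeb9f836315954dae03459716d",
    "91625f7f5d590534949ebe08cc728380",                                      # executables and DLLs
}
IOC_SHA1 = {
    "d241df7b9d2ec0b8194751cd5ce153e27cc40fa4", "4831c1b113df21360ef68c450b5fca278d08fae2",
    "fce13da5592e9e120777d82d27e06ed2b44918cf", "3f85f03d33b9fe25bcfac611182da4ab7f06a442",
    "37178dfaccbc371a04133d26a55127cf4d4382f8", "1b2a30776df64fbd7299bd588e21573891dcecbe",
}
IOC_SHA256 = {
    "731adcf2d7fb61a8335e23dbee2436249e5d5753977ec465754c6b699e9bf161",
    "f837f1cd60e9941aa60f7be50a8f2aaaac380f560db8ee001408f35c1b7a97cb",
    "80dd44226f60ba5403745ba9d18490eb8ca12dbc9be0a317dd2b692ec041da28",
}
IOC_C2_IPS = {
    "89.44.9.243", "185.220.102.253", "198.144.121.93", "23.106.223.97",
    "94.232.41.155", "142.234.157.246", "37.120.238.58", "89.163.252.230",
    "139.60.161.161", "45.134.20.66", "152.89.247.207", "45.153.160.140",
    "146.0.77.15",
}
# Filenames from the report that are specific enough to be worth a lead.
# Generic names such as test.exe or System.ps1 are left out; even these are
# low confidence on their own, since admin tools like PsExec share them.
IOC_FILENAMES = {n.lower() for n in (
    "amd – Copy.ps1", "ipscan.ps1", "Run1.ps1", "CME.ps1", "mim.ps1", "psexec.ps1",
    "CheckVuln.bat", "Create-share-RunAsAdmin.bat", "LPE-Exploit-RunAsUser.bat",
    "RCE-Exploit-RunAsUser.bat", "runav.bat", "spider.dll", "spider_32.dll",
    "rpcdump.exe", "mimikatz.exe", "zakrep_plink.exe", "crackmapexec.exe",
    "plink.exe", "PsExec64.exe", "Mim.exe", "beacon.exe", "win1999.exe",
)}
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def hashes_of(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of a file's bytes; all three because the tables mix them."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def classify_file(name: str, data: bytes) -> list:
    """Return every IoC match for one file; an empty list means nothing matched.

    A hash match is high confidence; a filename-only match is a lead to triage.
    """
    findings = []
    digests = hashes_of(data)
    for algo, known in (("md5", IOC_MD5), ("sha1", IOC_SHA1), ("sha256", IOC_SHA256)):
        if digests[algo] in known:
            findings.append(f"{algo} match {digests[algo]} (high confidence)")
    base = Path(name).name
    if base.lower() in IOC_FILENAMES:
        findings.append(f"filename match {base} (low confidence)")
    return findings


def scan_log_for_c2(lines) -> list:
    """Return (line_number, ip) for every listed C2 address found in the log lines."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for ip in IPV4_RE.findall(line):
            if ip in IOC_C2_IPS:
                hits.append((number, ip))
    return hits


def scan_directory(root) -> dict:
    """Map each file under root to its findings, keeping only files that matched."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            findings = classify_file(path.name, path.read_bytes())
            if findings:
                results[str(path)] = findings
    return results


# Constructed sample firewall log (not from the article). 203.0.113.5 is a
# documentation address; the other two destinations are in the C2 list above,
# so the scanner should flag lines 2 and 3.
SAMPLE_FIREWALL_LOG = [
    "2022-05-24T10:02:11Z allow src=10.0.0.15 dst=203.0.113.5 dport=443",
    "2022-05-24T10:02:13Z allow src=10.0.0.15 dst=89.44.9.243 dport=443",
    "2022-05-24T10:04:52Z deny src=10.0.0.22 dst=45.134.20.66 dport=8080",
]

if __name__ == "__main__":
    print(scan_log_for_c2(SAMPLE_FIREWALL_LOG))
    print(classify_file("/tmp/mimikatz.exe", b"constructed sample bytes"))
```

Hash matches are the strong signal here; a filename hit alone (plink.exe, PsExec64.exe) is common in legitimate administration and should only prompt a closer look at the file's hash, signer and parent process. Export firewall or proxy logs to text and pass the lines to `scan_log_for_c2`, or point `scan_directory` at a share or staging folder to sweep it against the published hashes.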

In recent months, administrations across Europe have been repeatedly hit by ransomware and other malware. We therefore urge all organizations to update their security measures and take additional steps to protect their data against attacks of this kind.

About the Author:

FirstHackersNews- Identifies Security