Thursday 29 September 2022, 15:00 - 15:30
Aleksandar Milenkoski (Cybereason)
Time is critical for ransomware operators – the faster they encrypt the victim's files, the less likely they are to be detected in the process. Encryption can be a time-consuming process, and ransomware developers know this. That is why they get creative when programming encryption routines – the goal is to minimize the time spent on encryption and maximize the amount of encrypted file content. In this way, the greatest possible irretrievable damage is done in the shortest possible time.
BlackCat is a new and very high-profile player on the current ransomware scene. The ALPHV threat group behind it runs a ransomware-as-a-service operation: it provides the malware to affiliates in exchange for a share of the ransom payments.
The way BlackCat performs encryption is highly customizable, and ALPHV uses this as an advertising tool to attract affiliates. BlackCat operators can choose between six encryption modes and two encryption algorithms, and can further configure each encryption mode with mode-specific settings. Each mode and algorithm sits at a specific point on the trade-off between encryption speed and encryption completeness, that is, the share of each file's content that is actually encrypted.
We reverse-engineered the BlackCat ransomware to provide a first look into the inner workings of the encryption modes that BlackCat implements. Our analysis provides a unique insight into the design decisions that ransomware developers make to achieve an optimal balance between encryption speed and encryption completeness.
This work also tests the encryption modes and encryption algorithms that BlackCat implements. We conducted a series of experiments to quantify the trade-off between encryption speed and completeness that the different modes achieve, examining metrics such as encryption throughput, time spent on encryption, and amount of file content encrypted. For example, we observed differences of the order of minutes in the time spent encrypting a file between different ransomware configuration points. Our measurements provide a hard look at the numbers: they show how much response time is available once a carefully configured BlackCat has started encrypting files.
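The trade-off the talk measures can be made concrete with a small simulation of partial-encryption modes. The following is an added example, not BlackCat's code and not part of the Cybereason analysis: the mode names (full, fast, dot pattern, auto), their parameters and the size-based auto policy are assumptions chosen for illustration, and the cipher is a SHA-256 counter-mode keystream standing in for a real algorithm so that the script runs on the standard library alone. Each mode is expressed as a plan of byte ranges; the script encrypts a constructed 1 MiB sample under each plan and reports the metrics the abstract names: bytes encrypted, share of the file covered, number of cipher invocations, and wall-clock time, plus the share of the file a defender could still read without the key.

```python
"""Illustrative partial-encryption modes and the speed/completeness trade-off.

Added example: mode names, parameters and the cipher stand-in are assumptions
for illustration and are not taken from BlackCat or from the talk's analysis.
"""
import hashlib
import time
from typing import Dict, List, Tuple

Range = Tuple[int, int]  # half-open byte range [start, end)


def plan_full(size: int) -> List[Range]:
    """Encrypt every byte: slowest, maximal damage."""
    return [(0, size)] if size else []


def plan_fast(size: int, head: int) -> List[Range]:
    """Encrypt only the first `head` bytes (where most file-format headers live)."""
    return [(0, min(size, head))] if size else []


def plan_dot_pattern(size: int, chunk: int, skip: int) -> List[Range]:
    """Encrypt `chunk` bytes, leave `skip` bytes, repeat until end of file."""
    ranges: List[Range] = []
    pos = 0
    while pos < size:
        ranges.append((pos, min(size, pos + chunk)))
        pos += chunk + skip
    return ranges


def plan_auto(size: int, small_limit: int, chunk: int, skip: int) -> List[Range]:
    """Assumed size-based policy: small files in full, large files in a dot pattern."""
    return plan_full(size) if size <= small_limit else plan_dot_pattern(size, chunk, skip)


def keystream(key: bytes, nonce: bytes, offset: int, length: int) -> bytes:
    """Seekable counter-mode keystream built from SHA-256.

    Stand-in so the example needs only the standard library; it is NOT AES or
    ChaCha20 and must not be used as a cipher for anything real.
    """
    if length <= 0:
        return b""
    first, last = offset // 32, (offset + length - 1) // 32
    blocks = b"".join(
        hashlib.sha256(key + nonce + i.to_bytes(8, "little")).digest()
        for i in range(first, last + 1)
    )
    start = offset - first * 32
    return blocks[start:start + length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings via big integers (fast in pure Python)."""
    return (int.from_bytes(a, "big") ^ int.from_bytes(b, "big")).to_bytes(len(a), "big")


def encrypt_ranges(data: bytes, key: bytes, nonce: bytes, ranges: List[Range]) -> bytes:
    """Apply the keystream only inside the planned ranges; the rest stays plaintext."""
    buf = bytearray(data)
    for start, end in ranges:
        buf[start:end] = xor_bytes(bytes(buf[start:end]), keystream(key, nonce, start, end - start))
    return bytes(buf)


def measure(data: bytes, key: bytes, nonce: bytes, ranges: List[Range]) -> Dict[str, object]:
    """Encrypt with one plan and report bytes encrypted, coverage, cipher calls, wall time."""
    t0 = time.perf_counter()
    ciphertext = encrypt_ranges(data, key, nonce, ranges)
    elapsed = time.perf_counter() - t0
    touched = sum(end - start for start, end in ranges)
    return {
        "bytes_encrypted": touched,
        "coverage": touched / len(data) if data else 1.0,
        "cipher_calls": len(ranges),
        "seconds": elapsed,
        "ciphertext": ciphertext,
    }


def untouched_fraction(original: bytes, encrypted: bytes) -> float:
    """Share of bytes left unchanged: roughly what file carving recovers without the key.
    Approximate, since about 1/256 of encrypted bytes XOR to themselves."""
    return sum(1 for a, b in zip(original, encrypted) if a == b) / len(original)


# Constructed 1 MiB sample file and fixed key material (illustration only).
SAMPLE = bytes(range(256)) * 4096
KEY = b"\x11" * 32
NONCE = b"\x22" * 12

MODES = {
    "full": plan_full(len(SAMPLE)),
    "fast(64 KiB head)": plan_fast(len(SAMPLE), 64 * 1024),
    "dot(4 KiB of every 32 KiB)": plan_dot_pattern(len(SAMPLE), 4096, 7 * 4096),
    "auto(>512 KiB -> dot)": plan_auto(len(SAMPLE), 512 * 1024, 4096, 7 * 4096),
}

if __name__ == "__main__":
    for name, ranges in MODES.items():
        m = measure(SAMPLE, KEY, NONCE, ranges)
        print(f"{name:28s} encrypted={m['bytes_encrypted']:8d} coverage={m['coverage']:.3f} "
              f"calls={m['cipher_calls']:4d} time={m['seconds'] * 1000:7.1f} ms "
              f"untouched={untouched_fraction(SAMPLE, m['ciphertext']):.3f}")
```

Running the script prints one line per mode. Coverage and bytes encrypted are exact properties of the plan (the dot pattern above touches 12.5 % of the file in 32 cipher calls, the fast mode 6.25 % in one call), while the time column depends on the machine and on the stand-in cipher, so only its ratios between modes are meaningful. Because the stream is applied by XOR, running `encrypt_ranges` again with the same key, nonce and plan restores the file, which is a convenient way to check that a plan touches exactly the bytes it claims.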
Aleksandar Milenkoski is a senior threat and malware analyst at Cybereason. He is involved primarily in reverse engineering and threat research activities. Aleksandar has a Ph.D. in system security. For his research activities, he has been awarded by SPEC (Standard Performance Evaluation Corporation), the Bavarian Foundation for Science, and the University of Würzburg, Germany. Prior to Cybereason, his work focused on research in intrusion detection and reverse engineering security mechanisms of the Windows operating system.