During a regular threat-hunting exercise, Cyble Research and Intelligence Labs (CRIL) found another instance of BlackMagic ransomware being used to attack the transportation and logistics industry in Israel.
The gang pairs the ransomware with double extortion: it encrypts the victim's data and also steals a copy of it, using both to force the victim to pay.
According to the report, the gang starts its operation by exfiltrating the victim's data and then encrypting it on the victim's systems, so that the victim can no longer read it while the attackers hold a copy the victim cannot revoke or recall.
Not to be confused with the Australian company Blackmagic Design, which makes video-editing software such as DaVinci Resolve, the BlackMagic ransomware group is politically motivated and appears to be linked to Iran.
The threat group is reportedly targeting companies in Israel and using double extortion: it steals victim organizations' data and then encrypts it beyond the victim's control.
For the uninitiated, double extortion combines a traditional ransomware attack, in which files are encrypted, with a second lever: the stolen data itself, which backs aggressive ransom demands even if the victim can restore from backups.
It starts with the threat actor exploiting a vulnerability in a system or network, stealing data and encrypting files. In the next stage, the threat actor demands a ransom and threatens to publish the data on the dark web, sell it to the highest bidder in an online auction or, in some cases, delete the information if the ransom is not paid by the deadline.
Despite this aggressive strategy, the ransom note left by the threat actors contains no cryptocurrency payment instructions. Instead, it points to the social media channels used to advertise the victims' data, with the threat of exposing that data publicly.
“We found that the ransom note used by this gang does not have any crypto address or contact details for ransom payments. Instead, it contains links to social media channels used for advertising the victim’s data,” read the report by CRIL.
The threat actors were previously active in “multiple cybercrime forums to sell the data obtained from these attacks,” the report adds.
According to the data gathered by the researchers, the threat actor claims to have stolen 50GB of data from its victims in Israel and to have access to the personal information of 65% of Israeli citizens.
The payload is fetched from hxxp[:]//5.230.70[.]49/dll/microsoftupdatedefender[.]rar; the archive microsoftupdatedefender[.]ra contains a Windows dynamic-link library named MicrosoftUpdate.dll and a second file named back.bmp. The files are dropped into C:\Users\Public\Documents\ on the victim's system, and the DLL is then executed with rundll32.exe.
Technical analysis of BlackMagic Ransomware
According to CRIL, the ransomware payload is a 64-bit DLL. As mentioned above, it runs from C:\Users\Public\Documents\ (a directory writable by any local user, so no administrator rights are needed to drop it) and exposes an exported function named "Black".
rundll32.exe calls this exported "Black" function, which in turn runs the commands that carry out the encryption.
Once running on the victim's system, the ransomware first delays execution with the Sleep() API, a common trick to outlast sandboxes and automated analysis that only observe a process for a short time. It then begins encrypting files and folders and terminates several processes, including security software, with the command "taskkill /f /im <process name>*".
After encryption, the ransomware uses the reg add command to disable Task Manager and other tools that could be used to stop or remove it. It retrieves the victim's local IP address and sends it in a GET request to its remote server. The report links this callback to the loading of the remaining cmdlets, functions and aliases the ransomware uses on the victim's PC.
Next, the ransomware enumerates the victim's drives with the GetLogicalDriveStringsA() API. Before finishing, it writes a ransom note named "HackedByBlackMagic.txt" into each folder, telling the victim who has taken the files. For the encryption itself it uses the Rijndael algorithm (standardized as AES) with a 128-bit key. The key schedule expands that key into round keys, each 128 bits and viewed as a 4×4 table of bytes (eleven of them for a 128-bit key: one for the initial whitening step and one per round). The plaintext is split into 128-bit blocks, each likewise arranged as a 4×4 byte table, and each block passes through a number of rounds that depends on the key size, ten for a 128-bit key. The state after the tenth round is the ciphertext.
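To make the round structure described above concrete, here is an added example, written for this article rather than taken from the CRIL report or from the ransomware itself: a from-scratch AES-128 (Rijndael with a 128-bit key) single-block encryption in Python. It builds the S-box from the GF(2^8) inverse and affine map, expands the key into eleven round keys, and runs the ten rounds over the 4×4 column-major state. It is checked against the published FIPS-197 test vectors, so it shows exactly what "ten rounds over a 4×4 table" means. Nothing here claims to reproduce BlackMagic's own implementation or the mode of operation it uses, which the report does not name.

```python
"""AES-128 (Rijndael, 128-bit key) single-block encryption, written round by
round to show the key schedule, the 4x4 byte state and the ten rounds.
Added illustration; not the ransomware's code."""


def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return r


def _build_sbox():
    """S-box = multiplicative inverse in GF(2^8) followed by the affine map."""
    sbox = [0x63] * 256                      # the inverse of 0 is defined as 0
    for a in range(1, 256):
        inv = next(b for b in range(1, 256) if gf_mul(a, b) == 1)
        x = inv
        for s in (1, 2, 3, 4):               # x ^= rotl(inv, s)
            x ^= ((inv << s) | (inv >> (8 - s))) & 0xFF
        sbox[a] = x ^ 0x63
    return sbox


SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def expand_key(key):
    """Key schedule: 16-byte key -> 11 round keys (initial whitening + 10 rounds)."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]      # four 32-bit words
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = t[1:] + t[:1]                # RotWord
            t = [SBOX[b] for b in t]         # SubWord
            t[0] ^= RCON[i // 4 - 1]         # round constant
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    # Round key r is words 4r..4r+3; as bytes this is the 4x4 table, column by column.
    return [bytes(sum(w[4 * r:4 * r + 4], [])) for r in range(11)]


# The state is 16 bytes in column-major order: byte r + 4*c is row r, column c
# of the 4x4 table the article describes.
def sub_bytes(s):
    return [SBOX[b] for b in s]


def shift_rows(s):
    # Row r is rotated left by r positions.
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]


def mix_columns(s):
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [gf_mul(a0, 2) ^ gf_mul(a1, 3) ^ a2 ^ a3,
                a0 ^ gf_mul(a1, 2) ^ gf_mul(a2, 3) ^ a3,
                a0 ^ a1 ^ gf_mul(a2, 2) ^ gf_mul(a3, 3),
                gf_mul(a0, 3) ^ a1 ^ a2 ^ gf_mul(a3, 2)]
    return out


def add_round_key(s, rk):
    return [b ^ k for b, k in zip(s, rk)]


def encrypt_block(key, block):
    """Encrypt one 16-byte block. Raw primitive only: no mode of operation, no IV."""
    if len(key) != 16 or len(block) != 16:
        raise ValueError("AES-128 needs a 16-byte key and a 16-byte block")
    rk = expand_key(key)
    s = add_round_key(list(block), rk[0])    # initial whitening
    for rnd in range(1, 11):                 # ten rounds for a 128-bit key
        s = shift_rows(sub_bytes(s))
        if rnd < 10:                         # the final round skips MixColumns
            s = mix_columns(s)
        s = add_round_key(s, rk[rnd])
    return bytes(s)


if __name__ == "__main__":
    # FIPS-197 Appendix B vector.
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
    pt = bytes.fromhex("3243f6a8885a308d313198a2e0370734")
    print(encrypt_block(key, pt).hex())
```

A file encryptor built on this primitive would still need a mode of operation (CBC, CTR or an AEAD mode) and a per-file IV; encrypting files block by block in raw ECB would leak structure. The report does not say which mode BlackMagic uses, so the example stops at the block cipher.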
Once all the files are encrypted, the ransomware renames them with the ".BlackMagic" extension and leaves them in a location on the Windows system that the original file owner can no longer access.
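The execution chain above leaves a very recognizable trail in endpoint telemetry. As an added example (written for this article, not taken from the CRIL report or from the malware), the following Python hunts for that chain over constructed, Sysmon-style process-creation (EventID 1) and file-create (EventID 11) events: rundll32.exe loading a DLL from C:\Users\Public\, taskkill /f /im with a wildcard image name, reg add touching the Task Manager policy, the HackedByBlackMagic.txt note and the .BlackMagic extension. The registry value name DisableTaskMgr is an assumption: it is the standard Windows policy value for disabling Task Manager, but the report only says the tool is disabled. All sample events are made up.

```python
"""Hunt for the BlackMagic drop-and-execute chain in process/file telemetry.
Added example; the events below are constructed, not real logs."""
import re

# Constructed Sysmon-like events. EventID 1 = process create, 11 = file create.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Public\Documents\MicrosoftUpdate.dll,Black"},
    {"EventID": 1, "Image": r"C:\Windows\System32\taskkill.exe",
     "CommandLine": r"taskkill /f /im sql*"},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System "
                    r"/v DisableTaskMgr /t REG_DWORD /d 1 /f"},
    {"EventID": 11, "Image": r"C:\Windows\System32\rundll32.exe",
     "TargetFilename": r"C:\Users\alice\Documents\HackedByBlackMagic.txt"},
    {"EventID": 11, "Image": r"C:\Windows\System32\rundll32.exe",
     "TargetFilename": r"C:\Users\alice\Documents\report.docx.BlackMagic"},
    # Benign activity that must not fire: rundll32 from System32, taskkill by PID.
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"EventID": 1, "Image": r"C:\Windows\System32\taskkill.exe",
     "CommandLine": r"taskkill /pid 4242"},
]

PROCESS_RULES = {
    # Report: MicrosoftUpdate.dll dropped in C:\Users\Public\Documents\ and run via rundll32.exe.
    # Any DLL under C:\Users\Public\ is suspicious; the world-writable folder is the point.
    "rundll32_from_public_dir": re.compile(r'rundll32(\.exe)?\s+"?c:\\users\\public\\', re.I),
    # Report: taskkill /f /im <process name>*  (forced kill by wildcard image name).
    "taskkill_wildcard_force": re.compile(r"taskkill\b(?=.*\s/f\b)(?=.*\s/im\s+\S*\*)", re.I),
    # Report: reg add used to disable Task Manager. Value name DisableTaskMgr is assumed.
    "reg_disable_taskmgr": re.compile(r"\breg(\.exe)?\s+add\b.*DisableTaskMgr", re.I),
}
NOTE_NAME = "hackedbyblackmagic.txt"   # report: ransom note written to each folder
EXTENSION = ".blackmagic"              # report: extension appended to encrypted files


def match_process(command_line):
    """Return the names of process rules that match a command line."""
    return [name for name, rx in PROCESS_RULES.items() if rx.search(command_line)]


def match_file(path):
    """Return file-artifact rule names matching a created file path."""
    p = path.lower()
    hits = []
    if p.rsplit("\\", 1)[-1] == NOTE_NAME:
        hits.append("ransom_note_written")
    if p.endswith(EXTENSION):
        hits.append("blackmagic_extension")
    return hits


def scan(events):
    """Return (event index, rule name) pairs for every rule hit."""
    findings = []
    for i, ev in enumerate(events):
        if ev.get("EventID") == 1:
            hits = match_process(ev.get("CommandLine", ""))
        elif ev.get("EventID") == 11:
            hits = match_file(ev.get("TargetFilename", ""))
        else:
            hits = []
        findings.extend((i, h) for h in hits)
    return findings


if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Any single rule here can fire on legitimate administration (taskkill with a wildcard, a policy change by GPO), so in practice these are best correlated: several hits from the same host within minutes, or a rundll32 hit followed by mass file creates with the new extension, is the signal worth paging on.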