Author: Javier Conejo del Cerro

CCN–CERT. 2023. Malware Analysis: Black Cat and the AI Act

Updated: 11 Dec 2023

It was day 3 of the #XVIIJornadasCCNCERT #VJornadasESPDEFCERT and the conference drew to a close with insightful topics that never fail to come up in the cybersecurity conversation: ransomware, malware and AI. The basic threats are always there, but we also need to turn our eyes to the future.

Miguel Vidal (Innotec Security, part of Accenture) spoke about primitive ransomware, primary extortion and limited distribution in the 1980s, as well as the worms of the early 2000s, which caused €10,000 million in losses. "Nowadays, these services are capitalized as a Service", said Vidal.

Felix del Olmo (Innotec Security, part of Accenture) reminded us that cybercriminal organizations have moved towards charging monthly fees, much like a legitimate company.

The duo reminded us that BlackCat was responsible for over 200 attacks in 2023, together with its affiliates Scattered Spider, UNC4466, DEV-0237 (FIN12) and DEV-0504. They also went over the vulnerabilities attackers draw on the most, as well as the location of the servers.

Miguel Vidal (Innotec Security, part of Accenture): "Going back to the early days of ransomware in the 1980s, primitive ransomware, primary extortion and limited distribution, as well as the worms of the early 2000s, would embed themselves in the system and would not allow the machine to start, thus holding the data for ransom. These two forms of malware would cost administrations alone €10,000 million."

"Nowadays, these services have evolved and are now being profited from under the label of Ransomware as a Service."

Felix del Olmo (Innotec Security, part of Accenture): "Ransomware as a Service has taken the shape of different methods these days, such as monthly fees: much like landline companies, hackers charge a flat monthly fee for their malicious services. Member clubs, which provide earnings to the agent plus a commission of 20% to 30%. One-time license use, which is significantly pricier, although the agent does not take part in the earnings of the attack. Finally, when it comes to pure participation, the agent does bring home a part of the take, but in this case there is no upfront fee."

Black Cat

Miguel Vidal (Innotec Security, part of Accenture): "BlackCat, alias ALPHV or Noberus, was discovered in November 2021 by MalwareHunterTeam. Using techniques such as Ransomware as a Service (RaaS), it became widespread via member clubs, which enable its associates to obtain an earnings percentage of around 80% to 90% per operation."

"Furthermore, it is positioned as a forefront player, using Rust to write its malicious code and bringing in state-of-the-art blackmail techniques such as double, triple or even quadruple extortion."

"The existence of a link between BlackCat and the ransomware organizations DarkSide and BlackMatter has been a matter of speculation for a while now. The connection was confirmed by former BlackCat members."

"As an initial attack vector, this malicious player gravitates toward exploiting vulnerabilities, although it has also been spotted with highly sophisticated spear-phishing in the pipeline. Throughout its history, it has moved towards critical infrastructure such as oil and gas companies, construction and mining firms and finance or IT corporations, among others."

"It is worth noting that the countries with a focus of BlackCat attacks are the United States, Canada, Germany, Italy and Spain, among others."

Progress and the present day

"BlackCat has become one of the players spotlighting the latest form of blackmail, none other than quadruple extortion, and it has become one of the most aggressive agents in 2023. It has been seminal to spin-offs such as Sphynx, with which it intends to escape detection and keep its current address unscathed. It also brought in tools the likes of Impacket and RemCom, streamlining lateral movement and remote execution. Due to its cutting-edge innovation, BlackCat stands as the culprit of over 200 successful cyberattacks so far this year."


Felix del Olmo (Innotec Security, part of Accenture)

Scattered Spider (Oktapus, UNC3944, Muddled Libra or Scatter Swine)

"A cybercriminal group, probably connected to the ransomware group BlackCat. Running since May 2022."

"Throughout their career, this group of cybercriminals has taken aim at several industries such as finance, transportation, communications and hospitality, among others. Financial reasons have been identified as the drive for their operations."

"It usually gains access through stolen credentials, captured via phishing campaigns spread through text messages; it even avails itself of the Azure Serial Console to gain access to the main administrative consoles of the virtual machines. In addition, Scattered Spider members have been identified using the harmful STONESTOP, BURNTCIGAR and POORTRY code in their campaigns."

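The Azure Serial Console access described above leaves a trace in the subscription's Activity Log, and that trace is the check a defender would want. The following is an added example (not part of the talk or this page): it reports every Activity Log event whose operation is a serial-port connect unless the caller is on a short allow-list of break-glass administrators. The operation name Microsoft.SerialConsole/serialPorts/connect/action, the simplified event shape (operationName.value, caller, resourceId, status.value, eventTimestamp, httpRequest.clientIpAddress) and the allow-list address are this example's assumptions, to be verified against your own tenant's logs; the events are constructed.

```python
"""Flag Azure Serial Console connections in Activity Log events.

Added example, not from the talk or this page. Assumptions: the
operation name below and the simplified event shape are taken from
the Activity Log's published schema; the sample events are
constructed, and the allow-list address is hypothetical.
"""
import json
import re

SERIAL_CONSOLE_CONNECT = "microsoft.serialconsole/serialports/connect/action"
VM_NAME = re.compile(r"/virtualMachines/([^/]+)", re.I)


def serial_console_hits(events, allowed_callers=frozenset()):
    """Return one record per serial-console connect not made by an allowed caller."""
    hits = []
    for ev in events:
        op = ((ev.get("operationName") or {}).get("value") or "").lower()
        if op != SERIAL_CONSOLE_CONNECT:
            continue
        caller = (ev.get("caller") or "").lower()
        if caller in allowed_callers:
            continue
        m = VM_NAME.search(ev.get("resourceId", ""))
        hits.append({
            "time": ev.get("eventTimestamp"),
            "caller": caller,
            "vm": m.group(1) if m else None,
            "status": (ev.get("status") or {}).get("value"),
            "source_ip": (ev.get("httpRequest") or {}).get("clientIpAddress"),
        })
    return hits


# Constructed sample: an unexpected contractor connect, an allowed break-glass
# connect, and an unrelated VM start by the same admin.
SAMPLE_EVENTS = json.loads("""[
  {"eventTimestamp": "2023-05-02T03:14:07Z",
   "operationName": {"value": "Microsoft.SerialConsole/serialPorts/connect/action"},
   "caller": "helpdesk.contractor@corp.example",
   "resourceId": "/subscriptions/sub-1/resourceGroups/prod/providers/Microsoft.Compute/virtualMachines/dc01/providers/Microsoft.SerialConsole/serialPorts/0",
   "status": {"value": "Succeeded"},
   "httpRequest": {"clientIpAddress": "198.51.100.7"}},
  {"eventTimestamp": "2023-05-02T09:30:00Z",
   "operationName": {"value": "Microsoft.SerialConsole/serialPorts/connect/action"},
   "caller": "breakglass.admin@corp.example",
   "resourceId": "/subscriptions/sub-1/resourceGroups/prod/providers/Microsoft.Compute/virtualMachines/app02/providers/Microsoft.SerialConsole/serialPorts/0",
   "status": {"value": "Succeeded"},
   "httpRequest": {"clientIpAddress": "10.0.0.44"}},
  {"eventTimestamp": "2023-05-02T09:31:12Z",
   "operationName": {"value": "Microsoft.Compute/virtualMachines/start/action"},
   "caller": "breakglass.admin@corp.example",
   "resourceId": "/subscriptions/sub-1/resourceGroups/prod/providers/Microsoft.Compute/virtualMachines/app02",
   "status": {"value": "Succeeded"},
   "httpRequest": {"clientIpAddress": "10.0.0.44"}}
]""")

ALLOWED_CALLERS = frozenset({"breakglass.admin@corp.example"})

if __name__ == "__main__":
    for hit in serial_console_hits(SAMPLE_EVENTS, ALLOWED_CALLERS):
        print(hit)
```

The allow-list is deliberately small: a serial console session bypasses the guest OS network stack and any EDR on the network path, so any connect outside a documented break-glass account is worth a ticket, even when the status is Succeeded and the caller is a real employee.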

UNC4466

BlackCat affiliate, in operation since 2023. This cybercriminal organization draws upon CVE-2021-27876, CVE-2021-27877 and CVE-2021-27878 in the Veritas Backup Exec software already present on Windows servers, in order to gain initial access to the operating systems.

In addition, it has been identified that, while operating, UNC4466 members availed themselves of the harmful tools Mimikatz, LaZagne and Nanodump to steal user credentials.


DEV-0504

Another Ransomware as a Service affiliate. Throughout its run it has used Ryuk, REvil, BlackMatter and Conti, and it has aimed at the energy, manufacturing, textile and IT industries, among others. Furthermore, DEV-0504 has been known to utilize payloads such as the Mimikatz and Rubeus tools.

DEV-0237 (FIN12)

Ransomware as a Service affiliate; throughout its run it has used Ryuk, Conti, TrickBot and Hive, and it has been tagging along with BlackCat since March 2022. Researchers point out that this malicious actor may have started using payloads stemming from BlackCat because of the publication of the Hive decryptor, so that its operations remained unscathed.

It usually makes its way into the system via stolen credentials and system flaws.


Top exploited vulnerabilities. Ransomware typically preys on a slew of vulnerabilities, such as:

  • Microsoft Word CVE-2023-36884.

  • GoAnywhere MFT from Fortra CVE-2023-0669.

  • MS Exchange (ProxyLogon) CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065.

  • MS Exchange (ProxyShell) CVE-2021-34473, CVE-2021-34523, CVE-2021-31207.

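The Exchange CVEs in the list above are the ones most worth hunting for retroactively, because exploitation attempts leave distinctive requests in the server's IIS logs. The following is an added example, not code from the talk or this page: it scans W3C-format IIS log lines for the three publicly documented ProxyShell request patterns (an autodiscover.json request whose query begins with an @host/path path-confusion prefix, the Email=autodiscover/autodiscover.json parameter, and an X-Rps-CAT token sent to /powershell). The rule names and the sample log lines are this example's own construction.

```python
"""Hunt ProxyShell exploitation attempts in Exchange IIS (W3C) logs.

Added example, not from the talk or this page. The three request
patterns are the publicly documented exploitation indicators for
CVE-2021-34473 (path confusion) and CVE-2021-34523 (PowerShell
backend token abuse); the rule names and the log lines at the
bottom are constructed for the demo, not real traffic.
"""
import re
from urllib.parse import unquote

AUTODISCOVER = re.compile(r"^/autodiscover/autodiscover\.json", re.I)
POWERSHELL = re.compile(r"^/powershell", re.I)
# A query such as "@evil.corp/mapi/nspi/?..." is the path-confusion prefix;
# benign autodiscover queries start with "Email=" and never with "@".
PATH_CONFUSION = re.compile(r"^@[^/]+/")

# (rule name, stem pattern, predicate over the percent-decoded query)
RULES = [
    ("proxyshell-autodiscover-confusion", AUTODISCOVER,
     lambda q: PATH_CONFUSION.search(q) is not None),
    ("proxyshell-email-param", AUTODISCOVER,
     lambda q: "email=autodiscover/autodiscover.json" in q.lower()),
    ("proxyshell-powershell-backend", POWERSHELL,
     lambda q: "x-rps-cat=" in q.lower()),
]

# Default IIS field order, overridden by any '#Fields:' header in the log.
DEFAULT_FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem",
                  "cs-uri-query", "s-port", "cs-username", "c-ip",
                  "cs(User-Agent)", "sc-status"]


def match_rules(stem, raw_query):
    """Return the names of the rules triggered by one request."""
    query = "" if raw_query == "-" else unquote(raw_query)
    return [name for name, stem_re, pred in RULES
            if stem_re.search(stem) and pred(query)]


def scan(lines):
    """Map 1-based line number -> triggered rule names, for lines that hit."""
    fields = DEFAULT_FIELDS
    hits = {}
    for n, line in enumerate(lines, 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        parts = line.split(" ")
        if len(parts) < len(fields):
            continue
        rec = dict(zip(fields, parts))
        names = match_rules(rec.get("cs-uri-stem", ""), rec.get("cs-uri-query", "-"))
        if names:
            hits[n] = names
    return hits


# Constructed sample: two exploitation attempts followed by two benign requests.
SAMPLE_LOG = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status",
    "2021-08-13 10:01:02 10.0.0.5 GET /autodiscover/autodiscover.json @evil.corp/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.corp 443 - 203.0.113.9 python-requests/2.26.0 200",
    "2021-08-13 10:01:05 10.0.0.5 POST /powershell X-Rps-CAT=VgEAVAdXaW5kb3dz 443 - 203.0.113.9 python-requests/2.26.0 200",
    "2021-08-13 10:01:09 10.0.0.5 GET /autodiscover/autodiscover.json Email=alice@corp.example&Protocol=Ews 443 CORP\\alice 10.0.0.44 Microsoft+Office/16.0 200",
    "2021-08-13 10:02:00 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 10.0.0.44 Mozilla/5.0 200",
]

if __name__ == "__main__":
    for n, names in scan(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(names)}")
```

Two caveats when running this over real logs: the query is percent-decoded before matching, so an encoded "%40" or "%3F" does not evade the rules, and a legitimate Outlook autodiscover request also carries an "@" (inside the Email parameter), which is why the path-confusion rule anchors on the query starting with "@host/" rather than on the character alone.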

Location of the servers (counts as presented in the talk):

  • Netherlands 32

  • Lithuania 11

  • Netherlands 18

  • Poland 5

  • Poland 12

  • United States 4

  • Lithuania 10

  • United Kingdom 3


Conclusions

  1. There are ties between the ransomware group BlackCat and its spun-off affiliates Scattered Spider, UNC4466, FIN12 and DEV-0504.

  2. Professionalization. Cybercriminal activities have been professionalized and turned into a business that mirrors legitimate businesses from every industry and sector, through intricate schemes and the outsourcing of services among groups.

  3. Resilience. They have tailored their methods and attacks throughout their run, evolving from double to quadruple extortion, using the RaaS business model and certain social engineering approaches.

  4. Social engineering. The success of social engineering vouches for the assertion that the weakest link in the cybersecurity chain is the user. On those grounds, it is feasible to forecast that this method will remain the powerhouse of all cyberthreats.


Roger Sanz González and Rodrigo Derlis Bonadeo Fioroni, both from SIA, provided an insight, from a technical standpoint, into the risk management needs that ought to be borne in mind across the lifecycle of AI solutions. Among the topics they covered were AI governance, technological sovereignty and supply chain risk factors, AI management solutions and the need for compliance with the EU AI Act; security by design and by default, and safety in the use and management chain; recommendations for the integration and safe convergence of AI-equipped systems; and assessment mechanisms and the validation of reliability, robustness and auditability.

The duo weighed in on the current state of Artificial Intelligence implementation and the questions still unanswered.

They addressed different AI security approaches, such as:

  • Legal compliance and ethical principles.

  • Putting together a holistic, broadened framework.

  • Human-centred and human-driven functionality.

  • Specific algorithms for sustainability, auditability and accountability.

  • Fast-track fostering based upon the manufacturer's technology.

  • Adjusting specific solutions.

Roger Sanz emphasized the amount of data governing bodies handle. "No firm or organization handles as much data as the public administration. Data is the power of public entities." And that "the data handled ranges from race, tastes, biometric data, gender, age, location." "A public university's data set not only accounts for credit cards and billing addresses, it also encompasses research projects and investigations, which also applies to other bodies, thus making the data delegate an essential figure in the firm."

"AI is not all about data, but it underpins it." "An algorithm calls the shots on who gets inspected, and when a Spanish citizen once asked to gain access to that algorithm, the Spanish courts rejected his appeal." Should we unquestionably accept the ruling of an algorithm? "The Hague court ruled that this can only be certified as long as the algorithm's criteria are not discriminating, stigmatizing or labelling. And that can hardly be certified today."

The current risk ladder in the AI field, according to the EU AI Act, is made up of several levels:

  • Low-risk AI includes spam filter software and video games.

  • Mild-risk factors span chatbots, deepfake software and emotion recognition.

  • High-risk factors range from education and employment to justice, immigration and regulation, and a number of others yet to be labelled.

  • Forbidden systems include social credit, behaviour manipulation, facial recognition, malicious individual profiling and facial recognition databases (the limits of which are still being discussed).


Risks identified:

  1. Directed use of data and resources inherited with no control, no solution architecture and a lack of criteria in the use of resources.

  2. No verification. Lack of a practical security guarantee.

  3. Need for results. Lack of knowledge, experience and ability to address the secure design of AI solutions, so risks are taken without due identification.

  4. Quick adoption of manufacturers and suppliers. Risk-taking in order to obtain a functional product without proper adjustment of the security perspective from a design-by-default standpoint.

  5. Solutions based on untrustworthy practices. Excessive confidence in the community.

  6. Attackers "poisoning" resources in the long run: training datasets, hidden functionality in code and "poisoned" repositories.

  7. Attackers aiming at AI infrastructures and services. These harness vulnerable code resources, configuration inheritance and credential trust.

  8. DDoS attacks and excessively straightforward "poisonings" due to shortcomings in the design phase.

  9. Assessment-free, massive AI use for monitoring and protection.

  10. Prompt detectives and low-key attackers (way too many for DDoS).

  11. Lack of basic budget (credits) for managing minimum AI Ops security requirements.

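Risk 6 above, poisoned training data and poisoned repositories, is the one that a pipeline can actually check for mechanically, and the check is the same one used for any other software supply chain input: pin every artifact to a digest reviewed alongside the code, and refuse to train or serve when the tree no longer matches. The following is an added example (not part of the talk or this page) of that control. The manifest format (a JSON map of relative path to SHA-256 hex digest in a MANIFEST.json file) and the sample data files are this example's own construction, not any project's standard.

```python
"""Pin and verify the hashes of training data and model artifacts.

Added example, not from the talk or this page. Assumptions: the
manifest format (MANIFEST.json mapping relative path -> SHA-256 hex
digest) and the sample files written by demo() are constructed for
this example; an established pipeline would keep the manifest under
code review rather than regenerating it on the training host.
"""
import hashlib
import json
import os
import tempfile

MANIFEST_NAME = "MANIFEST.json"


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large datasets need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map every file under root (except the manifest itself) to its digest."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel != MANIFEST_NAME:
                digests[rel] = sha256_file(full)
    return digests


def write_manifest(root):
    """Pin the current tree; the resulting file is what gets reviewed with the code."""
    manifest = snapshot(root)
    with open(os.path.join(root, MANIFEST_NAME), "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def verify(root):
    """Compare the tree against MANIFEST.json; all three lists empty means clean."""
    with open(os.path.join(root, MANIFEST_NAME)) as f:
        pinned = json.load(f)
    actual = snapshot(root)
    return {
        # pinned file whose bytes changed: a flipped label, a patched weight file
        "modified": sorted(p for p, d in pinned.items() if p in actual and actual[p] != d),
        # pinned file that disappeared
        "missing": sorted(p for p in pinned if p not in actual),
        # file nobody reviewed: a dropped-in loader module, an extra shard
        "unlisted": sorted(p for p in actual if p not in pinned),
    }


def is_clean(report):
    return not any(report.values())


def demo():
    """Constructed scenario: pin a clean tree, then poison a label and drop in a file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "data"))
        with open(os.path.join(root, "data", "train.csv"), "w") as f:
            f.write("text,label\nreset your password here,phish\nteam lunch at noon,ham\n")
        with open(os.path.join(root, "model.bin"), "wb") as f:
            f.write(bytes(range(64)))
        write_manifest(root)
        before = verify(root)
        # Poisoning: someone with write access relabels a phishing sample as benign.
        with open(os.path.join(root, "data", "train.csv"), "a") as f:
            f.write("reset your password here,ham\n")
        # Repository drop-in: an unreviewed module appears next to the data.
        with open(os.path.join(root, "data", "__init__.py"), "w") as f:
            f.write("import os\n")
        after = verify(root)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("clean before:", is_clean(before))
    print("clean after:", is_clean(after), after)
```

The point of reporting unlisted files, not only modified ones, is that a dataset directory importable as a Python package (the dropped-in __init__.py above) is a code execution path, not just data; a pipeline that only re-hashed the files it already knew about would never see it.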

Recommendations:

  1. Duly assessing the impact and need for the use of ML- and AI-based technologies in the organization's technological ecosystem, in order to have a governance practice based on the applicable principles.

  2. Identifying the new landscape of emerging threats to information systems and assessing technological risks with a multidisciplinary vision, so as to rank risks rather than rely exclusively on regulatory compliance, so that the activity is meaningful.

  3. Drafting a specific, flexible AI security road map that can be adapted over a given period.

  4. Placing the focus of the activity on safe adoption according to the principles, minimum requirements and protective measures, so as to have a blueprint that caters for a proper view of risk and compliance.

  5. Duly understanding how to apply practical security principles by design and by default within the AI Ops and ML Ops disciplines, with special emphasis on technological supply chain risk and the secure development lifecycle (SDLC) of AI/ML applications.


