Unveiling the Enhanced Sphynx Variant: BlackCat Ransomware Targets Azure Storage with Advanced Features

A new variant of the BlackCat Ransomware, named Sphynx, has recently emerged, showcasing enhanced capabilities tailored for encrypting Azure Storage accounts. Initially identified in March, this iteration of Sphynx received upgrades in May, introducing the Exmatter exfiltration tool.

Subsequent releases in August unveiled additional functionalities, including the ability to override credentials stored in configuration files extracted from compromised systems through new command-line arguments.

In August, Microsoft disclosed the integration of Impacket and Remcom tools in this variant, enabling credential dumping, remote service execution, and the exploitation of compromised credentials for lateral movement and further propagation of ransomware.

Microsoft’s tweet highlighted the embedding of the Remcom hacktool within the executable, facilitating remote code execution, alongside the inclusion of hardcoded compromised credentials for lateral movement and ransomware distribution.

Threat actors exploited Azure Portal access to pilfer Azure keys, encoding them in base64 format and embedding them within the ransomware binary for execution via command line instructions. Using the ‘-o’ argument, they targeted Azure storage accounts, subsequently encrypting 39 unique accounts with ransomware.

During these operations, threat actors leveraged tools like AnyDesk, SplashTop, Atera, and the Chrome browser, coupled with the LastPass vault browser extension, to access and manipulate credentials, including OTPs for Sophos Central account access.

Further investigation revealed that threat actors altered security policies and tampered with protection measures before encrypting systems and Azure Storage accounts using IzBEIHCMxAuKmis6.exe, appending the extension ‘.zk09cvt’.

Notably, the Sphynx variant observed by IBM no longer employs the ‘-access-token’ parameter; instead, it utilizes complex key sets and a revised array of arguments.

Sophos has provided comprehensive insights into the operation, source code, and indicators of compromise associated with this BlackCat variant.

Organizations are strongly advised to implement and uphold necessary precautions and countermeasures to effectively mitigate the risks posed by ransomware attacks. Proactive measures and vigilant defense strategies are pivotal in mitigating the potential devastating impacts of such malicious activities.

Scroll to Top