Recently Cyber researchers for Cyble investigated an attack suffered by on May 30, 2021, by Nucleus Software, an India-based IT company in the Banking and Financial Services sector.
The company reported the security breach to the Bombay Stock Exchange (BSE) and the National Stock Exchange of India (NSEI). Nucleus Software declared that it does not store customers’ financial data.
The Cyble Research team discovered that the company was the victim of the BlackCocaine Ransomware gang.
Like other ransomware gangs, the ransomware gang behind this threat also operates its own site (hxxp://blackcocaine[.]top) that was recently registered for the beginning of the group’s operations.
“Based on the analysis, the Cyble research team found that Nucleus Software is the first victim of the BlackCocaine ransomware group.” reads the post published by Cyble. “The WHOIS information for the domain reveals that the domain of the BlackCocaine ransomware was registered on May 28, 2021”
The researchers reported that a file named a.BlackCocaine was recently submitted to different public sandboxes.
The Ransomware perform file system enumeration while encrypting the victim files, then appends the extension “.BlackCocaine” to the filenames of encrypted files. The researchers reported that ransomware uses the AES and RSA encryption methods.
Once encrypted the file, the ransomware drops ransom notes with the filename
“HOW_TO_RECOVER_FILES.BlackCocaine.txt ” on the victim’s machine.
The BlackCocaine ransomware is written in Go language and complied using the MinGW tool. The payload file is a UPX-packed 64-bit Windows executable file.
The ransomware payload was compiled on May 29, 2021. The ransomware implements multiple anti-VM and anti-debugging techniques.
At the time of this writing, experts have yet to determine the initial infection vector of BlackCocaine.
“BlackCocaine is the latest addition to the group of ransomware and appears to be one of the most sophisticated and active malware strains.” concludes the report. “This ransomware family follows the same model of server-side encryption to lock user documents and demand ransom.”
Follow me on Twitter: @securityaffairs and Facebook
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, ransomware)
[adrotate banner=”5″]
[adrotate banner=”13″]