BlackCocaine Ransomware, a new malware in the threat landscape

Cyble researchers investigated a recent attack on an India-based IT firm that was hit by the BlackCocaine Ransomware gang.

Recently Cyber researchers for Cyble investigated an attack suffered by on May 30, 2021, by Nucleus Software, an India-based IT company in the Banking and Financial Services sector.

The company reported the security breach to the Bombay Stock Exchange (BSE) and the National Stock Exchange of India (NSEI). Nucleus Software declared that it does not store customers’ financial data.

The Cyble Research team discovered that the company was the victim of the BlackCocaine Ransomware gang.

Like other ransomware gangs, the ransomware gang behind this threat also operates its own site (hxxp://blackcocaine[.]top) that was recently registered for the beginning of the group’s operations.

“Based on the analysis, the Cyble research team found that Nucleus Software is the first victim of the BlackCocaine ransomware group.” reads the post published by Cyble. “The WHOIS information for the domain reveals that the domain of the BlackCocaine ransomware was registered on May 28, 2021”

The researchers reported that a file named a.BlackCocaine was recently submitted to different public sandboxes.

The Ransomware perform file system enumeration while encrypting the victim files, then appends the extension “.BlackCocaine” to the filenames of encrypted files. The researchers reported that ransomware uses the AES and RSA encryption methods.

Once encrypted the file, the ransomware drops ransom notes with the filename
“HOW_TO_RECOVER_FILES.BlackCocaine.txt ” on the victim’s machine.

The BlackCocaine ransomware is written in Go language and complied using the MinGW tool. The payload file is a UPX-packed 64-bit Windows executable file.

The ransomware payload was compiled on May 29, 2021. The ransomware implements multiple anti-VM and anti-debugging techniques.

At the time of this writing, experts have yet to determine the initial infection vector of BlackCocaine.

“BlackCocaine is the latest addition to the group of ransomware and appears to be one of the most sophisticated and active malware strains.” concludes the report. “This ransomware family follows the same model of server-side encryption to lock user documents and demand ransom.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.