National Cyber Warfare Foundation (NCWF) Forums


Exploring the (Not So) Secret Code of Black Hunt Ransomware


0 user ratings
2024-02-05 19:50:06
milo
Red Team (CNA)

 - archive -- 
In this analysis we examined the BlackHunt sample shared on X (formerly Twitter). During our analysis we found notable similarities between BlackHunt ransomware and LockBit, which suggested that it uses leaked code of Lockbit. In addition, it uses some techniques similar to REvil ransomware.

Exploring the (Not So) Secret Code of Black Hunt Ransomware

It seems like every week, the cybersecurity landscape sees the emergence of yet another ransomware variant, with Black Hunt being one of the latest additions. Initially reported by cybersecurity researchers in 2022, this new threat has quickly made its presence known. In a recent incident, Black Hunt ransomware wreaked havoc by compromising around 300 companies in Paraguay.

Rapid7 Labs consistently monitors emerging threats, and this new ransomware variant caught our attention for several reasons. The behavior and potential impact of this new variant raised concerns among our team, prompting us to conduct a thorough analysis to better understand its capabilities and potential risks.

During our analysis we found notable similarities between Black Hunt ransomware and LockBit, which suggested that it uses leaked code of Lockbit. In addition, it uses some techniques similar to REvil ransomware.

Technical Analysis

In this analysis we examined the Black Hunt sample shared on X (formerly Twitter), by MalwareHunterTeam. In our investigation we found some interesting techniques and features used by this malware. The recent Black Hunt sample is a C++ executable, which widely reuses the leaked Lockbit ransomware code and shares similarities with several other recently spotted ransomware families.The execution of the ransomware on an infected machine starts with a check for a file named Vaccine.txt under directory C:\ProgramData path

Exploring the (Not So) Secret Code of Black Hunt Ransomware
Figure 1 - Check for the existence of Vaccine.txt file

If the file is found, malware terminates its execution. This file detection acts as an anti-exploitation flag for the ransomware. As this is not a well-known anti-sandbox/anti-VM technique, we assume that this file is in use by the threat actor (TA) itself. It is either created by the victim which is instructed to create it after the ransom is paid or dropped by the decryptor, if one is sent to the victim to decrypt the encrypted data. Adding that check is logical if the ransomware operators consider scenarios where their persistence mechanism and the ransomware binary remain on the system even after the ransom is paid and files are decrypted. Moreover, the fact that all files dropped by the ransomware are placed in the C:\ProgramData  directory further supports our assessment that this file is associated with the Black Hunt operation.

Next, the malware adjusts the following privileges to processes Access Token by using the `AdjustTokenPrivileges` API function:






































Privilege SettingDescription
SeDebugPrivilegeMonitor and manipulate other processes.
SeRestorePrivilegeBypass file system security to restore files.
SeBackupPrivilegeRead any file, regardless of permissions.
SeTakeOwnershipPrivilegeTake control of critical system resources.
SeAuditPrivilegeManipulate security audit logs.
SeSecurityPrivilegeModify security settings of objects.
SeIncreaseBasePriorityPrivilegeGives service privilege to increase scheduling priority.

After modifying process privileges, the malware hides its window by invoking the `ShowWindow` function with the `nCmdShow` parameter set to 0, which corresponds to `SW_HIDE`. This action ensures that the malware's window is not visible to the user, allowing it to operate stealthily in the background without drawing attention.

Exploring the (Not So) Secret Code of Black Hunt Ransomware
Figure 3 - Malware hiding its present from the user

The execution flow continues as the malware invokes the `GetCommandLineW` function. This function retrieves the command-line string for the current process, including the program name and any arguments passed during startup. This function is commonly used by malware and helps to gather information about command-line flags. Following this, another function call is made to `CMD_ARGS`.

Exploring the (Not So) Secret Code of Black Hunt Ransomware
Figure 4

The function processes a command-line string and checks if any of the following arguments were passed:






























































ArgumentDescription
-localIf passed, the ransomware will skip shared or network drives encryption.
-networkIf passed, the ransomware will encrypt only the network drives
-biggameIf passed, the ransomware will only encrypt the files that contain .4dd, .4dl, .accdb, .accdc, .accde, .accdr, .accdt, .accft, .adb, .ade, .adf, .adp, .arc, .ora, .alf, .ask, .btr, .bdf, .cat, .cdb, .ckp, .cma, .cpd, .dacpac, .dad, .dadiagrams, .daschema, .db, .db-shm, .db-wal, .db3, .dbc, .dbf, .dbs, .dbt ,.dbv, .dbx, .dcb, .dct, .dcx, .ddl ,.dlis, .dp1 ,.dqy, .dsk, .dsn, .dtsx, .dxl, .eco, .ecx, .edb, .epim, .exb, .fcd, .fdb, .fic, .fmp, .fmp12, .fmpsl, .fol, .fp3, .fp4, .fp5, .fp7, .fpt, .frm, .gdb, .grdb, .gwi, .hdb, .his, .ib, .idb, .ihx, .itdb, .itw, .jet, .jtx, .kdb, .kexi, .kexic, .kexis, .lgc, .lwx, .maf, .maq, .mar, .mas, .mav, .mdb, .mdf, .mpd, .mrg, .mud, .mwb, .myd, .ndf, .nnt, .nrmlib, .ns2, .ns3, .ns4, .nsf, .nv, .nv2, .nwdb, .nyf, .odb, .oqy, .orx, .owc, .p96, .p97, .pan, .pdb, .pdm, .pnz, .qry, .qvd, .rbf, .rctd, .rod, .rodx, .rpd, .rsd, .sas7bdat, .sbf, .scx, .sdb, .sdc, .sdf, .sis, .spq, .sql, .sqlite, .sqlite3, .sqlitedb, .te, .temx, .tmd, .tps, .trc, .trm, .udb, .udl, .usr, .v12, .vis, .vpd, .vvv, .wdb, .wmdb, .wrk, .xdb, .xld, .xmlff, .abcddb, .abs, .abx, .accdw, .adn, .db2, .fm5, .hjt, .icg, .icr, .kdb, .lut, .maw, .mdn, .mdt extensions.
-backupIf passed, the ransomware will only encrypt the files with .000, .cab, .zip and .rar extensions.
-noencryptif passed, the malware will skip encryption.
-pIf passed, specifies a path to be encrypted
-nologsIf passed - If the flag is not set, the ransomware creates a log file named #BlackHunt_Logs.txt under C:\ProgramData directory. Otherwise no log files will be created.
-statusIf passed, sets the ransomware console windows to ‘SW_SHOW’ and shows the encryption status in the ransomware console window. The status information contains the System ID, running time, the amount of encrypted files and encrypted volume, as well as errors, alive workers and the code location. The status window constantly updated by the ransomware as long as it runs
-updateIf passed, the ransomware shows a fake Window Update screen
-killIf passed, the ransomware terminates processes from hardcoded process list and stops services from hardcoded service list
-scannerIf passed, the ransomware scans for network shares
-cipherIf passed, when all the encryption process is completed the ransomware uses Windows tool Cipher.exe on all drives to overwrite the deleted data. Same capability was utilized by Vohuk ransomware.
-restartif set in the end of encryption the following command will be executed to restart the pc ‘shutdown /r /t 15 /f’

The ransomware accepts additional arguments that modify its behavior, including disabling spreading capabilities, adjusting encryption speed, thread count for encryption, skipping mutex creation, and enabling debug mode to collect more information in the log file.

After verifying passed arguments and ensuring the absence of the -nomutex flag, the ransomware proceeds to create a `BLACK_HUNT_MUTEX`. Next, it elevates its process priority to `HIGH_PRIORITY_CLASS` using the `SetPriorityClass` API function.

The ransomware made 200 attempts to load `Fake.dll`, likely as a tactic to slow up/evade the execution in the sandbox. Following this, it employs the `IsDebuggerPresent` API call to detect if debugging is in progress. If a debugger is detected, the ransomware terminates.

Further analysis revealed that Black Hunt maintains a whitelist of 15 countries, as detailed in the table below.






















































































Language CodeLanguageCountry
2092Azeri (Cyrillic)Azerbaijan
1068Azeri (Latin)Azerbaijan
1067ArmenianArmenia
1059BelarusianBelarus
1079GeorgianGeorgia
1071MacedonianNorth Macedonia
1088KyrgyzKyrgyzstan
2073MoldovanMoldova (Russian language)
1064Tajik (Cyrillic)Tajikistan
1090TurkmenTurkmenistan
2115Uzbek (Cyrillic)Uzbekistan
1091Uzbek (Latin)Uzbekistan
1058UkrainianUkraine
1065PersianIran
1055TurkishTurkey

The malware uses the `GetSystemDefaultUILanguage` function to identify one of 15 hardcoded languages. If it detects any of these languages, it terminates execution.

Exploring the (Not So) Secret Code of Black Hunt Ransomware
Figure 5 - Hardcoded list of languages

Following language detection, the malware attempts to establish an internet connection by calling the `getaddrinfo` function to resolve the domain ip-api.com.

The ransomware checks if `BlackKeys` mutex exists, and if not, it creates it by using `CreateMutexA` API.

Next,the malware begins a key initialization process. First, it attempts to load a key by using `CryptImportKey` with a buffer containing the key. It looks for the key in files named C:\ProgramData\#BlackHunt_Public.key and C:\ProgramData\#BlackHunt_Private.key, and also verifies the presence of C:\ProgramData\#BlackHunt_ID.txt. If the key loading fails, the malware switches to generating a 128-bit RSA key pair.

After initializing encryption keys, the ransomware creates a HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2 registry key to define settings for files with `.Hunt2` extension.It adds a `DefaultIcon` registry key under `.Hunt2` and assigns a default value to the dropped icon file.

Next, the ransomware creates a new {2C5F9FCC-F266-43F6-838DAE269E11} value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key and sets it data to C:\ProgramData\#BlackHunt_ReadMe.hta that will make the `.hta` file be executed on reboot.This file is a Black Hunt ransom note. Here we can notice additional proof of reuse of Lockbit ransomware code by BlackHunt operators, the value name is identical to the one LockBit 2.0 used in their attacks.

The Black Hunt ransomware makes several modifications to the Windows registry to disable security measures, alter system functionality, and potentially limit user control over the system. Below are the commands used


































CommandAction
/c reg add "HKEY_LOCAL_MACHINE\Software\Classes.Hunt2" /f"Adds a registry key .Hunt2 under HKEY_LOCAL_MACHINE\Software\Classes\
/c reg add "HKEY_LOCAL_MACHINE\Software\Classes.Hunt2\DefaultIcon" /ve /t REG_SZ /d
"C:\ProgramData#BlackHunt_Icon.ico" /f");
Sets the default icon for .Hunt2 files to C:\ProgramData#BlackHunt_Icon.ico
/c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f");Adds a registry key Hunt2 under HKEY_LOCAL_MACHINE\Software\Classes\
/c reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /vAdds an entry to the Windows startup registry key to run C:\ProgramData#BlackHunt_ReadMe.hta
/c reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
/v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}"
/t REG_SZ /d "C:\ProgramData#BlackHunt_ReadMe.hta" /f");
Adds an entry to the Windows startup registry key to run C:\ProgramData#BlackHunt_ReadMe.hta
SHChangeNotify(0x8000000, 0, 0, 0);Notifies the system of changes that might require refreshing icons or interface elements

The list of modified registries can be found in the IOC section or on the Rapid7 Labs GitHub page.

Afterward, the malware checks for various command-line arguments, and its execution flow depends on which arguments are set.

`-p` flag

If set, it proceeds to sets persistence by creating scheduled tasks to execute the malware upon system startup using the command /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "%s" /F.

`-safemode` flag

If it is, the malware configures the safe mode setting to ensure its execution after the system boots in safe mode, after which it restarts the machine. For more information on that technique check the Safe Mode section of this article.

If the `-safemode` flag is not set, the malware creates ransom note, primary and secondary contact emails `[email protected]` and `[email protected]`, respectively, a placeholder ID for infected machines, and the Tor address http[:]//sdif9821kjsdvcjlksaf2kjhlksvvnktyoiasuc921f.

`-update`  flag

If set, the malware drops `#BlackHunt_Update.hta` to the C:\ProgramData directory and executes it. The purpose of that flag is to create a fake Windows Update screen while encrypting the victim's data. After that, the malware empties the recycle bin by calling `SHEmptyRecycleBinW`.

`-kill` flag

If set, the malware enumerates running processes and terminates 130 predefined processes and services. The full list of processes and services can be found in the IOC section or on the Rapid7 Labs GitHub page.

After completing its service termination routine, the malware tries to access the registry key SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, known for storing system policies such as User Account Control (UAC) settings. If successful, it modifies two registry values: `EnableLUA` and `EnableLinkedConnections`.

Exploring the (Not So) Secret Code of Black Hunt Ransomware
Figure 6-UAC settings modification

By setting`EnableLUA` to 0, the malware effectively disables this security feature, granting itself elevated privileges without user intervention. Additionally, the malware sets the `EnableLinkedConnections` registry key, allowing any user to see network drives that were mapped for other users. This gives ransomware the ability to gain access to sensitive network resources.The malware invokes the `RefreshPolicyEx` API function to enforce the modifications made.

Next, the malware manipulates shadow storage. For conventional disk types, such as DRIVE_FIXED, it executes commands like /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB. For disk types not explicitly specified, such as DRIVE_RAMDISK, it uses /c vssadmin resize shadowstorage /for=C:\ /on=C:\

Afterwards , the malware removes the shadow copies using vssadmin.exe Delete Shadows /all /quiet and disables automatic repair by executing bcdedit /set {default} recoveryenabled No.

Exploring the (Not So) Secret Code of Black Hunt Ransomware
Figure 7- Shadow storage manipulation

Next, the attackers execute a sequence of commands to clean up the system and implement critical modifications.


























CommandDescription
bcdedit /set {default} bootstatuspolicy IgnoreAllFailuresAdjusts boot status policy for normal booting despite failures, blocking access to System Image Recovery
fsutil.exe usn deletejournal /disks (D and C)Deletes Volume USN Journal on disks D and C, disrupting file system change tracking
wbadmin.exe delete catalog -quietSilently removes backup catalogs, erasing backup data
Disables System Restore tasks with scHalts System Restore functionality, limiting recovery options

If the  `-scanner` flag is set the ransomware will attempt to retrieve the ARP cache table and scan the addresses using the servername as a parameter. This function utilizes `NetShareEnum` to gather information about network shares on a given server.

Finally,  the encryption routine starts. Encrypted files renamed with  `.Hunt2` extension. After the encryption, the ransomware deletes itself, and the ransom note is displayed to the user.

Exploring the (Not So) Secret Code of Black Hunt Ransomware
Figure 8 - Black Hunt ransomware note

Additional functionality

Spreading mechanism

Ransomware tries to enumerate shares on the localhost (127.0.0.1) using  `NetShareEnum`. If shares are found and no error occurs, the malware tries to process  drive paths. It checks each path for specific conditions met and that the path is not a remote path. If these conditions are met, it processes the argument as a local drive path by extracting the drive letter and formatting it as \127.0.0.1{drive_letter}.

The malware attempts to locate a NAS server and paths to files on removable drives. Additionally, it searches for shared folders and attempts to spread by enumerating local shared folders using `NetShareEnum`. If a network share is found, it copies itself to the share using `CopyFileW`. After spreading, it clears setup event logs by executing cmd /c wevtutil.exe.

Safe mode

If the `-safemode` argument is set, the malware executes the encryption process in Safe Mode. To ensure execution after rebooting in Safe Mode, the malware sets up the system as follows:

1) Obtains a user environment variable.

2) Executes the net user username `Black_Hunt_2.0` command to set a new user password.

3) Adds a new `AutoAdminLog` value under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and sets it to 1, enabling auto login in Windows.

4) Creates a `DefaultUserName` value under the same registry key and sets it.

5) Creates a `DefaultPassword` registry value and sets it to the changed password.

6) Executes the /c bootcfg /raw /a /safeboot:network /id 1 and /c bcdedit /set {current} safeboot network commands to force the computer to boot into Safe Mode with Networking.

7) Creates a new`BackToNormal` value under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce and sets it to bcdedit /deletevalue {current} safeboot" /f.

8) Sets an additional value under the `RunOnce` key named `BlackHunt` and sets it to the current malware running path.

9) Finally, restarts the system by executing shutdown /r /t 7 /f

Rapid7 Customers

For Rapid7 MDR and InsightIDR customers, the following Attacker Behavior Analytics (ABA) rules are currently deployed and alerting on the activity described in this blog:

  • Suspicious Process - Delete File Shadow Copies With PowerShell
  • Attacker Technique - Rundll32 Running DLL in Root of ProgramData
  • Suspicious Process - Regsvr32.exe Registering DLL in ProgramData
  • Persistence - Run Key Added by Reg.exe
  • Suspicious Registry Event - Unusual Registry Run Keys
  • Attacker Technique - Disabling UAC Remote Restrictions
  • Suspicious Registry Edit - Shell\Open\Command Edited, Possible UAC Bypass
  • Attacker Technique - Reg.exe disabling the User Access Control (UAC) remote restriction
  • Suspicious Process - Possible UAC Bypass via MMC.exe
  • Attacker Technique - Svchost.exe Spawns cmd.exe Executing Scheduled Task
  • Persistence - SchTasks Creating A Task Pointed At Users Temp Or Roaming Directory
  • Ransomware - LockBit Command-Line Arguments
  • Suspicious Process - VSSADMIN List and Create Shadow Commands (MVD detection)
  • Suspicious Registry Event - BCDEDIT Safeboot Minimal
  • UAC Bypass - Notepad Launching CMD or PowerShell
  • Defense Evasion - Disabling Multiple Security or Backup Products (MVD detection)
  • Suspicious Process - Diskshadow (Windows Server) Delete Shadow Copies

MITRE ATT&CK Techniques

|
















































































































TacticTechnique**Details
ExecutionNative API (T1106)The ransomware may execute its malicious activities by interacting with system APIs.
PersistenceScheduled Task/Job: Scheduled Task (T1053.005 )Black Hunt sets persistence by creating scheduled tasks to execute the malware upon system startup using the command
PersistenceBoot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)Modifies the Windows Registry to establish persistence, ensuring it runs automatically upon system startup.
Privilege EscalationAbuse Elevation Control Mechanism: Bypass User Account Control (T1548.002 )Black Hunt grants itself elevated privileges without user intervention by modifying registry values: EnableLUA and EnableLinkedConnections.
Defense Evasion, Privilege EscalationAccess Token Manipulation (T1134)Black Hunt manipulate access tokens, granting itself privileges to perform various actions on the system
Defense EvasionModify Registry (T1112)Modifies registry keys to disable security features, alter system configurations, and establish persistence.
Defense EvasionImpair Defenses: Disable or Modify Tools (T1562.001)Black Hunt disables security tools to avoid possible detection of their malware/tools and activities
Defense EvasionFile Deletion ( T1070.004 )Black Hunt empties the Windows Recycle Bin to permanently delete files and prevent recovery attempts.
Defense EvasionIndicator Removal on Host: Clear Windows Event Logs (T1070.001)The ransomware clears Windows Event Logs to erase evidence.
Defense EvasionImpair Defenses: Safe Mode Boot (T1562.009)Black Hunt disable endpoint defenses
Defense EvasionHide Artifacts: Hidden Window (T1564.003)Black Hunt uses a hidden window to conceal malicious activity from the plain sight of users.
DiscoveryNetwork Service Discovery (T1046)Black Hunt lists services running on the local network
DiscoverySystem Location Discovery: System Language Discovery (T1614.001)Black Hunt gather information about the system language of a host in order to infer the geographical location of that host
DiscoveryNetwork Share Discovery (T1135)Black Hunt enumerates shared network drives and folders to access other systems
DiscoveryFile and Directory Discovery (T1083)Black Hunt enumerates files and directories to identify whether certain objects should be encrypted
DiscoveryProcess Discovery (T1057)Black Hunt performs process discovery/enumeration to terminate processes that could interfere with the encryption process.
ImpactInhibit System Recovery (T1490)Deletes backups, volume shadow copies, and disables automatic repair and recovery features.
ImpactData Encrypted for Impact (T1486)Black Hunt is capable for encrypting victim’s files
ImpactService Stop (T1489)Stops certain services, such as those related to backup, security software, and others

IOCs


































































AttributeValueDescription
mutexBLACK_HUNTMutex used by the ransomware
mutexBaseNamedObjects\BlackKeysMutex used by the ransomware
sha256C25F7B30D224D999CE337A13224C1CDE9FFB3F415D7113548DE9914A1BB3F123#BlackHunt_Update.hta file
primary emailTeikobest@gmail dot comPrimary contact email for ransom
secondary emailLoxoclash@gmail dot comSecondary contact email for ransom
Tor addresshttp[://]sdif9821kjsdvcjlksaf2kjhlksvvnktyoiasuc921f
sha25674df3452a6b9dcdba658af7a9cf5afb09cce51534f9bc63079827bf73075243bBlack Hunt ransomware
sha25635619594724871138875db462eda6cf24f2a462e1f812ff27d79131576cd73abBlack Hunt ransomware
sha25632877793a1e0d72235e9e785e1f55592c32c9f08b73729815b8103b09a54065fBlack Hunt ransomware
sha2567eea62dcae4e2e5091dd89959529ae047071415a890dda507db4c53b6dcab28bBlack Hunt ransomware
sha25613a5c3b72f81554e04b56d960d3a503a4b08ec77abb43756932a68b98dac1479Black Hunt ransomware

Registry Modified by Black Hunt Ransomware






























































Registry ModificationDescription
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run {2C5F9FCC-F266-43F6-BFD7-838DAE269E11} REG_SZ C:\ProgramData#BlackHunt_ReadMe.htaAdds a startup entry to run a file at system startup
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender DisableAntiSpyware REG_DWORD 1Disables Windows Defender anti-spyware protection
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection DisableRealtimeMonitoring REG_DWORD 1Disables Windows Defender real-time monitoring
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet SubmitSamplesConsent REG_DWORD 2Sets the consent level for submitting samples to Microsoft
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats Threats_ThreatSeverityDefaultAction REG_DWORD 1Sets default actions for threats detected by Windows Defender
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction Low, Medium, High, Severe REG_DWORD 6Sets default actions for threats of different severities
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration Notification_Suppress REG_DWORD 1Suppresses Windows Defender notifications
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer NoClose, StartMenuLogOff REG_DWORD 1Disables the ability to close the Start Menu and log off
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System DisableChangePassword, DisableLockWorkstation, NoLogoff, DisableTaskMgr REG_DWORD 1Disables various system functionalities such as changing password, locking workstation, logging off, and task manager
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore DisableConfig, DisableSR REG_DWORD 1Disables System Restore configuration and functionality
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE DisableSetup REG_DWORD 1Disables Windows Recovery Environment setup
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client DisableBackupLauncher, DisableRestoreUI, DisableSystemBackupUI, DisableBackupUI REG_DWORD 1Disables various backup client functionalities
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer NoRun REG_DWORD 1Disables the ability to run programs

References

https://twitter.com/RakeshKrish12/status/1597839380558716928

https://twitter.com/malwrhunterteam/status/1744499152011104549

https://blog.sonicwall.com/en-us/2021/09/lockbit-2-0-the-ransomware-behind-the-accenture-breach/

https://blog.sonicwall.com/en-us/2023/02/vohuk-ransomware-uses-cipher-exe-making-files-recovery-impossible/


Rapid7 Labs GitHub

https://github.com/rapid7/Rapid7-Labs/blob/main/IOCs/BlackHunt.txt



Source: Rapid7
Source Link: https://blog.rapid7.com/2024/02/05/exploring-the-not-so-secret-code-of-blackhunt-ransomware-2/


Comments
new comment
Nobody has commented yet. Will you be the first?
 
Forum
Red Team (CNA)



Copyright 2012 through 2024 - National Cyber Warfare Foundation - All rights reserved worldwide.