SentinelOne Vs. BlackCat on Linux – Prevention

⚔️ See how SentinelOne prevents BlackCat on Linux. BlackCat (aka AlphaVM, AlphaV) is a newly established RaaS (Ransomware as a Service) with payloads written in Rust. Current data indicates primary delivery of BlackCat is via 3rd party framework/toolset (aka Cobalt Strike) or via exposed (and vulnerable) applications.

BlackCat currently supports both Windows and Linux operating systems. Samples analyzed require an “access token” to be supplied as a parameter upon execution. This is similar to threats like Egregor, and is often used as an anti-analysis tactic. In addition, BlackCat (on Windows) will attempt to Delete VSS (Volume Shadow Copies), as well as enumerate local/accessible drives to affect eligible files. Extensions on encrypted files can vary across samples. Infected users are instructed to connect to the attackers’ payment/support portal (via TOR).