BlackCat Ransomware Leveraging Remote Monitoring Tools to Encrypt Azure Storage

BlackCat Ransomware variant Sphynx has been newly identified with additional features used for encrypting Azure Storage accounts. This Sphynx variant of BlackCat was first discovered in March and was upgraded in May, which added the Exmatter exfiltration tool. 

Another version of Sphynx was released in August, which included new command-line arguments that can override the credentials inside the config files obtained from compromised systems.

Microsoft published a post in August that mentioned the inclusion of Impacket (for credential dumping and remote service execution) and Remcom tools. In addition, it also consisted of some compromised credentials that are used for lateral movement and further ransomware deployment.

“This BlackCat version also has the Remcom hacktool embedded in the executable for remote code execution. The file also contains hardcoded compromised target credentials that actors use for lateral movement and further ransomware deployment.” reads the thread by Microsoft on Twitter.

Threat Actors Access Azure portal

Threat actors could steal Azure keys by accessing the customer’s Azure portal. These keys were then base64 encoded and embedded with the ransomware binary with command line executions.

An -o argument was included in the command line arguments, which targets an Azure storage account name and access key; this binary was executed multiple times with 39 unique Azure Storage accounts, resulting in encrypting them with ransomware.

FREE Webinar

Live DDoS Attack Simulation

Attend the Live DDoS Website & API Attack Simulation webinar to gain knowledge on various types of attacks and how to prevent them.

During this operation, threat actors used tools like AnyDesk, SplashTop, and Atera combined with the Chrome browser to access the LastPass vault browser extension. Moreover, threat actors also obtained OTP for accessing the Sophos Central account for managing other Sophos products.

On investigating further, it was found that threat actors proceeded to change the security policies and tamper protection before encrypting the systems and Azure Storage accounts with IzBEIHCMxAuKmis6.exe with the extension .zk09cvt. 

Ransomware note (Source: @SophosXOps/

Notable Change

Denoting the changes mentioned by IBM, this Sphynx variant of BlackCat does not include -access-token parameter but instead it now uses keys like ‘-8UwUubTNYzygbQPJF -x_ -NI3_zn6Jr -U8Z -hedu5PO -CBJC7jzy -HFVmgW -DK3rdo’ and includes a set of more complex arguments.

Sophos provides detailed information about the operation, source code, and indicators of compromise of this variant of BlackCat.

It is highly recommended that organizations implement and adhere to necessary precautions and measures to effectively prevent and combat the occurrence of ransomware attacks. Such proactive and vigilant steps can significantly reduce the risk of devastating consequences that may result from these malicious attacks.

Keep informed about the latest Cyber Security News by following us on Google NewsLinkedinTwitter, and Facebook.


Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

BlueNoroff: New Malware Attacking MacOS Users

Researchers have uncovered a new Trojan-attacking macOS user that is associated with the BlueNoroff APT group and their ongoing RustBucket campaign.  As…

47 mins ago

Serpent Stealer Acquires Browser Passwords and Erases Intrusion Logs

Beneath the surface of the cyber realm, a silent menace emerges—crafted with the precision of the .NET framework, the Serpent…

1 hour ago

Doppelgänger: Hackers Employ AI to Launch Highly sophistication Attacks

It has been observed that threat actors are using AI technology to conduct illicit operations on social media platforms. These…

3 hours ago

Kali Linux 2023.4 Released – What’s New!

Kali Linux 2023.4, the latest version of Offensive Security's renowned operating system, has been released, and it includes the advanced…

8 hours ago

Trickbot Malware Developer Pleads Guilty & Faces 35 Years in Prison

A 40-year-old Russian national, Vladimir Dunaev, pleaded guilty for developing and deploying Trickbot malware. Trickbot, a suite of malware tools,…

10 hours ago

ICANN Launches RDRS to Assist Law Enforcement Agencies to Discover Private Info

ICANN is a non-profit organization that is responsible for coordinating the global internet's- DNS IP address allocation This organization manages…

14 hours ago