Security researchers at Cyble recently investigated an attack, on 30 May 2021, on Nucleus Software, an Indian IT company serving the banking and financial services sector. The company reported the security breach to the Bombay Stock Exchange (BSE) and the National Stock Exchange of India (NSEI). Nucleus Software stated that it does not store customers' financial data.
Cyble researchers found that the company had fallen victim to the BlackCocaine ransomware gang.
Like other ransomware gangs, the group behind this threat operates its own site (hxxp://blackcocaine[.]top), which was registered shortly before the gang began operating.
In a related blog post, Cyble writes: "Based on the analysis, the Cyble research team found that Nucleus Software is the first victim of the BlackCocaine ransomware gang. WHOIS domain information reveals that the BlackCocaine ransomware domain was registered on May 28, 2021."
The researchers also pointed out that a file named a.BlackCocaine had recently been submitted to several public sandboxes.
The ransomware enumerates the files on the system, encrypts them and appends the extension ".BlackCocaine" to the names of the encrypted files. The researchers added that the ransomware uses AES and RSA encryption.
Once the files are encrypted, the ransomware drops a ransom note named "HOW_TO_RECOVER_FILES.BlackCocaine.txt" on the victim's device.
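The two file-system artefacts described above (the ".BlackCocaine" extension and the ransom note file name) are the indicators an incident responder would sweep a host for first. The scanner below is an added example written for this page, not Cyble's tooling or anything from the gang; the directory tree it scans is constructed in a temporary folder so the script runs offline.

```python
"""Sweep a directory tree for BlackCocaine file-system indicators:
files renamed with the ".BlackCocaine" extension and the ransom note
"HOW_TO_RECOVER_FILES.BlackCocaine.txt".  Added example; the sample tree
is constructed here and is not real victim data."""
import os
import tempfile
from dataclasses import dataclass, field

ENCRYPTED_EXT = ".BlackCocaine"
RANSOM_NOTE = "HOW_TO_RECOVER_FILES.BlackCocaine.txt"


@dataclass
class ScanResult:
    encrypted_files: list = field(default_factory=list)
    ransom_notes: list = field(default_factory=list)

    @property
    def hit(self) -> bool:
        """True if either indicator was seen anywhere under the root."""
        return bool(self.encrypted_files or self.ransom_notes)


def scan_tree(root: str) -> ScanResult:
    """Walk `root` and collect every path matching one of the two indicators.
    Names are compared case-insensitively because NTFS is case-insensitive.
    Symlinks are not followed, so a crafted link cannot pull the scan out
    of the tree being examined."""
    result = ScanResult()
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            path = os.path.join(dirpath, name)
            lowered = name.lower()
            if lowered == RANSOM_NOTE.lower():
                result.ransom_notes.append(path)
            elif lowered.endswith(ENCRYPTED_EXT.lower()):
                result.encrypted_files.append(path)
    return result


def build_sample_tree() -> str:
    """Constructed sample (not real data): a temp directory imitating a hit
    host with three encrypted documents, a ransom note in two folders and
    one untouched file."""
    root = tempfile.mkdtemp(prefix="bc_demo_")
    os.makedirs(os.path.join(root, "Documents"))
    for rel in ("Documents/report.docx.BlackCocaine",
                "Documents/ledger.xlsx.BlackCocaine",
                "notes.txt.BlackCocaine",
                "Documents/" + RANSOM_NOTE,
                RANSOM_NOTE,
                "untouched.txt"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("placeholder\n")
    return root


def demo() -> ScanResult:
    """Scan the constructed tree; expected: 3 encrypted files, 2 notes."""
    return scan_tree(build_sample_tree())


if __name__ == "__main__":
    r = demo()
    print(f"encrypted={len(r.encrypted_files)} notes={len(r.ransom_notes)} hit={r.hit}")
```

On a real host, point `scan_tree` at each mounted volume and treat any hit as a trigger for isolation; an extension match on a single file is already a strong signal because legitimate software does not produce this suffix.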
BlackCocaine is written in Go and was built with the MinGW toolchain. The payload is a UPX-packed 64-bit Windows executable. It was compiled on May 29, 2021 and employs numerous anti-VM and anti-debugging techniques.
It should be noted, however, that experts have not yet identified the initial infection vector of BlackCocaine.
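The payload traits listed above (64-bit PE, stock UPX packing, a compile timestamp, and a Go build) can all be read from the file headers in a few seconds of static triage. The script below is an added example for this page and is not Cyble's analysis code; the two PE images it inspects are constructed in memory, not BlackCocaine samples, and their section names and timestamp are chosen to mirror the traits the article describes.

```python
"""Static PE triage: is the image 64-bit, does it carry stock UPX section
names, when was it compiled, and is a Go build ID string present?
Added example; both PE images below are constructed, not real malware."""
import struct
from datetime import datetime, timezone

IMAGE_FILE_MACHINE_AMD64 = 0x8664   # Machine field for x64
PE32PLUS_MAGIC = 0x20B              # optional-header magic for 64-bit images
COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40


def triage_pe(data: bytes) -> dict:
    """Parse DOS header -> PE signature -> COFF header -> section table.
    Raises ValueError for anything that is not a well-formed PE."""
    if len(data) < 64 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsec, stamp, _, _, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 4 + COFF_HEADER_SIZE
    opt_magic = struct.unpack_from("<H", data, opt_off)[0] if opt_size >= 2 else 0
    sec_off = opt_off + opt_size
    if sec_off + nsec * SECTION_HEADER_SIZE > len(data):
        raise ValueError("section table truncated")
    names = []
    for i in range(nsec):
        start = sec_off + i * SECTION_HEADER_SIZE
        names.append(data[start:start + 8].rstrip(b"\0").decode("ascii", "replace"))
    return {
        "x64": machine == IMAGE_FILE_MACHINE_AMD64 and opt_magic == PE32PLUS_MAGIC,
        "compiled": datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat(),
        "sections": names,
        # stock UPX names its sections UPX0/UPX1; a renamed packer will not match
        "upx_packed": any(n.startswith("UPX") for n in names),
        # Go binaries embed 'Go build ID: "..."'; hidden until the packer is removed
        "go_build_id": b"Go build ID:" in data,
    }


def build_pe(machine: int, sections: list, stamp: int, tail: bytes = b"") -> bytes:
    """Constructed minimal PE: 64-byte DOS header, COFF header, a zeroed
    optional header carrying only the magic, and a section table."""
    opt_size = 240
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)              # e_lfanew -> right after DOS header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", machine, len(sections), stamp,
                                   0, 0, opt_size, 0x0022)
    magic = PE32PLUS_MAGIC if machine == IMAGE_FILE_MACHINE_AMD64 else 0x10B
    opt = struct.pack("<H", magic) + bytes(opt_size - 2)
    secs = b"".join(n.encode().ljust(8, b"\0") + bytes(SECTION_HEADER_SIZE - 8)
                    for n in sections)
    return bytes(dos) + coff + opt + secs + tail


def demo() -> tuple:
    """Triage a constructed UPX-packed x64 image with the article's compile date,
    and a constructed unpacked image that exposes a Go build ID string."""
    stamp = int(datetime(2021, 5, 29, tzinfo=timezone.utc).timestamp())
    packed = build_pe(IMAGE_FILE_MACHINE_AMD64, ["UPX0", "UPX1", ".rsrc"], stamp)
    plain = build_pe(IMAGE_FILE_MACHINE_AMD64, [".text", ".rdata", ".data"], stamp,
                     tail=b'Go build ID: "constructed-example"\0')
    return triage_pe(packed), triage_pe(plain)


if __name__ == "__main__":
    for label, info in zip(("packed", "unpacked"), demo()):
        print(label, info)
```

The UPX check only recognises stock section names; the packer can be run with its sections renamed, in which case entropy or `upx -d` failing to unpack are the next signals. The Go build ID and the Go runtime strings only become visible once the packer layer is removed, so run this twice: once on the sample as received and once after unpacking.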
The researchers' report states: "BlackCocaine is the latest addition to the ransomware group and seems to be one of the most sophisticated and actively executed malware. This ransomware family follows the same server-side encryption model to lock user documents and request a ransom."
Source: securityaffairs.co