"BlackCat Ransomware Uses New 'Munchkin' Linux VM in Stealthy Attacks"

The BlackCat/ALPHV ransomware operation is now using a new tool named Munchkin, which uses Virtual Machines (VMs) to stealthily launch encryptors on network devices. Munchkin allows BlackCat to execute on remote systems or encrypt Server Message Block (SMB) or Common Internet File System (CIFS) network shares. Adding Munchkin to BlackCat's extensive and sophisticated arsenal makes the Ransomware-as-a-Service (RaaS) operation more appealing to cybercriminals seeking to work with the ransomware. According to Palo Alto Networks Unit 42, BlackCat's new Munchkin tool is a customized Alpine OS Linux distribution that arrives as an ISO file. After compromising a device, the threat actors install VirtualBox and use the Munchkin ISO to create a new VM. This Munchkin VM contains a collection of scripts and utilities that enable threat actors to dump passwords, move laterally on the network, build a BlackCat Sphynx encryptor payload, and run programs on network computers. This article continues to discuss the BlackCat/ALPHV ransomware operation using the new Munchkin tool.

Bleeping Computer reports "BlackCat Ransomware Uses New 'Munchkin' Linux VM in Stealthy Attacks"

Submitted by grigby1