On the 30th of May 2021, a ransom demand was offered to the Indian lending banking software, Nucleus Ltd, encrypting part of their database with a link to a Ransom negotiation page ‘blackcocaine.top’.
Nucleus Ltd remains steadfast that no financial or personal data were affected and that data leakage is out of the picture.
Noteworthy banks/companies are partnered with the said banking software. Some of the confirmed names include Bajaj Finserv, Bank of Muscat, Centrum, DCB Bank, HDFC Bank, ICICI Bank, IndusInd Bank, L&T Finance and SMC Finance.
As of the moment, http://blackcocaine.top/ is down. Although we have been monitoring the site, there is no leaked data yet from the Ransomware Gang. But if Nucleus Ltd will not take action, the data might get leaked soon on an onion site. According to external sources, Nucleus is the first victim of the ransomware gang. Based on the WHOIS details, the domain was recently registered on the 28th of May 2021. It is also scheduled to expire the following year. We are currently monitoring the dark web for any alternative ransom site and possible data leak.
The malware works in a way that, like regular ransomware, it encrypts file for ransom purposes and at the same time exfiltrates the data. Once the ransom mechanism is functional, it will send a personal negotiation site to the victim to demand payment to decrypt the files. According to external cyber expert resources, the payload file is a UPX-packed 64-bit Windows .exe file, made via the Go programming language and organised using the MinGW tool.
The ransomware file unleashed by BlackCocaine has numerous anti-VM and anti-debugging techniques to defend itself from being analysed and detected by AI-powered analysis apps. Independent malware analysts needed to manually unpack the ransomware payload to discover and find out the original entry point. Also, the ransomware file uses the AES and RSA encryption methods. It is also noted by the malware analyst that the ransomware drops ransom notes with the following filename on a victim’s device
“HOW_TO_RECOVER_FILES.BlackCocaine.txt”
Advanced Threat Actors will use innovative strategies to make a good entry point in the Blackhat scene; this BlackCocaine ransomware is one good example of a new strain of ransomware that is currently undetectable by automated analysis tools. BlackCocaine taking action while the method is undetected will ensure that they will have more victims before it becomes an auto detectable strain.
iZOOlogic advises companies and individuals to keep a backup of their data and system and store critical files in secured storage disconnected from their machines to mitigate ransom and exfiltration risks. The proper backup plan will prevent potential victims from paying the ransom amount.