The BlackCat/ALPHV ransomware operation is now using a new tool called ‘Munchkin,’ which leverages virtual machines for stealthy deployment of encryptors on network devices.
Munchkin allows BlackCat to operate on remote systems and encrypt Server Message Block (SMB) or Common Internet File System (CIFS) network shares.
Munchkin is a customized Alpine OS Linux distribution delivered as an ISO file. After compromising a device, threat actors install VirtualBox and create a new virtual machine using the Munchkin ISO. The Munchkin virtual machine equips threat actors with various scripts and utilities for lateral network movement, BlackCat ‘Sphynx’ encryptor payload creation, and program execution on network computers.
Upon boot, Munchkin changes the root password, and the ‘controller’ executes Rust-based malware. The ‘controller’ relies on a bundled configuration file for victim credentials, authentication secrets, and more.
From this configuration, custom BlackCat encryptor executables are generated in the /payloads/ directory and used to encrypt files or network shares. To prevent access token leakage, BlackCat advises affiliates to delete Munchkin virtual machines and ISOs after use.
Munchkin aids BlackCat affiliates in bypassing security solutions by using virtual machines for isolation. The use of Alpine OS minimizes the digital footprint, and automated operations reduce manual interventions. Munchkin’s modularity, featuring Python scripts and unique configurations, enables customization for specific targets or campaigns.
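For defenders, the staging sequence described above (a desktop hypervisor installed on a compromised host, then a VM created and booted from an ISO) is itself a detectable pattern. The following Python sketch is an added example, not code from the original article or from BlackCat's tooling; it scans constructed process-creation events for that sequence on hosts with no business running a hypervisor. The host allowlist, event schema, file names and sample events are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

AUTHORIZED_VM_HOSTS = {"dev-lab-01"}  # assumed allowlist of hosts expected to run a hypervisor
INSTALLER_RE = re.compile(r"virtualbox-[\d.]+.*\.exe$|virtualbox.*\.msi", re.I)
VBOX_CLI_RE = re.compile(r"^vboxmanage(\.exe)?$", re.I)
STAGING_VERB_RE = re.compile(r"\b(createvm|startvm|unattended)\b", re.I)
ISO_RE = re.compile(r'--medium\s+"?([^\s"]+\.iso)\b', re.I)


def detect_vm_staging(events, window=timedelta(minutes=30)):
    """Return (host, reason, detail) alerts, in time order, for VirtualBox being
    installed and then used to create/boot a VM from an ISO on a non-VM host.
    events: process-creation dicts with keys host, ts (datetime), image, cmdline."""
    alerts, install_ts = [], {}  # install_ts: host -> when the installer ran
    for ev in sorted(events, key=lambda e: e["ts"]):
        host, ts, cmd = ev["host"], ev["ts"], ev["cmdline"]
        image = ev["image"].replace("\\", "/").rsplit("/", 1)[-1]  # basename
        if host in AUTHORIZED_VM_HOSTS:
            continue
        if INSTALLER_RE.search(image) or (image.lower() == "msiexec.exe" and INSTALLER_RE.search(cmd)):
            install_ts[host] = ts
            alerts.append((host, "hypervisor_installed", image))
        elif VBOX_CLI_RE.search(image):
            iso = ISO_RE.search(cmd)
            if iso:  # ISO attached as a DVD medium: the live-OS-in-a-VM pattern
                alerts.append((host, "iso_attached_to_vm", iso.group(1)))
            verb = STAGING_VERB_RE.search(cmd)
            if verb:
                fresh = host in install_ts and ts - install_ts[host] <= window
                reason = "vm_lifecycle_after_fresh_install" if fresh else "vm_lifecycle_on_non_vm_host"
                alerts.append((host, reason, verb.group(1).lower()))
    return alerts


# Constructed sample telemetry for this example; not real logs.
T, VBM = datetime(2023, 10, 20, 10, 0), r"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe"
SAMPLE_EVENTS = [
    {"host": "fs-01", "ts": T, "image": r"C:\Users\svc\Downloads\VirtualBox-7.0.10-Win.exe", "cmdline": "VirtualBox-7.0.10-Win.exe --silent"},
    {"host": "fs-01", "ts": T + timedelta(minutes=4), "image": VBM, "cmdline": "VBoxManage.exe createvm --name box1 --ostype Linux26_64 --register"},
    {"host": "fs-01", "ts": T + timedelta(minutes=5), "image": VBM, "cmdline": r"VBoxManage.exe storageattach box1 --storagectl IDE --port 0 --device 0 --type dvddrive --medium C:\tmp\live.iso"},
    {"host": "fs-01", "ts": T + timedelta(minutes=6), "image": VBM, "cmdline": "VBoxManage.exe startvm box1 --type headless"},
    {"host": "dev-lab-01", "ts": T + timedelta(hours=1), "image": VBM, "cmdline": "VBoxManage.exe startvm lab --type headless"},  # allowlisted
    {"host": "ws-07", "ts": T + timedelta(hours=2), "image": VBM, "cmdline": "VBoxManage.exe list vms"},  # query only
    {"host": "ws-09", "ts": T + timedelta(hours=3), "image": VBM, "cmdline": "VBoxManage.exe startvm box2 --type headless"},  # no installer seen
]

if __name__ == "__main__":
    for alert in detect_vm_staging(SAMPLE_EVENTS):
        print(*alert)
```

The allowlisted host produces nothing, a bare `list vms` query produces nothing, and only the fresh-install-then-VM chain on the file server is rated as the staging sequence.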
BlackCat emerged in 2021 as a Rust-based ransomware operation and has continued to evolve. Notable victims in 2023 include Florida Circuit Court, MGM Resorts, Motel One, and others.