BlackCat Ransomware Exploits Fake WinSCP Site in Malvertising Campaign: Details and Impact on Constellation Software

The BlackCat ransomware group, also known as ALPHV, is running a malvertising campaign that lures people to a fake page

The BlackCat ransomware group, also known as ALPHV, is running a malvertising campaign that lures people to a fake page impersonating the official website of the WinSCP file transfer application for Windows. WinSCP (Windows Secure Copy) is a popular free and open-source client and file manager that transfers files over SCP, SFTP, FTP and S3, with SSH support; it sees around 400,000 weekly downloads on SourceForge alone.

BlackCat uses the lure to infect the computers of web administrators, IT professionals and system administrators, a population whose machines give the group initial access to corporate networks. Analysts at Trend Micro uncovered the campaign while investigating an ALPHV ransomware infection: search ads on Google and Bing promote the fake page. Victims who search for "WinSCP Download" are shown sponsored results, placed above the legitimate WinSCP download sites, that promote a page on performing automatic file transfers. Those intermediate sites contain nothing malicious themselves (a clean landing page is less likely to be flagged by the ad platform's review) but redirect visitors to a clone of the official WinSCP site that displays a download button.
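A defender who gets the redirect chain from a proxy log or from a search-ad click cannot eyeball every hostname against the brand being impersonated. The following is an added example, not code from the article or from Trend Micro, that flags hostnames whose registrable label is a typosquat or homoglyph variant of "winscp". The allowlist of legitimate distribution domains, the substitution table and the single-label public-suffix assumption are all assumptions made for the example.

```python
import re

BRAND = "winscp"
# Registrable domains that legitimately distribute WinSCP (the official site and
# SourceForge, both named on the page). Anything else resembling the brand is suspect.
LEGITIMATE = {"winscp.net", "sourceforge.net"}

# Substitutions commonly used in typosquats; this table is an assumption for the example.
SUBSTITUTIONS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalize(label: str) -> str:
    """Lower-case a DNS label, drop separators and undo common look-alike substitutions."""
    label = re.sub(r"[-_]", "", label.lower())
    for src, dst in SUBSTITUTIONS:
        label = label.replace(src, dst)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> tuple:
    """Return (registrable domain, second-level label). Assumes single-label public
    suffixes such as .net/.com; production code would consult the Public Suffix List."""
    parts = host.lower().strip(".").split(".")
    if len(parts) < 2:
        return host.lower(), host.lower()
    return ".".join(parts[-2:]), parts[-2]


def classify(host: str) -> str:
    """Return 'legit', 'lookalike' or 'unrelated' for one hostname."""
    domain, sld = registrable(host)
    if domain in LEGITIMATE:
        return "legit"
    norm = normalize(sld)
    # Exact match after normalisation (vvinscp, win-scp), one edit away (wlnscp),
    # or the brand embedded in a longer label (winscp-download, getwinscp).
    if norm == BRAND or levenshtein(norm, BRAND) <= 1 or BRAND in norm:
        return "lookalike"
    return "unrelated"


def lookalikes(hosts):
    """Hosts from a redirect chain or proxy log that impersonate the brand."""
    return [h for h in hosts if classify(h) == "lookalike"]


# Constructed sample: hostnames a proxy log might record along a search-ad click chain.
# These are made up for the example and are not indicators from the campaign.
SAMPLE_HOSTS = [
    "winscp.net", "downloads.sourceforge.net", "wlnscp.net", "winscp-download.com",
    "w1nscp.org", "vvinscp.net", "example.com", "win-scp.com",
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(f"{h:28} {classify(h)}")
```

The check is deliberately biased toward false positives: a hostname that merely contains the brand is flagged so a human can review it, and anything not on the allowlist is treated as untrusted even when it spells the brand correctly, which is exactly the case the clone site relies on.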

These copycat sites usually use a domain name similar to the real one. When the victim clicks the download button they receive an ISO file containing setup.exe and msi.dll. According to Trend Micro, running setup.exe loads msi.dll, which extracts a Python folder from the DLL's RCDATA resource section and also installs a genuine copy of WinSCP on the machine, so the victim ends up with the application they expected.
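The delivery chain described above leaves a distinctive trace on the endpoint: a file named msi.dll, which on a clean Windows system is the Windows Installer library under the system directory, is loaded from the same mounted ISO as setup.exe, and a Python interpreter is then launched from a freshly extracted folder. The following is an added example, not code from the article or from Trend Micro, that runs two such checks over constructed Sysmon-style events. The event field names follow Sysmon's schema (EventID 7 for image loads, EventID 1 for process creation); the system-directory list and the "python spawned by setup.exe" heuristic are assumptions made for the example, and the sample events are made up rather than taken from the campaign.

```python
import ntpath

# Directories where the genuine Windows Installer library msi.dll lives (assumption:
# a default Windows install; adjust for non-standard system roots).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Constructed Sysmon-style events, not real telemetry. D: stands for the mounted ISO.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"D:\setup.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "setup.exe"},
    {"EventID": 7, "Image": r"D:\setup.exe", "ImageLoaded": r"D:\msi.dll"},
    # Benign: msiexec loading the real msi.dll from System32.
    {"EventID": 7, "Image": r"C:\Windows\System32\msiexec.exe",
     "ImageLoaded": r"C:\Windows\System32\msi.dll"},
    {"EventID": 1, "Image": r"C:\Users\admin\AppData\Local\Temp\python\pythonw.exe",
     "ParentImage": r"D:\setup.exe", "CommandLine": "pythonw.exe"},
]


def _dir_and_base(path):
    """Split a Windows path into (lower-cased directory, lower-cased file name)."""
    directory, base = ntpath.split(path)
    return directory.lower().rstrip("\\"), base.lower()


def is_sideloaded_msi(event):
    """Image-load event where msi.dll comes from anywhere but the system directories."""
    if event.get("EventID") != 7:
        return False
    directory, base = _dir_and_base(event["ImageLoaded"])
    return base == "msi.dll" and directory not in SYSTEM_DIRS


def is_python_from_installer(event):
    """Process-creation event where a setup.exe parent launches a Python interpreter.
    Heuristic (assumption): a genuine WinSCP install does not ship or start Python."""
    if event.get("EventID") != 1:
        return False
    _, child = _dir_and_base(event["Image"])
    _, parent = _dir_and_base(event["ParentImage"])
    return child.startswith("python") and child.endswith(".exe") and parent == "setup.exe"


def hunt(events):
    """Return (rule, actor, target) findings for every event that trips a check."""
    findings = []
    for e in events:
        if is_sideloaded_msi(e):
            findings.append(("msi.dll loaded outside system dirs", e["Image"], e["ImageLoaded"]))
        if is_python_from_installer(e):
            findings.append(("python spawned by setup.exe", e["ParentImage"], e["Image"]))
    return findings


if __name__ == "__main__":
    for rule, actor, target in hunt(SAMPLE_EVENTS):
        print(f"{rule}: {actor} -> {target}")
```

Both checks are cheap to express as a SIEM query as well; the msi.dll rule in particular needs no knowledge of the campaign, since any process loading a DLL of that name from a removable or temporary path is worth a look. A genuine WinSCP install does not require an ISO, so a mounted image containing setup.exe next to a copy of msi.dll is itself the cue to pull the file for analysis.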

Canadian diversified software company Constellation Software is one organization hit by the group: it disclosed that some of its systems were breached by threat actors who also stole personal information and business data. The company added that it has contained the attack and restored all IT infrastructure affected in the incident. The ALPHV ransomware group claimed the attack, but Constellation has not said who was behind it or how the intruders gained access to its network. ALPHV, also known as BlackCat, added a new entry to its data leak site claiming to have broken into the company's network and stolen over 1 TB of files, and threatened to publish the stolen data if the company ignored the ransom demand and refused to negotiate.

The Federal Bureau of Investigation (FBI) said in April that ALPHV has an extensive network and experience in ransomware operations, having compromised more than 60 entities around the world between November 2021 and March 2022.

This article has described the tooling BlackCat used to gain access and steal data, and the group's threats and extortion against Constellation Software.