Sphynx is a new ransomware weapon. Why is this virus so much more dangerous than the previous ones?


ALPHV/BlackCat has no intention of losing ground and is constantly improving its malicious tooling.

The group behind the BlackCat ransomware recently unveiled an improved variant of its malware that prioritizes speed and stealth in order to bypass defenses and reach its goals.

The new version, dubbed Sphynx, was announced in February 2023 and contains "a number of updated features that contribute to avoiding detection," according to a new analysis by IBM Security X-Force.

The update was first noted by VX-Underground in April 2023. Last month Trend Micro described in detail the Linux version of Sphynx, which "focuses primarily on the encryption procedure".

The ALPHV/BlackCat group, also known as Noberus, developed the first ransomware family written in Rust. Active since November 2021, it has grown into a significant threat, with over 350 victims as of May 2023.

The group is also known for a double-extortion scheme: it deploys dedicated data-theft tools such as ExMatter to exfiltrate sensitive data before encryption, so victims are pressured both by locked files and by the threat of a leak.

ALPHV/BlackCat gains initial access to targeted networks mostly through third parties known as Initial Access Brokers (IABs), who use their own malware to steal legitimate credentials and then sell that access on.

The latest Sphynx build from ALPHV/BlackCat contains junk code and encrypted strings, and reworks the command-line arguments passed to the binary, all of it aimed at evading detection and breaking signatures written for earlier versions.

Sphynx also includes a separate loader that decrypts the ransomware payload; once running, the payload scans for further networks to compromise. Otherwise the malware follows the standard ransomware pattern: it deletes backup copies of data on the target devices, encrypts files, and leaves a ransom note.
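The backup-deletion step in that pattern is the one defenders can still catch regardless of how the binary is obfuscated, because the malware has to ask the operating system to do it. The following is an added example, not code from the article, IBM X-Force or Trend Micro: a small detector run over constructed Windows process-creation events. The article only says the malware "deletes backup copies"; the specific command patterns (vssadmin, wmic, wbadmin, bcdedit) are an assumption drawn from general Windows ransomware tradecraft, not something the article attributes to Sphynx, and the log format and host names are invented for the example.

```python
"""Flag backup-destruction commands in Windows process-creation events.

Added example, not from the article or the vendors it cites. The command
patterns below are common Windows ransomware behaviour in general
(assumption); the article does not say which commands Sphynx uses.
"""
import re
from typing import Dict, List

# Rules: (name, regex applied to the lower-cased command line).
# Assumed patterns, chosen to avoid matching read-only admin use
# such as "vssadmin list shadows".
RULES = [
    ("shadow_copy_delete_vssadmin",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b")),
    ("shadow_copy_delete_wmic",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("shadow_storage_shrink",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b")),
    ("backup_catalog_delete",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+(catalog|systemstatebackup)\b")),
    ("recovery_disabled",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|"
                r"bootstatuspolicy\s+ignoreallfailures)\b")),
]

# Constructed sample events (not real telemetry):
# "timestamp|host|user|parent process|command line".
SAMPLE_EVENTS = [
    r'2023-05-10T02:11:04Z|WS-0412|CORP\jdoe|explorer.exe|'
    r'"C:\Windows\System32\notepad.exe" C:\Users\jdoe\notes.txt',
    r"2023-05-10T02:14:19Z|FS-01|CORP\svc_backup|cmd.exe|"
    r"vssadmin.exe Delete Shadows /All /Quiet",
    r"2023-05-10T02:14:21Z|FS-01|CORP\svc_backup|cmd.exe|"
    r"wmic.exe shadowcopy delete",
    r"2023-05-10T02:14:22Z|FS-01|CORP\svc_backup|cmd.exe|"
    r"bcdedit.exe /set {default} recoveryenabled No",
    r"2023-05-10T02:14:23Z|FS-01|CORP\svc_backup|cmd.exe|"
    r"wbadmin.exe delete catalog -quiet",
    # Legitimate backup administration: should NOT be flagged.
    r"2023-05-10T03:00:00Z|BK-02|CORP\backupadm|mmc.exe|"
    r"vssadmin.exe list shadows",
]


def parse_event(line: str) -> Dict[str, str]:
    """Split one pipe-delimited event; the command line may itself contain '|'."""
    ts, host, user, parent, cmdline = line.split("|", 4)
    return {"ts": ts, "host": host, "user": user,
            "parent": parent, "cmdline": cmdline}


def match_rules(cmdline: str) -> List[str]:
    """Return the names of every rule the command line triggers."""
    lowered = cmdline.lower()
    return [name for name, pattern in RULES if pattern.search(lowered)]


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """One hit per (event, rule) pair; events with no match are dropped."""
    hits = []
    for line in lines:
        event = parse_event(line)
        for rule in match_rules(event["cmdline"]):
            hits.append({**event, "rule": rule})
    return hits


def hosts_with_backup_destruction(hits: List[Dict[str, str]],
                                  min_distinct_rules: int = 2) -> List[str]:
    """Hosts where several different destruction techniques fired.

    A single command can be an admin mistake; several distinct ones in the
    same log window are the pre-encryption stage the article describes.
    """
    rules_by_host: Dict[str, set] = {}
    for hit in hits:
        rules_by_host.setdefault(hit["host"], set()).add(hit["rule"])
    return sorted(host for host, rules in rules_by_host.items()
                  if len(rules) >= min_distinct_rules)


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for hit in found:
        print(f'{hit["ts"]} {hit["host"]} {hit["rule"]}: {hit["cmdline"]}')
    print("hosts with likely backup destruction:",
          hosts_with_backup_destruction(found))
```

On the constructed input the four destructive commands on FS-01 are flagged and the host is escalated, while the read-only `vssadmin list shadows` on the backup server is ignored. In production the same logic would sit on Sysmon event ID 1 or Windows Security event 4688 with command-line auditing enabled; without command-line logging none of these patterns are visible.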

Despite law enforcement campaigns aimed directly at ALPHV/BlackCat, the constant shift in tactics shows that the group remains an active threat to organizations and has no intention of winding down its operations.

Just today we wrote about recent research by WithSecure, which found a kind of division of labor between criminal groups that allows far more destructive attacks to be carried out much faster and more efficiently than if one group handled the entire attack chain.

As you can see, even such a large and well-known extortion group does not hesitate to share profits with other attackers, constantly resorting to the services of initial access brokers.

Source: www.securitylab.ru
