Detecting BlackCat ransomware with Wazuh

Wazuh 4.3

BlackCat, also known as ALPHV ransomware, is a sophisticated ransomware that analysts first observed in November 2021. It operates as a Ransomware-as-a-Service (RaaS), where affiliates pay for software that enables them to launch ransomware attacks.

The ransomware operators allow affiliates to customize payloads, which makes it possible for them to target different corporate environments and operating systems (Windows and Linux variants). BlackCat is written in the Rust programming language, which makes it harder for traditional security solutions to analyze and parse the binaries it generates.

This blog shows how to detect and respond to BlackCat ransomware on Windows endpoints using Wazuh.

BlackCat ransomware behavior

BlackCat is a command-line driven, human-operated, flexible malware and has the ability to employ a range of encryption techniques. Below are some of the notable behaviors of the ransomware:

  • BlackCat ransomware requires an access token to execute. The access token is a randomly chosen 32-byte value. Below is an example of a command that executes BlackCat:
BlackCat.exe --access-token 12345
  • BlackCat bypasses User Account Control (UAC) when a user account without administrative privileges executes it. It runs a secondary process under dllhost.exe with the permissions needed to encrypt a large number of files on the compromised endpoint.
  • BlackCat discovers other endpoints on the same network as the victim host by sending a NetBIOS Name Service (NBNS) broadcast message. The malware then uses PsExec to try to infect the servers that respond.
  • BlackCat increases the number of outstanding SMB client requests allowed. It sets the maximum client connection limit to 65535 by modifying the MaxMpxCt registry setting. It uses the command below to set MaxMpxCt to 65535:
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f
  • BlackCat terminates processes and stops services that are specified in its embedded configuration. It also enumerates and terminates any dependent services of the target service. For example, it uses the command cmd.exe /c "iisreset.exe /stop" to stop Internet Information Services (IIS) on the server.
  • BlackCat modifies the boot loader to prevent recovery and automatic repair on the Windows endpoint. It disables the boot recovery mode using the following command:
"C:\Windows\system32\cmd.exe" /c "bcdedit /set {default} recoveryenabled No"
  • BlackCat uses wevtutil.exe to clear Windows event logs to hinder analysis. It executes the following command to clear the event logs:
"C:\Windows\system32\cmd.exe" /c "cmd.exe /c  for /F \"tokens=*\" %1 in (' wevtutil.exe el ') DO wevtutil.exe cl \"%1\""
  • It disables and deletes the Volume Shadow Copy Service and the Hyper-V Volume Shadow Copy Requestor Service. BlackCat uses the wmic.exe command to delete the shadow copies on all volumes. It uses the following command:
"C:\Windows\system32\cmd.exe" /c "wmic.exe Shadowcopy Delete"


To demonstrate the detection of BlackCat ransomware with Wazuh, we use the following infrastructure:

  • A pre-built, ready-to-use Wazuh OVA 4.3.10. Follow this guide to download the virtual machine.
  • A Windows 10 endpoint with the Wazuh agent installed. This Wazuh guide is used to install the Wazuh agent.

Detection techniques

In this blog post, we use the following techniques to detect the presence of BlackCat ransomware:

  • Using custom detection rules: This technique alerts about malicious activities in an infected endpoint.
  • Using constant database (CDB) list and active response: This technique alerts about and removes malicious files in an endpoint.

Using custom detection rules

We show how you can use Sysmon and custom detection rules to detect the malicious activities of BlackCat ransomware on an infected Windows endpoint. 

Install Sysmon on the monitored endpoint

1. Download Sysmon from the Microsoft Sysinternals page.

2. Download the configuration file sysmonconfig.xml.

3. Run the following command with administrative privilege to install Sysmon with the downloaded configuration file via command prompt:

.\Sysmon64.exe -accepteula -i sysmonconfig.xml

Configure the Wazuh agent to collect Sysmon events

1. Configure the agent to collect Sysmon events by adding the following settings to the Wazuh agent configuration file C:\Program Files (x86)\ossec-agent\ossec.conf:

<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>

2. Run the following commands with administrative privilege to restart the Wazuh agent via command prompt:

NET STOP WazuhSvc
NET START WazuhSvc

Configure detection rules on Wazuh server

1. Add the following rules to the /var/ossec/etc/rules/local_rules.xml file on the Wazuh server:

<group name="blackcat,">
  <!-- Detects when BlackCat deletes shadow copies (\s+ tolerates the single- or double-spaced command line) -->
  <rule id="100104" level="12">
    <field name="win.eventdata.CommandLine" type="pcre2">(?i)wmic\.exe\s+Shadowcopy\s+Delete</field>
    <description>Shadow copies have been deleted. Possible ransomware detected.</description>
  </rule>

  <!-- Detects when BlackCat prevents auto-recovery -->
  <rule id="100105" level="12">
    <field name="win.eventdata.CommandLine" type="pcre2">(?i)bcdedit\s+\/set {default} recoveryenabled No</field>
    <description>System recovery disabled. Possible ransomware detected.</description>
  </rule>

  <!-- Detects when BlackCat clears event logs -->
  <rule id="100106" level="12">
    <field name="win.eventdata.CommandLine" type="pcre2">(?i)C:.*\(\s*'\s*wevtutil\.exe el\s*'\s*\) DO wevtutil\.exe cl.*</field>
    <description>Event logs cleared. BlackCat ransomware detected.</description>
  </rule>

  <!-- Detects when BlackCat creates ransom notes -->
  <rule id="100107" level="12" timeframe="100" frequency="2">
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)C:.*RECOVER-.*-FILES\.txt</field>
    <description>The file $(win.eventdata.targetFilename) has been created in multiple directories. Possible BlackCat ransomware detected.</description>
  </rule>

  <!-- Detects when BlackCat modifies the registry to change MaxMpxCt settings -->
  <rule id="100108" level="12">
    <field name="win.eventdata.eventType" type="pcre2">^SetValue$</field>
    <field name="win.eventdata.targetObject" type="pcre2">HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\LanmanServer\\\\Parameters\\\\MaxMpxCt</field>
    <description>Changes were made to MaxMpxCt settings. BlackCat ransomware detected.</description>
  </rule>
</group>

2. Restart the Wazuh manager to apply changes.

# systemctl restart wazuh-manager

After running the ransomware sample on the Windows endpoint, the alerts are generated on the Wazuh dashboard.
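Before deploying rules like these, it is worth checking offline that the command lines listed in the behavior section actually trigger them. The following Python example is added here and is not part of the original post or of Wazuh's code: it applies regular expressions equivalent to rules 100104 to 100107 to constructed Sysmon events and models the frequency/timeframe logic of rule 100107 as "fire once two ransom-note creations fall within 100 seconds", a simplification of Wazuh's frequency counter.

```python
import re
from collections import deque

# Regular expressions equivalent to the custom Sysmon rules above (PCRE2 syntax that Python's
# re module also accepts). Whitespace is matched with \s+ so single- and double-spaced command
# lines both match. Rule 100108 (registry) is omitted because it matches a different event type.
RULES = {
    100104: ("CommandLine", re.compile(r"(?i)wmic\.exe\s+Shadowcopy\s+Delete")),
    100105: ("CommandLine", re.compile(r"(?i)bcdedit\s+/set \{default\} recoveryenabled No")),
    100106: ("CommandLine", re.compile(r"(?i)C:.*\(\s*'\s*wevtutil\.exe el\s*'\s*\) DO wevtutil\.exe cl")),
    100107: ("TargetFilename", re.compile(r"(?i)C:.*RECOVER-.*-FILES\.txt")),
}
RANSOM_NOTE_RULE, FREQUENCY, TIMEFRAME = 100107, 2, 100  # frequency="2" timeframe="100"


def evaluate(events):
    """Apply the rules to (timestamp, field, value) Sysmon events; return [(rule_id, timestamp)].

    Rule 100107 fires once FREQUENCY ransom-note creations fall within TIMEFRAME seconds
    (a simplification of Wazuh's frequency counter); the other rules fire on every match.
    """
    alerts = []
    note_times = deque()
    for ts, field, value in events:
        for rule_id, (rule_field, pattern) in RULES.items():
            if field != rule_field or not pattern.search(value):
                continue
            if rule_id != RANSOM_NOTE_RULE:
                alerts.append((rule_id, ts))
                continue
            note_times.append(ts)
            while ts - note_times[0] > TIMEFRAME:  # drop ransom notes outside the window
                note_times.popleft()
            if len(note_times) >= FREQUENCY:
                alerts.append((rule_id, ts))
                note_times.clear()
    return alerts


# Constructed events in the order Sysmon would report them (sample data, not real telemetry).
SAMPLE_EVENTS = [
    (0, "CommandLine", r'"C:\Windows\system32\cmd.exe" /c "wmic.exe  Shadowcopy Delete"'),
    (5, "CommandLine", r'"C:\Windows\system32\cmd.exe" /c "bcdedit /set {default} recoveryenabled No"'),
    (10, "CommandLine", r'''"C:\Windows\system32\cmd.exe" /c "cmd.exe /c  for /F \"tokens=*\" %1 in (' wevtutil.exe el ') DO wevtutil.exe cl \"%1\""'''),
    (20, "TargetFilename", r"C:\Users\alice\Documents\RECOVER-a1b2c3-FILES.txt"),
    (40, "TargetFilename", r"C:\Users\alice\Pictures\RECOVER-a1b2c3-FILES.txt"),
    (50, "CommandLine", r'"C:\Windows\system32\cmd.exe" /c dir'),  # benign, must not alert
    (500, "TargetFilename", r"C:\Users\bob\Desktop\RECOVER-a1b2c3-FILES.txt"),  # single note, no alert
]

if __name__ == "__main__":
    for rule_id, ts in evaluate(SAMPLE_EVENTS):
        print(f"t={ts:>3}s  rule {rule_id}")
```

The second ransom note at t=40 is the one that fires rule 100107; the lone note at t=500 does not, which is the behavior the frequency/timeframe pair is meant to give.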


Using CDB list and active response to detect and remove BlackCat ransomware

You can configure Wazuh to detect malicious files by checking the presence of their signatures in a CDB list of known malware signatures. The CDB list is a text file that you can use to save a list of users, file hashes, IP addresses, or domain names. You add entries to a CDB list in key:value pairs. Learn more about CDB lists in our documentation.

Detecting malware using file hashes in a CDB list

Using the known file hashes for BlackCat ransomware, you can detect the ransomware by adding the file hashes to a CDB list. Wazuh has a file integrity monitoring (FIM) module that detects and alerts when files are created, modified, or deleted in a monitored directory. The alerts generated by the FIM module contain the MD5, SHA1, and SHA256 checksums of the file in their metadata. To detect the malware using the CDB list, the SHA256 checksums generated by the FIM module are cross-checked against the hash entries in the CDB list.

Follow the steps below to create a CDB list and configure a malware detection rule that uses it.

Wazuh server

1. Create a CDB list malware-hashes that will contain known BlackCat ransomware hashes and save it to the /var/ossec/etc/lists directory on the Wazuh server:

# touch /var/ossec/etc/lists/malware-hashes

2. Add the known BlackCat ransomware hashes to the malware-hashes file as key:value pairs:


The keys are the SHA256 hashes of the ransomware.

3. Edit the Wazuh server /var/ossec/etc/ossec.conf configuration file and add the etc/lists/malware-hashes list to the <ruleset> section as shown below:

<ruleset>
  <list>etc/lists/malware-hashes</list>
</ruleset>

4. Create a custom rule in the /var/ossec/etc/rules/local_rules.xml file on the Wazuh server. The rule generates an alert on the Wazuh dashboard when a file whose SHA256 hash is in the CDB list is detected:

<group name="blackcat,">
  <rule id="110002" level="13">
    <if_sid>554, 550</if_sid>
    <list field="sha256" lookup="match_key">etc/lists/malware-hashes</list>
    <description>File with known BlackCat malware hash detected: $(file)</description>
  </rule>
</group>


Wazuh triggers rule 554 when a user or process adds a new file to a monitored directory and rule 550 when a user or process modifies a file.

5. Restart the Wazuh manager to apply changes.

# systemctl restart wazuh-manager

Windows endpoint

1. Add the following setting within the <syscheck> block of the Wazuh agent configuration file C:\Program Files (x86)\ossec-agent\ossec.conf. This configures the Wazuh FIM module to monitor the Downloads directory of all users in real time.

<directories check_all="yes" realtime="yes">C:\Users\*\Downloads</directories>


The check_all option ensures Wazuh checks all file attributes including the file size, permissions, owner, last modification date, inode, and hash.

2. Restart the Wazuh agent to apply the changes, running the following commands with administrative privilege via command prompt:

NET STOP WazuhSvc
NET START WazuhSvc

To test the detection rule, download a sample of the BlackCat ransomware to the monitored directory. The alert below shows that the downloaded file hash is in the CDB list.


We have shown how to detect BlackCat ransomware by matching the SHA256 checksums of files against a CDB list of known malicious hashes. You can take this further by configuring the active response module to delete any file whose hash is in the CDB list.

Configuring active response to remove BlackCat ransomware files

The Wazuh active response module performs various countermeasures to address detected threats. Active responses execute a script on an endpoint in response to certain triggers. For example, if a specific rule is triggered and it generates an alert, an active response script runs on the endpoint that generated that alert. In this case, we show how you can configure a Python script on the Windows endpoint to remove the BlackCat ransomware files as soon as Wazuh detects them. To achieve this, Python and PyInstaller are required on the Windows endpoint to convert the Python script to an executable file.

Follow the steps below to configure the active response script to remove all BlackCat ransomware files immediately after Wazuh detects them on a monitored endpoint.

Windows endpoint

1. Download Python.

2. Run the Python installer and select the following checkboxes during installation:

  • Use admin privileges when installing py.exe
  • Add Python.exe to PATH.

3. Run the following command with administrative privilege to install PyInstaller via command prompt:

pip install -U pyinstaller

4. Create a script with the contents below:

# Copyright (C) 2015-2022, Wazuh Inc.
# All rights reserved.
import os
import sys
import json
import datetime

# Return codes and command identifiers used by the Wazuh active response protocol
OS_SUCCESS = 0
OS_INVALID = -1
ADD_COMMAND = 0
DELETE_COMMAND = 1
CONTINUE_COMMAND = 2
ABORT_COMMAND = 3

# The agent records every active response action in active-responses.log
if os.name == 'nt':
    LOG_FILE = "C:\\Program Files (x86)\\ossec-agent\\active-response\\active-responses.log"
else:
    LOG_FILE = "/var/ossec/logs/active-responses.log"


class message:
    def __init__(self):
        self.alert = ""
        self.command = 0


def write_debug_file(ar_name, msg):
    with open(LOG_FILE, mode="a") as log_file:
        log_file.write(str(datetime.datetime.now().strftime('%Y/%m/%d %H:%M:%S')) + " " + ar_name + ": " + msg + "\n")


def setup_and_check_message(argv):
    # get alert from stdin (the manager sends it as a single JSON line)
    input_str = ""
    for line in sys.stdin:
        input_str = line
        break
    try:
        data = json.loads(input_str)
    except ValueError:
        write_debug_file(argv[0], 'Decoding JSON has failed, invalid input format')
        message.command = OS_INVALID
        return message
    message.alert = data

    command = data.get("command")
    if command == "add":
        message.command = ADD_COMMAND
    elif command == "delete":
        message.command = DELETE_COMMAND
    else:
        message.command = OS_INVALID
        write_debug_file(argv[0], 'Not valid command: ' + str(command))
    return message


def send_keys_and_check_message(argv, keys):
    # build and send message with keys
    keys_msg = json.dumps({"version": 1, "origin": {"name": argv[0], "module": "active-response"}, "command": "check_keys", "parameters": {"keys": keys}})
    write_debug_file(argv[0], keys_msg)
    # the check_keys message is returned to the manager through stdout
    print(keys_msg)
    sys.stdout.flush()
    # read the response of previous message
    input_str = ""
    while True:
        line = sys.stdin.readline()
        if line:
            input_str = line
            break
    # write_debug_file(argv[0], input_str)
    try:
        data = json.loads(input_str)
    except ValueError:
        write_debug_file(argv[0], 'Decoding JSON has failed, invalid input format')
        return OS_INVALID
    action = data.get("command")
    if "continue" == action:
        ret = CONTINUE_COMMAND
    elif "abort" == action:
        ret = ABORT_COMMAND
    else:
        ret = OS_INVALID
        write_debug_file(argv[0], "Invalid value of 'command'")
    return ret


def main(argv):
    write_debug_file(argv[0], "Started")
    # validate json and get command
    msg = setup_and_check_message(argv)
    if msg.command < 0:
        sys.exit(OS_INVALID)
    if msg.command == ADD_COMMAND:
        alert = msg.alert["parameters"]["alert"]
        keys = [alert["rule"]["id"]]
        action = send_keys_and_check_message(argv, keys)
        # if necessary, abort execution
        if action != CONTINUE_COMMAND:
            if action == ABORT_COMMAND:
                write_debug_file(argv[0], "Aborted")
            else:
                write_debug_file(argv[0], "Invalid command")
            sys.exit(OS_INVALID)
        try:
            # the FIM alert carries the path of the file whose SHA256 hash matched the CDB list
            file_path = alert["syscheck"]["path"]
            if os.path.exists(file_path):
                os.remove(file_path)
            write_debug_file(argv[0], json.dumps(msg.alert) + " Successfully removed threat")
        except OSError as error:
            write_debug_file(argv[0], json.dumps(msg.alert) + " Error removing threat")
    else:
        write_debug_file(argv[0], "Invalid command")
    write_debug_file(argv[0], "Ended")
    sys.exit(OS_SUCCESS)


if __name__ == "__main__":
    main(sys.argv)


The os.remove() function handles the removal of the malicious file. The script logs the outcome of the file removal action to C:\Program Files (x86)\ossec-agent\active-response\active-responses.log.

5. Convert the Python script to an executable file:

pyinstaller -F

6. Copy the built executable from the \dist folder under your current working directory to C:\Program Files (x86)\ossec-agent\active-response\bin.

Wazuh server

1. Add the following block to /var/ossec/etc/ossec.conf so that the Wazuh server initiates an active response once an event triggers rule 110002:

<ossec_config>
  <command>
    <!-- The command name is not given in the original post; it is assumed here to match the executable -->
    <name>remove-threat</name>
    <executable>remove-threat.exe</executable>
    <timeout_allowed>no</timeout_allowed>
  </command>

  <active-response>
    <disabled>no</disabled>
    <command>remove-threat</command>
    <location>local</location>
    <rules_id>110002</rules_id>
  </active-response>
</ossec_config>

  • The <name> tag specifies the name of the command in the active response section.
  • The <executable> tag specifies the executable file to run. In this case, remove-threat.exe executable you built earlier.
  • The <active-response> block calls the command block when the specified rule ID triggers an alert. In this case, specify rule ID 110002, which is the rule that detects files with the malicious hashes we added to the CDB list.

2. Create rules to alert when the active response file removal succeeds or fails by adding the following rules to the /var/ossec/etc/rules/local_rules.xml:

<group name="blackcat,">
  <rule id="100109" level="7">
    <match>Successfully removed threat</match>
    <description>$(parameters.program): Successfully removed threat $(parameters.alert.syscheck.path) whose SHA256 hash appears in a malware blacklist.</description>
  </rule>

  <rule id="100110" level="7">
    <match>Error removing threat</match>
    <description>$(parameters.program): Error removing threat $(parameters.alert.syscheck.path) whose SHA256 hash appears in a malware blacklist.</description>
  </rule>
</group>


  • Rule ID 100109 generates an alert when the active response action successfully removes the threat.
  • Rule ID 100110 generates an alert when the active response action fails to remove the threat.

3. Restart the Wazuh manager to apply changes.

# systemctl restart wazuh-manager

To test the configuration, we download a BlackCat ransomware sample on the Windows endpoint. You can see in the screenshot below that the active response module deletes the file and generates an alert of this event.



In this blog post, we successfully demonstrated the capability of Wazuh to detect and remove BlackCat ransomware on a Windows endpoint. We leveraged the Wazuh constant database (CDB) list and ruleset to detect the BlackCat ransomware based on its signature and behavior. We also showed how to use CDB lists with the active response module to detect and remove the BlackCat ransomware files on the endpoint.

