BlackCat's 'Closer' Pleads Guilty: The Economics of Ransomware Negotiation

IAM_Specialist_Yuki 4/21/2026

Just saw the update about Angelo Martino pleading guilty. It’s a stark reminder that the e-crime economy is maturing. Martino wasn't writing the Rust-based encryptor; he was the "sales" guy, specifically hired to squeeze victims for higher payouts.

While we focus on blocking the initial access—phishing or exploit kits—the negotiation phase is where the financial damage is controlled (or exacerbated). The fact that BlackCat (ALPHV) outsourced this to a specialist in Florida shows how segmented these operations are becoming. They treat it like a legitimate business, with roles compartmentalized to protect the core developers.

From a detection standpoint, the negotiation phase usually starts after the ransom note is dropped. We often see specific artifacts associated with BlackCat's extortion attempts. Here is a KQL query I use to hunt for the specific ransom note naming conventions often used by these affiliates:

DeviceFileEvents
| where Timestamp > ago(7d)
// case-insensitive match on the note filenames seen from these affiliates
| where FileName in~ ("RECOVER-FILES.txt", "recent_files.txt", "readme.txt")
// notes are dropped into user-facing folders, which also cuts down on noise
| where FolderPath contains "Desktop" or FolderPath contains "Documents"
| extend FileHash = SHA256
| project DeviceName, FolderPath, FileHash, InitiatingProcessAccountName

If you catch the note drop, you're already in the incident response phase, but identifying the specific variant (like the 2023 BlackCat builds) helps determine if they're likely to exfil data or just encrypt. Are you guys seeing an increase in "professional" negotiation tactics in your IR engagements, or is it still the usual broken English and extortion threats?
Crypto_Miner_Watch_Pat 4/21/2026

We noticed a shift late last year. The negotiators aren't just threatening encryption anymore; they come armed with proofs of exfiltration—specific file paths and sample data—before you even respond to the initial email. It changes the calculus for the victim when they know the data is actually in the attacker's hands. It makes the 'sales job' significantly harder for us to counter.

EmailSec_Brian 4/21/2026

Great snippet on the file detection. I'd add checking for unusual processes spawning cmd.exe or powershell.exe right after those text files are created. In one case we investigated, the BlackCat affiliate ran a discovery script immediately after dropping the note to map out the backup servers before the negotiator even made contact. You can catch that with:

# 4688 = process creation. The 'Process Command Line' field is only populated when
# command-line auditing is enabled (Audit Process Creation + "Include command line").
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688} |
    Where-Object { $_.Message -match 'recovery\.txt' -and $_.Message -match 'Process Command Line:.*whoami' }
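The note-drop-then-discovery sequence Brian describes, as an added correlation example (my own code, not any poster's query): it pairs ransom-note file creations with discovery commands on the same host inside a short window. The event records and the "net view" token are constructed assumptions; "whoami" and the note names come from the queries above.

```python
# Added example: correlate ransom-note creation with a follow-up discovery process.
# The SAMPLE_EVENTS below are constructed sample telemetry, not real data.
from datetime import datetime, timedelta

# note names taken from the KQL hunt earlier in the thread
NOTE_NAMES = {"recover-files.txt", "recent_files.txt", "readme.txt"}
# "whoami" is from Brian's query; "net view" is an assumed extra discovery token
DISCOVERY_TOKENS = ("whoami", "net view")

# constructed events: (timestamp, host, kind, detail) where kind is "file" or "process"
SAMPLE_EVENTS = [
    ("2026-04-20T02:14:05", "FS01", "file", r"C:\Users\jdoe\Desktop\RECOVER-FILES.txt"),
    ("2026-04-20T02:14:31", "FS01", "process", "cmd.exe /c whoami /all"),
    ("2026-04-20T02:15:02", "FS01", "process", "net view /domain"),
    ("2026-04-20T09:00:00", "WS07", "file", r"C:\Users\amy\Documents\readme.txt"),
    ("2026-04-20T11:30:00", "WS07", "process", "whoami"),  # 2.5 h later: outside window
    ("2026-04-20T12:00:00", "WS09", "process", "whoami"),  # no note on this host: benign
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def find_note_then_discovery(events, window_minutes=10):
    """Return (host, note_path, command) for each discovery command that ran
    within window_minutes after a ransom-note file was created on the same host."""
    window = timedelta(minutes=window_minutes)
    notes = [(_parse(t), h, d) for t, h, k, d in events
             if k == "file" and d.rsplit("\\", 1)[-1].lower() in NOTE_NAMES]
    hits = []
    for t, h, k, cmd in events:
        if k != "process" or not any(tok in cmd.lower() for tok in DISCOVERY_TOKENS):
            continue
        pt = _parse(t)
        for nt, nh, npath in notes:
            if nh == h and nt <= pt <= nt + window:
                hits.append((h, npath, cmd))
    return hits


if __name__ == "__main__":
    for hit in find_note_then_discovery(SAMPLE_EVENTS):
        print("ALERT note-then-discovery:", hit)
```

Tune the window to your environment; a larger one catches slower hands-on-keyboard activity at the cost of more false pairings on hosts where a stray readme.txt is legitimately created.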
Proxy_Admin_Nate 4/22/2026

That outsourcing trend makes attribution harder but behavior more predictable. To stay ahead of the "sales" team, automate the hunting for their calling cards. We run a scheduled query to detect the creation of their specific ransom note extensions immediately to cut off their leverage.

DeviceFileEvents
| where FileName endswith ".locked"
| where InitiatingProcessFolderPath contains @"Windows\Temp"
| project Timestamp, DeviceName, FileName, InitiatingProcessAccountName
