Skip to main content
Published Jan 10, 2022 | Updated Jul 28, 2023

Ransom:Win32/BlackCat.MK!MTB

Detected by Microsoft Defender Antivirus

Aliases: No associated aliases

Summary

Microsoft Defender Antivirus detects and removes this threat.

This ransomware encrypts the data on your disk and can stop you from using your device or accessing your data. It encrypts files, renders them inaccessible, and demands payment for the decryption key.

BlackCat is a family of ransomware written in the Rust programming language which targets Windows and Linux platforms. Attackers gain access to compromised accounts and deploy the ransomware payload. BlackCat, like many other RaaS groups, encrypts files, exfiltrates data, and threatens to release it if the ransom demand is not met.

For more information about ransomware, read this article:

There is no one-size-fits-all response if you have been targeted by ransomware. To recover files, you can restore backups. There is no guarantee that paying the ransom will give you access to your files.

Microsoft Defender Antivirus automatically removes threats as they are detected. If you have cloud-delivered protection, your device gets the latest defenses against new and unknown threats. If you don't have this feature enabled, update your antimalware definitions and run a full scan to remove this threat.

  • Immediately isolate the affected device, and any additional device with BlackCat ransomware-related alerts. If BlackCat ransomware has been launched, it is likely that the device is under complete attacker control
  • Identify the accounts that have been used on the affected device and consider these accounts compromised. Reset passwords or decommission the accounts
  • Investigate how the affected endpoint might have been compromised. Check for the presence of other malware
  • Investigate the device timeline for indications of lateral movement activities using one of the compromised accounts
  • Initiate an incident response process, focusing on responding to possible data exfiltration and ransomware deployment, both of which attackers might have already performed. Contact your incident response team. If you don't have one, contact Microsoft support for investigation and remediation services

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

Follow us