By Ragavan

Sep 2022

8 Min Read

BlackCat Breaches Over 60 Organizations Worldwide

The U.S. Federal Bureau of Investigation (FBI) has issued an alert on BlackCat ransomware-as-a-service (RaaS), which had targeted at least 60 organizations worldwide as of March 2022, since its emergence last November.

What is BlackCat Ransomware?

BlackCat (also known as ALPHV) is a professional cybercrime group that writes its ransomware in the Rust programming language and operates under the ransomware-as-a-service (RaaS) model. The group recruits affiliates from other ransomware groups and targets organizations worldwide.

What is Rust?

Rust is a programming language designed for performance and safety, especially safe concurrency. BlackCat is the first malware ever written in Rust. Rust is a cross-platform language, allowing developers to target several operating systems with the same code. Because Rust is not yet widely used for malware, the attackers also benefit from a lower detection ratio from static analysis tools.

What makes BlackCat different from other RaaS groups?

Other ransomware groups extort money from targeted organizations or individuals by encrypting systems, stealing sensitive data, and threatening to release it publicly. BlackCat adds a third lever: when victims refuse to meet the ransom demands, it threatens to publish the sensitive data stolen from the compromised networks and/or to launch Distributed Denial-of-Service (DDoS) attacks against them.

This technique is known as “Triple Extortion.”

BlackCat offers its affiliates payouts of up to 80 to 90% of the ransom payment; once approved, affiliates are given access to a control panel that manages their access.

How does it work?

BlackCat ransomware leverages previously compromised user credentials to gain access to the victim system. Once deployed, the malware runs PowerShell scripts, together with Cobalt Strike, and disables security features within the victim's network. Having established access, it compromises Active Directory (AD) user and admin accounts. The malware then uses the Windows Task Scheduler to configure Group Policy Objects (GPOs) that execute the ransomware.

Before executing the ransomware, BlackCat steals the victim's data, including data held with cloud providers, and leverages Windows scripting to deploy the ransomware and to compromise additional hosts.

BlackCat encrypts files and renames the encrypted files by appending a specific extension (for example, “GET IT BACK-[extension]-FILES.txt” becomes “GET IT BACK-bzeakde-FILES.txt”).

The following batch and PowerShell scripts have been observed:

  • start.bat - Launches the code to execute the arguments.
  • est.bat - Copies the ransomware from one location to many.
  • drag-and-drop-target.bat - Launches the ransomware executable for the MySQL Server.
  • run.bat - Executes a callout command to an external server using SSH; file names may change depending on the company and systems affected.
  • Runs1.ps1 – PowerShell script to disable antivirus.
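The staged behaviour described above (a scheduled task launching one of the listed scripts, antivirus disabled, many files renamed to one new extension, a “GET IT BACK-…-FILES.txt” file dropped) can be turned into a simple per-host correlation for triage. The following Python is an added example, not code from the post or from any vendor; the JSON-lines event format and the sample events are constructed for illustration.

```python
import json
import re
from collections import Counter, defaultdict

# Script names the post lists from BlackCat intrusions (matched on lowercased basename).
KNOWN_SCRIPTS = {"start.bat", "est.bat", "drag-and-drop-target.bat", "run.bat", "runs1.ps1"}
# File name pattern the post quotes, "GET IT BACK-<extension>-FILES.txt" (the ransom note).
NOTE_RE = re.compile(r"^get it back-([a-z0-9]+)-files\.txt$")

def basename(path):
    # Lowercased final path component, accepting either separator.
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_hosts(log_lines, rename_threshold=3):
    """Group JSON-lines events by host and collect the indicators each host shows."""
    hits = defaultdict(set)
    renames = defaultdict(Counter)  # host -> Counter of new file extensions
    for line in log_lines:
        ev = json.loads(line)
        host, kind = ev["host"], ev["kind"]
        if kind == "task_created" and basename(ev.get("command", "")) in KNOWN_SCRIPTS:
            hits[host].add("scheduled_task_runs_known_script")
        elif kind == "av_state" and ev.get("realtime") == "disabled":
            hits[host].add("realtime_protection_disabled")
        elif kind == "file_created" and NOTE_RE.match(basename(ev.get("path", ""))):
            hits[host].add("ransom_note_dropped")
        elif kind == "file_renamed":
            renames[host][basename(ev.get("new", "")).rsplit(".", 1)[-1]] += 1
    # Many files renamed to one new extension is the encryption phase the post describes.
    for host, counter in renames.items():
        for ext, n in counter.items():
            if n >= rename_threshold:
                hits[host].add(f"mass_rename_to_.{ext}")
    return {h: sorted(s) for h, s in hits.items()}

def flagged_hosts(scores, min_indicators=2):
    """Hosts with at least min_indicators distinct indicators deserve immediate triage."""
    return sorted(h for h, s in scores.items() if len(s) >= min_indicators)

# Constructed sample events (not real telemetry): WS01 staged intrusion, FS01 encryption, WS02 benign task.
SAMPLE_LOG = r"""
{"host": "WS01", "kind": "task_created", "task": "\\Updater", "command": "C:\\Temp\\start.bat"}
{"host": "WS01", "kind": "av_state", "realtime": "disabled", "by": "Runs1.ps1"}
{"host": "WS01", "kind": "file_created", "path": "C:\\Users\\a\\Desktop\\GET IT BACK-bzeakde-FILES.txt"}
{"host": "WS02", "kind": "task_created", "task": "\\Backup", "command": "C:\\Windows\\System32\\backup.exe"}
{"host": "FS01", "kind": "file_renamed", "old": "D:\\share\\q1.xlsx", "new": "D:\\share\\q1.xlsx.bzeakde"}
{"host": "FS01", "kind": "file_renamed", "old": "D:\\share\\q2.xlsx", "new": "D:\\share\\q2.xlsx.bzeakde"}
{"host": "FS01", "kind": "file_renamed", "old": "D:\\share\\plan.docx", "new": "D:\\share\\plan.docx.bzeakde"}
{"host": "FS01", "kind": "file_created", "path": "D:\\share\\GET IT BACK-bzeakde-FILES.txt"}
""".strip().splitlines()
```

Running `flagged_hosts(score_hosts(SAMPLE_LOG))` returns WS01 and FS01 while the benign task on WS02 produces no indicator; raise `rename_threshold` or `min_indicators` to tune noise for your environment.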

Get the Basics Right:

  • Review domains, servers and workstations for new or unauthorized user accounts.
  • Regularly back up data, and protect backup copies offline and with a password. Ensure that copies of critical files cannot be modified or deleted from the system.
  • Install updates and patch OS, software, and firmware as soon as updates/patches are released.
  • Use Multi-Factor Authentication (MFA).

CD Bytes!

One of the biggest challenges in cybersecurity today is to quickly detect threats in the network and contain the damage. Cloud Destinations enables you with next-gen vulnerability management that quickly detects threats and manages your security controls effectively. Please reach out to info@clouddestinations.com for any business-related queries.
