Cybersecurity Snapshots #41 - BlackCat Ransomware Group


The BlackCat ransomware group, also known as ALPHV and Noberus, has been active since at least November 2021. In April 2022, the FBI stated that BlackCat had infected more than 60 victims since it began operating in 2021; as of April 2023, its leak website lists more than 300 victims. The group has been known to target industrial companies. According to Group-IB, which focuses on cybercrime, BlackCat targets mostly organizations in the United States, which make up 47.3% of all organizations it has breached. One of the most recent companies to fall victim to BlackCat ransomware is the payments giant NCR.

In a FLASH alert, the FBI described the BlackCat ransomware group in detail, stating that the threat actors usually gain initial access to a targeted system by using compromised user credentials. They then leverage that access to compromise user and admin accounts in Active Directory. This enables the threat actors to configure malicious Group Policy Objects (GPOs) through the Windows Task Scheduler for the purpose of deploying the ransomware payload. The FBI noted that upon initial deployment, BlackCat disables security features within the victim's network so that it can exfiltrate information prior to execution. It then uses several batch and PowerShell scripts to proceed with its infection. These include "est.bat," which copies the ransomware to other locations, and "drag-and-drop-target.bat," which launches the ransomware executable for the MySQL Server. The FBI stated that BlackCat stands out among other ransomware operations for the following reasons: it is a possible rebranding of DarkSide, it is written in Rust, and it pays affiliates a comparatively larger share than similar schemes.
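The chain above (scripted execution of the named batch files, scheduled tasks pushed to hosts, and security tooling being disabled) gives a defender a few concrete signals to hunt for. The following is an added detection example, not code from the FBI alert or any vendor; the script names come from the alert as quoted above, while the key=value event layout, the use of Windows Security event IDs 4688 (process creation) and 4698 (scheduled task created), and the Defender-tampering pattern standing in for "disables security features" are assumptions made for this illustration.

```python
import re

# Constructed sample of Windows Security events flattened to key=value lines.
# Hosts, users and paths are made up for this example, not real telemetry.
SAMPLE_EVENTS = [
    'EventID=4688 Host=WS01 User=CORP\\jdoe CommandLine="cmd.exe /c C:\\temp\\est.bat"',
    'EventID=4688 Host=WS01 User=CORP\\jdoe CommandLine="notepad.exe report.txt"',
    'EventID=4698 Host=SQL01 User=CORP\\svc_backup TaskName=\\Deploy Command="C:\\temp\\drag-and-drop-target.bat"',
    'EventID=4688 Host=SQL01 User=CORP\\svc_backup CommandLine="powershell.exe Set-MpPreference -DisableRealtimeMonitoring 1"',
    'EventID=4698 Host=DC01 User=CORP\\admin TaskName=\\Microsoft\\Windows\\Defrag\\ScheduledDefrag Command="defrag.exe"',
]

# Each rule: name, event IDs it applies to, case-insensitive regex over the raw line.
RULES = [
    ("blackcat_batch_script", {"4688", "4698"}, re.compile(r"\b(est|drag-and-drop-target)\.bat\b", re.I)),
    ("scheduled_task_runs_batch", {"4698"}, re.compile(r'Command="[^"]*\.bat"', re.I)),
    ("defender_tampering", {"4688"}, re.compile(r"Set-MpPreference\s+-Disable", re.I)),
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Turn one key=value line into a dict, stripping quotes from quoted values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def detect(lines):
    """Return (rule, host, user) hits; one line may trigger several rules."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        for name, ids, pattern in RULES:
            if ev.get("EventID") in ids and pattern.search(line):
                hits.append((name, ev.get("Host"), ev.get("User")))
    return hits

def hosts_with_chain(hits):
    """Hosts where a named BlackCat script ran AND security tooling was tampered with."""
    by_host = {}
    for name, host, _ in hits:
        by_host.setdefault(host, set()).add(name)
    needed = {"blackcat_batch_script", "defender_tampering"}
    return sorted(h for h, names in by_host.items() if needed <= names)

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for hit in found:
        print(hit)
    print("hosts to isolate first:", hosts_with_chain(found))
```

The combined rule in `hosts_with_chain` is the useful one: a lone batch file name is a weak indicator, but the same host showing both a script execution and security tooling being switched off is worth an immediate response.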

The FBI stated that Rust enables BlackCat to target a broader range of systems, including both Windows and Linux. It also makes BlackCat a highly complex ransomware with efficient algorithms that speed up the encryption of breached systems. The FBI noted that Rust also makes the ransomware harder to analyze in sandbox environments, because many security solutions are still catching up in their ability to analyze threats written in Rust and other more modern languages.

Palo Alto Networks Unit 42 stated that as a RaaS operation, BlackCat's business model revolves around letting other attackers use their ransomware, conduct their own campaigns, and keep a percentage of their earnings. Most RaaS operations allow affiliates to keep 70% of their profits. With BlackCat, however, affiliates can expect to keep 80-90%. This makes this particular ransomware very popular among cybercriminals.

The use of BlackCat ransomware is expected to grow, so it is essential for organizations to be aware of BlackCat and to put good cyber hygiene practices in place to help lessen the chance that they will be affected by ransomware.
