"Prolific Ransomware Affiliate Groups Deploy BlackCat"

According to new Microsoft research, two of the most prolific ransomware affiliate groups, DEV-0237 and DEV-0504, which have previously been linked to ransomware families including Hive, Conti, and Ryuk, are now deploying the BlackCat Ransomware-as-a-Service (RaaS) payload. Because BlackCat is distributed through the RaaS affiliate model, researchers find its deployments difficult to track: no two BlackCat intrusions look the same, since each affiliate brings its own tooling and tradecraft. For example, Microsoft recently observed two separate BlackCat deployments with different initial access vectors, one using compromised credentials and the other exploiting a vulnerable Microsoft Exchange server, and the affiliates also differed in the persistence, credential theft, and lateral movement methods they used. This variation makes it hard to identify a consistent set of tactics, techniques, and procedures (TTPs) for the ransomware itself. Nonetheless, the end result of a BlackCat intrusion is the same: data is exfiltrated and encrypted, and the stolen data is then used for double extortion. Because payload-specific indicators vary from one affiliate to the next, researchers urge organizations to address the common weaknesses these affiliates exploit, such as poor credential hygiene and misconfigurations, to defend against the BlackCat ransomware family. This article continues to discuss the difficulty of tracking BlackCat deployments, the prolific affiliate groups now deploying BlackCat, and recently observed BlackCat incidents.

Decipher reports "Prolific Ransomware Affiliate Groups Deploy BlackCat"
