The BlackCat ransomware gang, known for being the first to use ransomware written in the Rust programming language, has compromised at least 60 organizations worldwide since March 2022, the Federal Bureau of Investigation (FBI) says in a new alert.
BlackCat, also known as ALPHV, is a relatively new ransomware-as-a-service gang that security researchers believe is related to the more established BlackMatter (aka Darkside) ransomware gang that hit the American fuel pipeline operator Colonial Pipeline last May.
BlackCat emerged in November 2021 and was created by compromise experts or “access brokers” who sold access to several RaaS groups, including BlackMatter, according to Cisco’s Talos researchers.
As ZDNet reported in February, BlackCat has hit several high-profile companies since December, including Swiss airport management service Swissport and two German oil suppliers.
While much of the group’s efforts have focused on striking several European critical infrastructure companies, Cisco notes in a March report that more than 30% of BlackCat compromises have targeted US companies.
“As of March 2022, BlackCat/ALPHV ransomware as a service (RaaS) had compromised at least 60 entities worldwide and is the first ransomware group to do so successfully using Rust, considered a more secure programming language that offers improved performance and concurrent processing reliability,” the FBI said in its alert detailing the BlackCat/ALPHV indicators of compromise.
“Threat actors affiliated with BlackCat typically demand multimillion-dollar ransom payments in Bitcoin and Monero, but have accepted ransom payments lower than the original ransom demand. Many developers and money launderers for BlackCat/ALPHV are tied to Darkside/BlackMatter, indicating they have extensive networks and experience in ransomware operations,” the alert continues.
The BlackCat gang uses previously compromised user credentials to gain initial access to the victim’s system. The group then compromises Microsoft Active Directory user and administrator accounts and uses Windows Task Scheduler to configure Group Policy Objects (GPOs) that deploy the ransomware.
BlackCat also uses legitimate Windows tools – such as Microsoft Sysinternals, as well as PowerShell scripts – to disable security features in anti-malware tools, launch ransomware executables, including on MySQL databases, and copy ransomware to other locations on a network.
The group practices double extortion by stealing data before encrypting it in order to threaten victims with a leak in case they do not pay a ransom demand.
Cisco said the BlackCat gang or its affiliates are unlikely to use an Exchange flaw. However, Trend Micro researchers claimed last week that they identified BlackCat exploiting Exchange bug CVE-2021-31207 during an investigation. This was one of the ProxyShell Exchange bugs discovered in mid-2021.
BlackCat has versions that work on Windows and Linux, as well as VMware’s ESXi environment, notes Trend Micro.
“In this incident, we have identified a CVE-2021-31207 exploit. This vulnerability abuses the New-MailboxExportRequest PowerShell command to export the user’s mailbox to an arbitrary file location, which could be used to write a web shell on the Exchange server,” the firm said.
The Cybersecurity and Infrastructure Security Agency urges organizations to review the FBI alert.
The FBI is seeking information from the public about the BlackCat compromises. It wants “any information that can be shared to include IP logs showing foreign IP address callbacks, Bitcoin or Monero addresses and transaction IDs, communications with threat actors, decryption file and/or a benign sample of an encrypted file.”
Since attackers commonly use Windows Task Scheduler to hide malicious activity among seemingly normal administrative tasks, the FBI recommends that organizations review Task Scheduler for unrecognized scheduled tasks, and check domain controllers, servers, workstations and Active Directory for new or unrecognized user accounts.
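As an added example (not code from the FBI alert or from this article), the checks in that recommendation written as a PowerShell triage script: it inventories non-Microsoft scheduled tasks, compares them with a saved baseline, flags tasks whose action launches a script host or an executable outside the Windows and Program Files directories, and lists recently created Active Directory accounts. The baseline path and the 30-day lookback are assumptions; the AD part needs the RSAT ActiveDirectory module and domain read rights.

```powershell
# Added example, not the FBI's or the article's code. Run as an administrator.
param(
    [string]$BaselinePath = "C:\baseline\scheduled-tasks.csv",  # assumed location
    [int]$LookbackDays = 30                                      # assumed window
)

# 1. Inventory tasks outside \Microsoft\, with author, run-as account and each action.
$tasks = Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
    ForEach-Object {
        $info = $_ | Get-ScheduledTaskInfo
        foreach ($a in $_.Actions) {
            [pscustomobject]@{
                Path      = $_.TaskPath + $_.TaskName
                Author    = $_.Author
                RunAs     = $_.Principal.UserId
                Execute   = $a.Execute
                Arguments = $a.Arguments
                LastRun   = $info.LastRunTime
            }
        }
    }

# 2. Anything not present in the saved inventory counts as "unrecognized".
if (Test-Path $BaselinePath) {
    $known = Import-Csv $BaselinePath | Select-Object -ExpandProperty Path
    Write-Host "Tasks not present in baseline ${BaselinePath}:"
    $tasks | Where-Object { $known -notcontains $_.Path } | Format-Table -AutoSize
} else {
    Write-Host "No baseline found; saving current inventory to $BaselinePath"
    $tasks | Export-Csv -NoTypeInformation $BaselinePath
}

# 3. Heuristic: actions that invoke a script host (the PowerShell-via-Task-Scheduler
#    pattern the alert describes) or run a binary outside the OS/Program Files trees.
#    A bare executable name with no path is flagged too; review those by hand.
$tasks | Where-Object {
    $exe = "$($_.Execute)".Trim('"')
    $exe -match 'powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32' -or
    ($exe -and $exe -notmatch '^(C:\\Windows|C:\\Program Files|%SystemRoot%|%ProgramFiles%)')
} | Format-Table Path, RunAs, Execute, Arguments -AutoSize

# 4. Domain accounts created inside the lookback window, with their group names.
if (Get-Module -ListAvailable ActiveDirectory) {
    $since = (Get-Date).AddDays(-$LookbackDays)
    Get-ADUser -Filter { whenCreated -ge $since } -Properties whenCreated, memberOf |
        Select-Object SamAccountName, whenCreated,
            @{ n = 'Groups'; e = { ($_.memberOf -replace '^CN=([^,]+),.*', '$1') -join ';' } } |
        Format-Table -AutoSize
}
```

Run it once on a known-clean host to create the baseline, then on a schedule or during an investigation; the step-3 heuristic is a starting point for review, not a verdict.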