Protect Your Organization from BlackCat Ransomware Attacks
Originally published by Titaniam.
Where there is value for organizations online, there will be a cybercriminal ready with a ransomware attack to exploit it.
Since it first emerged in December 2021, BlackCat ransomware has become another example of a cybercriminal ring using the Ransomware-as-a-Service (RaaS) model to wreak havoc on organizations. This article covers who they are, what they do, how they carry out their ransomware attacks, and what you can do to protect your organization from this form of ransomware.
What is BlackCat Ransomware?
The ALPHV group, also known as BlackCat, develops ransomware. Its “business model” is to give other attackers (affiliates) access to its infrastructure and malware and, in return, take a portion of any ransom that is successfully collected. BlackCat gang members are likely the ones who negotiate with the victims of their attacks. Most RaaS providers let their partners keep about 70% of the proceeds; with BlackCat, affiliates can expect to keep 80–90%.
This means the only thing missing from their “one-stop shop” business model is access to the specific corporate environment they intend to attack. Their malware has already been used in successful ransomware attacks around the globe, however, so the need to obtain initial access has not held them back. According to an FBI FLASH notice from around April 2022, the operation had compromised more than 60 victims in six months.
How does BlackCat Ransomware work?
Along with its profit incentive, BlackCat has a loaded lineup of malicious tools, with features that make it difficult for victims to recover from a ransomware attack. For example, it is written in Rust, and its attacks use different tools and strategies depending on the operation. Let’s explore how it works and how each of these features adds to its appeal for those looking to run a ransomware attack.
For one thing, BlackCat is the first ransomware written in Rust. Using a new language for the payload helps the ransomware avoid detection: traditional security solutions may not yet be equipped to analyze and interpret binaries produced by newer languages like this. It also gives BlackCat the ability to target a variety of hardware and operating systems with a single cross-platform tool of the same name. Microsoft has noted successful attacks on Linux devices, Windows and VMware instances. The more devices and operating systems they can attack, the more they have to gain and the more the rest of us have to lose.
Secondly, BlackCat is thought to be a rebrand of a previous ransomware group, meaning it already has connections within the ecosystem. The Fendr utility is the specific tool organizations must protect themselves against: it is what BlackCat uses to exfiltrate data from infected infrastructure. Its use suggests a resurfacing of older ransomware groups such as the BlackMatter faction (also known as ExMatter), which had previously been the only known gang to use this tool. For lateral movement within the victim’s network, BlackCat also makes use of the PsExec tool, the infamous credential-theft software Mimikatz, and Nirsoft utilities to steal network passwords and gain full access. Because each function is split across a separate tool, each one generates less activity, so the resulting anomalies may be dismissed or go undetected, and defenders have a shorter window in which to catch them.
However, it is worth noting that the group changes its attack strategy depending on the affiliate involved in each attack. Thus, it is best to be ready for variation.
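The PsExec and Mimikatz activity described above leaves traces in Windows event logs: PsExec installs a service (System log Event ID 7045, service name PSEXESVC by default), and Mimikatz-style credential theft opens a handle to LSASS (Sysmon Event ID 10). As an added example that is not part of the original article, the following detection logic runs over constructed sample events; the allowlist of legitimate LSASS readers is a hypothetical starting point to tune per environment.

```python
# Constructed sample events in a simplified JSON-like shape (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 7045, "Host": "ws01", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": 7045, "Host": "ws01", "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"EventID": 10, "Host": "ws01", "SourceImage": r"C:\Users\a\Downloads\x.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "Host": "ws01", "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
]

# Hypothetical allowlist of processes that legitimately open LSASS; tune per environment.
LSASS_ALLOWED_SOURCES = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}


def basename(path):
    """Return the lowercase file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events):
    """Return (rule, host, detail) tuples for PsExec service installs and LSASS access."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 7045:
            # PsExec's default service name/binary; renamed copies (psexec -r) would
            # need additional signals such as the named pipe or the SMB ADMIN$ write.
            name = ev.get("ServiceName", "").upper()
            image = basename(ev.get("ImagePath", ""))
            if name.startswith("PSEXESVC") or image.startswith("psexesvc"):
                alerts.append(("psexec_service_install", ev["Host"], ev["ImagePath"]))
        elif eid == 10:
            # Any process outside the allowlist opening LSASS is worth an analyst's look.
            if basename(ev.get("TargetImage", "")) == "lsass.exe":
                src = basename(ev.get("SourceImage", ""))
                if src not in LSASS_ALLOWED_SOURCES:
                    alerts.append(("lsass_access", ev["Host"], ev["SourceImage"]))
    return alerts


if __name__ == "__main__":
    for rule, host, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}\t{host}\t{detail}")
```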
On a technical level, BlackCat is known to exploit the following five vulnerabilities:
CVE-2016-0099 (High), CVE-2019-7481 (High), CVE-2021-31207 (High), CVE-2021-34473 (Critical), and CVE-2021-34523 (Critical). CVE-2021-34473 and CVE-2021-34523, found in Microsoft Exchange Server, both require immediate remediation. They are more dangerous because they can be chained with other vulnerabilities in a single attack, and because they have multiple known threat-actor associations. The more access they grant, the higher the risk.
Why is it important to have ransomware protection in my organization?
In the event of a ransomware attack, a company without any protection in place can face many negative consequences. If an organization is attacked by BlackCat, paying the ransom means spending company resources to retrieve critical business data from the attackers. It also signals to the attackers that this is a vulnerable target, and that they can expect to negotiate another ransom if they attack again. However, should the organization refuse to pay or to acknowledge the ransomware attack, it could effectively be handing its network over to cybercriminals, who could then leak sensitive data, leaving the organization with a soiled reputation, exposed data and lawsuits.
Even if the organization decides to cooperate, play things by the book and pay the ransom, there is still no guarantee that its systems will be released. The data is not safe in the hands of cybercriminals, who offer no guarantee that they won’t leak what they have collected. With all of these uncertain scenarios, it is essential to have a cybersecurity plan that mitigates the risk. With the proper tools in place, organizations avoid the Catch-22 of having to make that choice.
How can I protect my organization from BlackCat Ransomware and other ransomware attacks?
While there is no guarantee, certain tools can grant a degree of immunity from a ransomware attack, in the same way a shot boosts immunity against a viral infection in the human body. It is best to have a proactive ransomware strategy that can be customized to your organization’s needs and that protects your data at every stage of its lifecycle.
Protecting your organization from ransomware attacks requires a three-part strategy: prevention and detection solutions, backup and recovery solutions, and, equally important, data security that prevents the exfiltration of unencrypted data. With prevention and detection tools, enterprises can block or catch a portion of ransomware before it causes damage. With backup and recovery tools, organizations can bring systems back up after an attack without giving in to ransom demands. The third part is critically important because it ensures that exfiltrated data cannot be used to extort victims, their customers, partners, employees and board members!