Attivo Networks Blogs

BlackCat Ransomware on the Rise

Towards the end of last year, in December 2021, the world saw the emergence of an apparently new and highly advanced ransomware operation called ALPHV, or BlackCat, which is now claimed to be responsible for a cyberattack on two oil companies in the EMEA region.

Commenting on this latest development, the chief security advocate at Attivo Networks, Carolyn Crandall, said: “The ALPHV BlackCat ransomware is extremely sophisticated because it is human-operated and command-line driven, which makes it hard for traditional detection tools to accurately alert on these incursions. BlackCat is known to use a variety of encryption modes, moves laterally, and gains administrative privileges to spread between computers, encrypt other devices, and wipe out information to prevent recovery. This group is also known to steal data before encrypting devices and publishing it on data leak sites for triple extortion.

Compromising Active Directory has become the default attack vector for ransomware attacks and was undoubtedly leveraged by this ransomware to gain the domain control they needed. Active Directory is the most commonly used identity platform by businesses and, if compromised, gives attackers the complete control they seek to escalate privileges, disable security tools, move laterally in the organization, and steal valuable data. Protection of Active Directory is a security gap that is not currently addressed by EDR solutions or identity access management solutions focused on providing access instead of denying it. To truly protect Active Directory, organizations need to employ a multipronged approach which includes hardening, detecting reconnaissance, and preventing domain compromise. Newer Identity Detection and Response (IDR) tools have become must-have security stack staples for delivering visibility and detection for credential theft and misuse and attempts to enumerate Active Directory.

An attack on Active Directory works by attackers discovering privileged accounts and then stealing credentials like passwords, hashes, and Kerberos tickets or by performing brute force attacks like password spray. Once an attacker compromises higher privileges or finds a vulnerability in Active Directory, they use techniques like Golden Ticket attack, Silver Ticket attack, and Domain Replication to take over the AD. Once this is in action, attackers can easily compromise the systems it manages, install backdoors, change security policies, and rapidly deploy the ransomware.”
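As an added illustration of the kind of detection the comment describes (this is not code from the original post or from Attivo's products), the Python below flags the password-spray pattern mentioned above over constructed, simplified failed-logon records; the record layout (Windows Security event 4625 reduced to time, event ID, target account and source) and the thresholds are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: one line per logon event, "timestamp event_id account source".
# 10.0.0.7 fails once against six different accounts in two minutes (spray),
# 10.0.0.9 hammers a single account (brute force, not a spray),
# 10.0.0.20 is an ordinary user with one typo after a successful logon (4624).
SAMPLE_EVENTS = """\
2021-12-10T09:00:01 4625 alice 10.0.0.7
2021-12-10T09:00:20 4625 bob 10.0.0.7
2021-12-10T09:00:41 4625 carol 10.0.0.7
2021-12-10T09:01:05 4625 dave 10.0.0.7
2021-12-10T09:01:30 4625 erin 10.0.0.7
2021-12-10T09:02:02 4625 frank 10.0.0.7
2021-12-10T09:00:10 4625 bob 10.0.0.9
2021-12-10T09:00:12 4625 bob 10.0.0.9
2021-12-10T09:00:15 4625 bob 10.0.0.9
2021-12-10T09:00:19 4625 bob 10.0.0.9
2021-12-10T09:00:25 4625 bob 10.0.0.9
2021-12-10T09:05:00 4624 alice 10.0.0.20
2021-12-10T09:05:03 4625 grace 10.0.0.20
"""


def parse_events(text):
    """Return (timestamp, account, source) for every failed logon (4625) line."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, account, src = line.split()
        if event_id == "4625":
            events.append((datetime.fromisoformat(ts), account, src))
    return events


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_accounts=5, max_per_account=2):
    """Flag sources that fail against many distinct accounts inside one window
    while staying under a small per-account count: the low-and-slow shape of a
    spray that per-account lockout thresholds never trip. Thresholds are assumed."""
    by_src = defaultdict(list)
    for ts, account, src in sorted(events):
        by_src[src].append((ts, account))
    alerts = []
    for src, items in by_src.items():
        best, start = 0, 0
        for end in range(len(items)):          # sliding window over sorted failures
            while items[end][0] - items[start][0] > window:
                start += 1
            counts = Counter(acct for _, acct in items[start:end + 1])
            if max(counts.values()) <= max_per_account:
                best = max(best, len(counts))
        if best >= min_accounts:
            alerts.append({"source": src, "accounts": best})
    return alerts


if __name__ == "__main__":
    print(detect_password_spray(parse_events(SAMPLE_EVENTS)))
```

The single-account brute force from 10.0.0.9 is deliberately left to a separate per-account rule; this function only surfaces the many-accounts, few-attempts pattern.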

Read the original comment on Security MEA.
