What is BlackCat and How to Stop It.

Authored by: Carolyn Crandall, Chief Security Advocate, Attivo Networks – In November 2021, security professionals first observed a new strain of ransomware known as BlackCat (or ALPHV), targeting organizations across multiple industries worldwide. The group running BlackCat operates within the “ransomware-as-a-service” (RaaS) business model like other common ransomware groups. They effectively license their software to cybercriminals to use in ransomware attacks for a percentage of the final ransom payment.

BlackCat has proven to be highly virulent and has already victimized dozens of enterprises across the globe, demanding up to $14 million in ransom. Organizations worldwide need to protect themselves from this new threat—and the first step is understanding what BlackCat is and how it operates.

How BlackCat Operates

Today’s ransomware groups are becoming more innovative. Like REvil and DarkSide, many have adopted a “double extortion” method. These groups don’t just steal or encrypt data—they threaten to expose that data on the dark web if victims do not meet their demands. BlackCat takes this a step further, engaging in “triple extortion” by threatening to launch distributed denial-of-service (DDoS) attacks if victims do not give in to their demands. This added threat makes it more appealing to potential affiliates—as does the fact that BlackCat promises a higher percentage of the payout to those who use it.

BlackCat is a particularly sophisticated ransomware strain because it is both human-operated and command-line driven, making it difficult for traditional detection tools to alert accurately on its presence within a system. BlackCat is known to use a variety of different encryption methods and has proven adept at gaining access to networks and moving within them. To accomplish this, BlackCat almost certainly targets Active Directory (AD). Compromising AD is the default attack vector for modern ransomware attacks, giving attackers total control to move laterally within the organization, gain administrative privileges, disable security tools, and identify new information to steal, encrypt, or delete to prevent recovery.

Defending Against BlackCat

Protecting Active Directory is the most effective way to prevent BlackCat from proliferating within the network and accomplishing its goals. Unfortunately, AD sits in a dangerous security gap. Today’s Endpoint Detection and Response (EDR) solutions do not address AD protection, and Identity Access Management (IAM) solutions are focused primarily on providing access rather than restricting it. Effectively defending AD requires a multipronged approach that includes hardening, detecting reconnaissance activity and other indicators of compromise (IoCs), and preventing domain compromise. Identity Detection and Response (IDR) is a relatively new cybersecurity category, but it has quickly become essential. IDR tools help fill the gap left by EDR and IAM, delivering network visibility and the ability to detect credential theft and misuse as well as attempts to enumerate Active Directory.

With ransomware like BlackCat spreading, Identity Detection and Response tools become critical components of a business’s security stack. IDR solutions can secure credentials and AD objects while reducing the attack surface through exposure visibility tools. These can help defenders remove exposures that an attacker would otherwise attempt to leverage. Live attack detection controls for AD are also critical, enabling defenders to identify attack activities such as mass account changes, password spray attacks, dangerous delegation, or domain replication activities. The correct identity security tools can make it impossible for the attacker to move about the network without detection—regardless of the code or techniques they may be using.
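Two of the AD attack activities listed above, password spraying and mass account changes, can be illustrated with simple windowed detection logic. The following is an added example written for this post; it is not Attivo code and does not show how ADSecure works. It assumes event records shaped like Windows Security log entries (Event IDs 4625, 4724, 4726 and 4738 are real Windows IDs, but every record below is constructed for the example) and uses thresholds that are assumptions a defender would tune to their own environment.

```python
"""Toy windowed detections over constructed Windows-Security-style event records.

A password spray looks like one source failing against many distinct accounts,
a few attempts each; a mass account change looks like one actor touching many
accounts inside a short window.  Thresholds are illustrative assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625                      # Windows: "An account failed to log on"
ACCOUNT_CHANGE_IDS = {4724, 4726, 4738}  # password reset attempt, account deleted, account changed


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def _windowed_alerts(items, window, min_accounts, key_name, key, extra_check=lambda per_account: True):
    """Slide a time window over (time, account) pairs and keep the widest qualifying window."""
    items.sort()
    best = None
    start = 0
    for end in range(len(items)):
        while items[end][0] - items[start][0] > window:
            start += 1
        per_account = defaultdict(int)
        for _, account in items[start:end + 1]:
            per_account[account] += 1
        if len(per_account) >= min_accounts and extra_check(per_account):
            if best is None or len(per_account) > best["account_count"]:
                best = {key_name: key, "account_count": len(per_account),
                        "accounts": sorted(per_account),
                        "first": items[start][0].isoformat(), "last": items[end][0].isoformat()}
    return [best] if best else []


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """One source, >= min_accounts distinct targets, <= max_per_account failures each."""
    by_source = defaultdict(list)
    for e in events:
        if e["event_id"] == FAILED_LOGON:
            by_source[e["source_ip"]].append((_parse(e["time"]), e["target_user"]))
    alerts = []
    for src, fails in by_source.items():
        alerts += _windowed_alerts(fails, window, min_accounts, "source_ip", src,
                                   lambda pa: max(pa.values()) <= max_per_account)
    return alerts


def detect_mass_account_changes(events, window=timedelta(minutes=5), min_changes=5):
    """One subject account modifying >= min_changes distinct accounts inside the window."""
    by_subject = defaultdict(list)
    for e in events:
        if e["event_id"] in ACCOUNT_CHANGE_IDS:
            by_subject[e["subject_user"]].append((_parse(e["time"]), e["target_user"]))
    alerts = []
    for subject, changes in by_subject.items():
        alerts += _windowed_alerts(changes, window, min_changes, "subject_user", subject)
    return alerts


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    # spray: one source, six accounts, one failure each, inside six minutes
    *[{"time": f"2022-03-01T09:0{i}:00", "event_id": 4625, "source_ip": "10.0.0.5",
       "target_user": u, "subject_user": "-"}
      for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])],
    # one user mistyping their own password four times: not a spray
    *[{"time": f"2022-03-01T09:1{i}:00", "event_id": 4625, "source_ip": "10.0.0.9",
       "target_user": "bob", "subject_user": "-"} for i in range(4)],
    # mass change: one helpdesk account resetting six passwords in under a minute
    *[{"time": f"2022-03-01T10:00:{i * 10:02d}", "event_id": 4724, "source_ip": "10.0.1.2",
       "target_user": u, "subject_user": "svc-helpdesk"}
      for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])],
    # a single routine account change
    {"time": "2022-03-01T11:00:00", "event_id": 4738, "source_ip": "10.0.1.3",
     "target_user": "grace", "subject_user": "hr-admin"},
]

if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_EVENTS) + detect_mass_account_changes(SAMPLE_EVENTS):
        print(alert)
```

The spray check deliberately caps failures per account so that a single user locking themselves out does not trigger it, and both detections report the widest window that qualified so an analyst sees the full set of affected accounts rather than the first five.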

The Attivo Networks identity security portfolio provides these capabilities. The ADAssessor solution reduces the Active Directory attack surface by identifying exposures for remediation, such as exposed ACLs, incorrect settings, or insecure parameters. The ADSecure solution provides live attack detection from endpoints and domain controllers, while the ThreatPath solution reduces the identity attack surface at the endpoints.

The Endpoint Detection Net (EDN) suite detects ransomware attacks via credential theft and behavioral analysis. It monitors for IoCs like file encryption, entropy changes, registry changes, process or service termination, and others and alerts when it detects such activity. The suite can mitigate malicious activities by blocking all input-output operations and terminating the process. It can also provide volume backup of endpoint data and prevent ransomware from deleting backup files created using Windows VSS, which is particularly important as attackers target backups with increased regularity. Additionally, the EDN DataCloak function prevents ransomware from accessing critical data. It hides and prevents attackers from seeing or accessing information like files, folders, and storage locations, making their lives much more difficult. The right security tools can frustrate an attacker looking for a quick score—and that is often enough to convince them to look elsewhere for an easier victim.
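The "entropy changes" indicator mentioned above rests on a simple observation: encrypted output is close to uniformly random, so a file whose bytes jump from document-like entropy to nearly 8 bits per byte has very likely been encrypted. The following is an added example for this post, not EDN's own logic; it scores a before/after pair of file contents and, because compressed formats are also high-entropy, exempts writes that carry a known compression header. All sample data is constructed in the block, and the thresholds are assumptions.

```python
"""Added example: flag a file write whose content entropy jumps to ciphertext levels.

Shannon entropy is measured in bits per byte: English text sits around 4-5,
uniform random data (and therefore ciphertext) near 7.95 for a few KB.
Already-compressed formats are also near 8, so their headers are checked first.
"""
import gzip
import math
import random
from collections import Counter

HIGH_ENTROPY = 7.5   # assumed threshold: bits per byte at which content looks random
MIN_JUMP = 2.0       # assumed threshold: rise between old and new content that signals encryption

# Formats that are legitimately high-entropy because they are already compressed.
KNOWN_COMPRESSED_MAGIC = {
    b"\x1f\x8b": "gzip",
    b"PK\x03\x04": "zip/office",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the byte-value distribution in data (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def known_compressed_type(data: bytes):
    for magic, name in KNOWN_COMPRESSED_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def classify_write(old: bytes, new: bytes) -> dict:
    """Compare the content a file had with the content being written to it."""
    e_old, e_new = shannon_entropy(old), shannon_entropy(new)
    result = {"entropy_before": round(e_old, 2), "entropy_after": round(e_new, 2), "verdict": "benign"}
    if e_new >= HIGH_ENTROPY:
        ctype = known_compressed_type(new)
        if ctype:
            result["verdict"] = f"high entropy explained by {ctype} header"
        elif e_new - e_old >= MIN_JUMP:
            result["verdict"] = "suspected encryption"
        else:
            result["verdict"] = "already high-entropy before write"
    return result


# Constructed samples: a repetitive "document", a seeded-random stand-in for
# ciphertext, and a gzip of the document as a legitimately high-entropy write.
PLAINTEXT = b"Quarterly figures: revenue up 4%, headcount flat. " * 80
_rng = random.Random(20220301)
CIPHERTEXT_LIKE = bytes(_rng.getrandbits(8) for _ in range(4096))
COMPRESSED = gzip.compress(PLAINTEXT)

if __name__ == "__main__":
    print(classify_write(PLAINTEXT, CIPHERTEXT_LIKE))
    print(classify_write(PLAINTEXT, COMPRESSED))
    print(classify_write(PLAINTEXT, PLAINTEXT + b" Revised."))
```

On its own an entropy jump is a noisy signal (archives, images and already-encrypted files all score high), which is why the text pairs it with the other indicators listed, such as process termination and registry changes, before a product acts on it.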

Defend Against Ransomware by Closing Known Security Gaps

Attackers are constantly innovating. There will always be new ransomware tools designed to circumvent endpoint defense systems and evade the notice of IAM tools. Since it is impossible to stop 100% of attacks, the best protection (beyond not clicking suspicious links or enabling macros, of course) is to implement security solutions that can detect lateral movement and other potential attack activities within the network itself. Attackers will always use reconnaissance to identify high-value targets and steal the credentials they need to escalate their privileges. They will also continue to exploit Active Directory to gain the control they need to encrypt systems, change security settings, delete backups, and cover their tracks. Preventing attackers from moving between systems and protecting AD is the best defense against BlackCat and other forms of ransomware—and that is unlikely to change anytime soon. Traditional security controls do not provide this level of protection—but IDR offers enterprises a new way to thwart attackers hoping to exploit one of today’s most common security gaps.
