Attivo Networks Blogs

FBI: BlackCat ransomware scratched 60-plus orgs

The BlackCat ransomware gang, said to be the first-known ransomware group to successfully break into networks with Rust-written malware, has attacked at least 60 organizations globally as of March, according to the FBI.

BlackCat, also known as ALPHV, is a relatively new group of cybercriminals that operates a Windows ransomware-as-a-service. But while it only appeared on the ransomware crime scene in November 2021, security researchers and federal law enforcement have linked its developers and money launderers to the notorious Darkside/Blackmatter crime rings, “indicating they have extensive networks and experience with ransomware operations,” the FBI said in a security alert this week. 

In earlier analysis, security researchers at Cisco Talos and Palo Alto Networks Unit 42 also noted BlackCat’s preference for Rust, with Unit 42 saying the gang was “one of the first, if not the first” of its kind to use this programming language.

The fact that the gang writes its ransomware in Rust, as opposed to C/C++, is interesting. Rust arguably has crucial safety measures built in, meaning the malware could be more stable and reliable. Like C/C++ toolchains, the Rust environment can be used to build programs for embedded devices, and integrate with other programming languages, said Attivo Networks Chief Security Advocate Carolyn Crandall.

The aforementioned FBI alert also includes BlackCat indicators of compromise and warned that ransomware typically leverages previously compromised user credentials to gain access to a victim’s system. “Initial deployment of the malware leverages PowerShell scripts, in conjunction with Cobalt Strike, and disables security features within the victim’s network,” it said. 

After breaking in, the malware compromises Active Directory user and administrator accounts, and it uses Windows Task Scheduler to configure malicious group policy objects to deploy ransomware. But before it executes the ransomware, BlackCat steals a victim’s data, including information from cloud providers.

Read the full article by Jessica Lyons Hardcastle on The Register website.

Share on:

Free Active Directory Assessment

Get Visibility Into Privilege And Service Account Exposure

For a limited time, Attivo Networks is providing free Active Directory Security Assessments to demonstrate how ADAssessor provides unprecedented and continuous visibility to AD vulnerabilities.

Try Our Endpoint Detection Net (EDN) for Free

FAST AND EASY

Free use offer of our Award-winning security solution to prevent attackers from lateral movement, credential theft, and privilege escalation, fast and easy.

Newsletter Signup

    Yes, please opt me in to receive your quarterly newsletter, event invitations, and product updates.

    I understand that I can opt out at any time, and can refer to Attivo Networks Privacy Policy for more information.
  • This field is for validation purposes and should be left unchanged.

ADSecure 90-Day Free Trial

GET PROTECTION AGAINST UNAUTHORIZED ACCESS TO ACTIVE DIRECTORY

  • Hide and deny access to AD objects
  • Get alerted on unauthorized queries
  • Attack details easily viewable in dashboard
  • Your data remains on-premise

RSS

Leave a Comment

Your email address will not be published.

sixteen − 1 =

Ready to find out what’s lurking in your network?

Scroll to Top