FBI: BlackCat ransomware scratched 60-plus orgs
The BlackCat ransomware gang, said to be the first known ransomware group to break into networks with malware written in Rust, had attacked at least 60 organizations globally as of March, according to the FBI.
BlackCat, also known as ALPHV, is a relatively new group of cybercriminals that operates a Windows ransomware-as-a-service. But while it only appeared on the ransomware crime scene in November 2021, security researchers and federal law enforcement have linked its developers and money launderers to the notorious Darkside/Blackmatter crime rings, “indicating they have extensive networks and experience with ransomware operations,” the FBI said in a security alert this week.
In earlier analysis, security researchers at Cisco Talos and Palo Alto Networks Unit 42 also noted BlackCat’s preference for Rust, with Unit 42 saying the gang was “one of the first, if not the first” of its kind to use this programming language.
The fact that the gang writes its ransomware in Rust, as opposed to C/C++, is interesting. Rust arguably has crucial safety measures built in, meaning the malware could be more stable and reliable. Like C/C++ toolchains, the Rust environment can be used to build programs for embedded devices, and integrate with other programming languages, said Attivo Networks Chief Security Advocate Carolyn Crandall.
The FBI alert also lists BlackCat indicators of compromise and warns that the ransomware typically leverages previously compromised user credentials to gain initial access to a victim's systems. "Initial deployment of the malware leverages PowerShell scripts, in conjunction with Cobalt Strike, and disables security features within the victim's network," it said.
After breaking in, the malware compromises Active Directory user and administrator accounts, and it uses Windows Task Scheduler to configure malicious group policy objects to deploy ransomware. But before it executes the ransomware, BlackCat steals a victim’s data, including information from cloud providers.
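The chain described above (compromised admin account, PowerShell launched from a scheduled task, security tooling switched off, a Group Policy object edited to push the payload) leaves a trail in ordinary Windows logging. The following triage script is an added example, not code from the FBI alert, The Register, or Attivo; it assumes a SIEM has already parsed events into dicts with the standard field names of Security event 4698 (scheduled task created), PowerShell/Operational event 4104 (script block logging, with the user normalised into SubjectUserName) and Security event 5136 (directory service object modified). The defence-tampering patterns and sample events are constructed for illustration and are not the FBI's published indicators.

```python
import base64
import re
from dataclasses import dataclass

# Windows event IDs used below are real; every event body in SAMPLE_EVENTS
# is constructed for this example, not taken from a real incident.
SCHEDULED_TASK_CREATED = 4698   # Security: "A scheduled task was created"
POWERSHELL_SCRIPT_BLOCK = 4104  # PowerShell/Operational: script block logging
DS_OBJECT_MODIFIED = 5136       # Security: "A directory service object was modified"

PS_LAUNCHER = re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b", re.IGNORECASE)
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Illustrative defence-tampering patterns (an assumption of this example, not FBI IOCs).
DEFENCE_TAMPER = re.compile(
    r"Set-MpPreference\s+-Disable\w+|Add-MpPreference\s+-ExclusionPath|Stop-Service\b.*\bWinDefend\b",
    re.IGNORECASE)
# GPO attributes that change when a policy is edited (assumption: what the SIEM records).
GPO_ATTRIBUTES = {"gPCFileSysPath", "gPCMachineExtensionNames", "versionNumber"}


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium"
    rule: str
    account: str
    detail: str


def decode_encoded_command(text: str):
    """Plaintext of a PowerShell -EncodedCommand payload (base64 of UTF-16LE), else None."""
    m = ENCODED_ARG.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def triage(events):
    """Flag the task -> PowerShell -> defence tampering -> GPO chain, correlated per account."""
    # Pass 1: accounts that registered a scheduled task which launches PowerShell.
    ps_task_accounts = {
        ev.get("SubjectUserName", "?") for ev in events
        if ev.get("EventID") == SCHEDULED_TASK_CREATED
        and PS_LAUNCHER.search(ev.get("TaskContent", ""))
    }
    findings = []
    for ev in events:
        eid, who = ev.get("EventID"), ev.get("SubjectUserName", "?")
        if eid == SCHEDULED_TASK_CREATED:
            content = ev.get("TaskContent", "")   # task XML as logged by 4698
            if PS_LAUNCHER.search(content):
                decoded = decode_encoded_command(content)
                sev = "high" if decoded is not None or DEFENCE_TAMPER.search(content) else "medium"
                findings.append(Finding(sev, "scheduled_task_powershell", who,
                                        decoded or ev.get("TaskName", "")))
        elif eid == POWERSHELL_SCRIPT_BLOCK:
            script = ev.get("ScriptBlockText", "")
            if DEFENCE_TAMPER.search(script):
                findings.append(Finding("high", "defence_tampering", who, script))
        elif eid == DS_OBJECT_MODIFIED:
            if (ev.get("ObjectClass") == "groupPolicyContainer"
                    and ev.get("AttributeLDAPDisplayName") in GPO_ATTRIBUTES):
                # A GPO edit by an account that also scheduled PowerShell is the deployment step.
                sev = "high" if who in ps_task_accounts else "medium"
                findings.append(Finding(sev, "gpo_modified", who, ev.get("ObjectDN", "")))
    return findings


def _enc(script: str) -> str:
    """Build a -EncodedCommand argument the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events: two benign, three from a hypothetical compromised admin account.
SAMPLE_EVENTS = [
    {"EventID": 4698, "SubjectUserName": "svc_backup", "TaskName": "\\Nightly Backup",
     "TaskContent": "<Exec><Command>C:\\Tools\\backup.exe</Command><Arguments>/full</Arguments></Exec>"},
    {"EventID": 4698, "SubjectUserName": "adm.jsmith", "TaskName": "\\Microsoft\\Windows\\Update\\Sync",
     "TaskContent": "<Exec><Command>powershell.exe</Command><Arguments>-nop -w hidden -enc "
                    + _enc("Set-MpPreference -DisableRealtimeMonitoring $true") + "</Arguments></Exec>"},
    {"EventID": 4104, "SubjectUserName": "adm.jsmith",
     "ScriptBlockText": "Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"EventID": 5136, "SubjectUserName": "adm.jsmith", "ObjectClass": "groupPolicyContainer",
     "AttributeLDAPDisplayName": "versionNumber",
     "ObjectDN": "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=example"},
    {"EventID": 5136, "SubjectUserName": "helpdesk1", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "description", "ObjectDN": "CN=Jane Doe,OU=Users,DC=corp,DC=example"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule} by {f.account}: {f.detail}")
```

Run on the sample set, the backup job and the help-desk edit produce nothing, while the three events tied to the admin account come back as high-severity findings, with the scheduled task's encoded payload decoded so an analyst can see the Defender tampering without reaching for a separate tool. The per-account correlation is the point: a GPO version bump on its own is routine administration, but the same account having just registered a hidden PowerShell task is the pattern the FBI alert describes.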
Read the full article by Jessica Lyons Hardcastle on The Register website.