The BlackCat ransomware gang, known for being the first to use ransomware written in the Rust programming language, has compromised at least 60 organizations worldwide since March 2022, the Federal Bureau of Investigation (FBI) says in a new alert.
BlackCat, which also goes by the name ALPHV, is a relatively new ransomware-as-a-service gang that security researchers believe is related to the more established BlackMatter (aka Darkside) ransomware gang that hit US fuel distributor Colonial Pipeline last May.
BlackCat appeared in November 2021 and was created by compromise experts or ‘access brokers’ that have sold access to multiple RaaS groups, including BlackMatter, according to Cisco’s Talos researchers.
As ZDNet reported in February, BlackCat has hit several high-profile companies since December, including Swiss airport management service Swissport and two German oil suppliers.
While much of the group’s efforts have been focused on striking several European critical infrastructure firms, Cisco notes in a March report that more than 30% of BlackCat compromises have targeted US firms.
“As of March 2022, BlackCat/ALPHV ransomware as a service (RaaS) had compromised at least 60 entities worldwide and is the first ransomware group to do so successfully using Rust, considered to be a more secure programming language that offers improved performance and reliable concurrent processing,” the FBI says in its alert detailing BlackCat/ALPHV indicators of compromise.
“BlackCat-affiliated threat actors typically request ransom payments of several million dollars in Bitcoin and Monero but have accepted ransom payments below the initial ransom demand amount. Many of the developers and money launderers for BlackCat/ALPHV are linked to Darkside/BlackMatter, indicating they have extensive networks and experience with ransomware operations,” it continues.
The BlackCat gang uses previously compromised user credentials to gain initial access to the victim’s system. The group then compromises Microsoft Active Directory user and administrator accounts and uses the Windows Task Scheduler to configure Group Policy Objects to deploy the ransomware.
BlackCat also uses legitimate Windows tools – such as Microsoft Sysinternals, as well as PowerShell scripts – to disable security features in anti-malware tools, launch ransomware executables including on MySQL databases, and copy ransomware to other locations on a network.
The group practices double extortion by stealing data prior to encrypting it in order to threaten victims with a leak in the event they don’t pay a ransom demand.
Cisco said it was unlikely the BlackCat gang or affiliates were using an Exchange flaw. However, Trend Micro researchers last week claimed to have identified BlackCat exploiting the Exchange bug CVE-2021-31207 during an investigation. That was one of the ProxyShell Exchange bugs discovered in mid-2021.
BlackCat has versions that work on Windows and Linux, as well as VMware’s ESXi environment, notes Trend Micro.
“In this incident, we identified the exploitation of CVE-2021-31207. This vulnerability abuses the New-MailboxExportRequest PowerShell command to export the user mailbox to an arbitrary file location, which could be used to write a web shell on the Exchange Server,” the firm said.
The Cybersecurity and Infrastructure Security Agency is urging organizations to review the FBI’s alert.
The FBI is seeking information from the public about BlackCat compromises. It wants “any information that can be shared, to include IP logs showing callbacks from foreign IP addresses, Bitcoin or Monero addresses and transaction IDs, communications with the threat actors, the decryptor file, and/or a benign sample of an encrypted file.”
As Windows Task Scheduler is commonly used by attackers to hide malicious activity within seemingly normal admin tasks, the FBI recommends that organizations review Task Scheduler for unrecognized scheduled tasks, and check domain controllers, servers, workstations, and Active Directory for new or unrecognized user accounts.
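One way to carry out the two checks the FBI recommends, as an added example that is not part of the article or the FBI alert: it lists non-Microsoft scheduled tasks that were registered recently or launch a script interpreter, then lists domain accounts created in the same window. It assumes a domain-joined Windows host with the ScheduledTasks module and the RSAT ActiveDirectory module; the 14-day lookback and the interpreter list are assumptions to tune.

```powershell
# Added triage script (not from the FBI alert or the article). Runs on Windows
# PowerShell 5.1+; the account check needs the RSAT ActiveDirectory module.
param(
    [int]$LookbackDays = 14   # assumed window; adjust to your investigation
)
$since = (Get-Date).AddDays(-$LookbackDays)

# --- 1. Scheduled tasks outside \Microsoft\ that were registered recently or
#        run a script interpreter. Windows' own tasks live under \Microsoft\.
$interpreters = 'powershell','pwsh','cmd','wscript','cscript','mshta','rundll32'
$tasks = Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' }
$findings = foreach ($t in $tasks) {
    $info    = $t | Get-ScheduledTaskInfo
    $actions = ($t.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    $registered = $null
    if ($t.Date) { $registered = [datetime]$t.Date }   # registration timestamp
    $recent = $registered -and ($registered -ge $since)
    $usesInterpreter = $interpreters | Where-Object { $actions -match "(^|\\)${_}(\.exe)?\b" }
    if ($recent -or $usesInterpreter) {
        [pscustomobject]@{
            Task       = "$($t.TaskPath)$($t.TaskName)"
            Author     = $t.Author
            RunAs      = $t.Principal.UserId
            Registered = $registered
            LastRun    = $info.LastRunTime
            Action     = $actions
        }
    }
}
Write-Host "Scheduled tasks needing review (since $since):"
$findings | Sort-Object Registered -Descending | Format-Table -AutoSize

# --- 2. Domain user accounts created inside the lookback window; reconcile
#        each against change records, paying attention to group membership.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    Write-Host "Domain accounts created since $since:"
    Get-ADUser -Filter * -Properties whenCreated, MemberOf |
        Where-Object { $_.whenCreated -ge $since } |
        Select-Object SamAccountName, Enabled, whenCreated,
            @{ n = 'Groups'; e = { ($_.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ' } } |
        Sort-Object whenCreated -Descending | Format-Table -AutoSize
} else {
    Write-Warning 'ActiveDirectory module not found; skipping the account check.'
}
```

Run it with an account that can read the task store and query the domain; the task section alone works on any workstation or server.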