BlackCat emerges as one of the top ransomware threats - TechTarget

With a string of recent high-profile attacks, the BlackCat ransomware gang is emerging as one of the major players in the threat landscape.
BlackCat, or “ALPHV,” an apparent descendant of the BlackMatter ransomware group, has been operating since at least November and has launched major attacks such as the disruption of OilTanking GmbH, a German fuel company, in January and the February attack on aviation company Swissport. Most recently, the ransomware group has claimed responsibility for attacks against two universities in the U.S., Florida International University and the University of North Carolina A&T.
The FBI on Wednesday published a flash alert about BlackCat ransomware that included indicators of compromise. The FBI said the ransomware gang has attacked at least 60 organizations across the globe as of last month, often using “previously compromised user credentials” to gain access to victims’ networks.
Matthew Radolec, senior director of incident response and cloud operations at Varonis, told SearchSecurity that most of BlackCat’s attacks come from the increasingly common ransomware as a service (RaaS) model.
“If we look at 2021 to today, we do have a change that was started by REvil,” Radolec said. “This concept of ransomware as a service is gaining in popularity and I think that is one of the fundamental differences. We’re talking about people that are creating a toolkit, and they are encouraging and recruiting operators almost like a SaaS company; they are offering a ransomware-as-a-service toolkit to deliver your own ransomware where they create the software for you.”
While the group has not claimed the same volume of victims as other ransomware gangs, BlackCat has been allegedly responsible for some of the most devastating ransomware attacks of the last several months.
According to threat detection vendor Cybereason, BlackCat consistently uses a double extortion approach and has at times implemented triple extortion via the threat of a DDoS attack.
As more groups like REvil and Lapsus$ continue to be hurt by arrests, Radolec sees greater opportunities for BlackCat and other RaaS groups.
“[The arrests] are definitely showing an increase in enforcement, but from my perspective and in our prediction, that would actually lead to more ransomware as a service, because you have this kind of degree of separation between the actual crime as it would be committed in most jurisdictions,” Radolec said. “If you look at the U.S., there’s the Computer Fraud and Abuse Act, which is what specifically outlines that running the ransomware and running the attack tools on a non-authorized environment is the crime, whereas the actual development of malware isn’t so black and white in U.S. law.”
Radolec said BlackCat operators are likely to be less known than the cybercriminals behind other notorious ransomware groups. In addition, the RaaS operation gives the operators a “sustainable model” that puts distance between them and their affiliates.
“If they keep developing and implementing a toolkit, there’s a degree of separation from them and actually carrying out the attack, with the exception of the money laundering part,” he said.
The recent ransomware attacks by BlackCat have put the group on the radar of cybersecurity analysts like Cybereason and Kaspersky Lab, which have each released a report in recent weeks analyzing the group.
Early on in both reports, the researchers identify one of the key aspects of BlackCat that distinguishes it from other ransomware groups and makes its malware effective to deploy.
Ransomware code varies from group to group, but BlackCat is unusual in being written in Rust, a language few other ransomware families use.
According to Cybereason, “because of Rust’s emphasis on performance, the process of encryption is very fast, and in addition, Rust is cross-platform, which makes it easier to create variants for both Windows and Linux.”
Radolec also took note of the Rust language being used by BlackCat.
“The advantage of Rust is that it compiles to Windows and Linux binaries,” Radolec said. “If you were building software, there’s an advantage to you doing it because more people can use it. With ransomware-as-a-service gangs, I would predict the use of more Rust, more flexible code than something like Objective C or Visual Basic, which would be pure Microsoft ecosystem.”
Another similarity in the reports on BlackCat was that both Cybereason and Kaspersky pointed out the links between BlackCat and the BlackMatter ransomware gang. The BlackMatter group said on its website in November that it would be disbanding its operations, but researchers have found connections between the two groups.
According to CISA, BlackMatter posed a significant threat to the U.S. because the group repeatedly targeted critical infrastructure in the country; BlackMatter is widely assessed to be a rebrand of DarkSide, the group behind the Colonial Pipeline attack.
While Cybereason pointed to BlackCat’s own confirmation of its relation to BlackMatter, Kaspersky found a unique connection between the two groups and their code. During its examination of the ransomware gang, the Kaspersky team found evidence of an exfiltration malware called Fendr.
According to Kaspersky’s report, this tool, which has been slightly modified by BlackCat, has only ever been found in BlackMatter ransomware.
While Cybereason did not discuss the Fendr code, its researchers did point out a connection they found between BlackCat and another ransomware gang.
Cybereason’s Nocturnus research team found many similarities between BlackCat’s code and infrastructure and those of LockBit. The report describes how the two groups use similar code.
“The profiler variants which are linked to LockBit use almost the same code as the BlackCat launcher, except for slight variations,” the Cybereason report said. “The only difference in functionality is that they do not attempt to download anything, they only collect profiling data, with the difference being that instead of collecting the machine’s ‘Windows UUID’, the profiler checks if LockBit is already installed on the machine.”
Kurt Baumgartner, Kaspersky’s principal security researcher, told SearchSecurity that groups like BlackCat and LockBit are going to have to continue to adapt their ransomware attack and monetization strategies going forward.
“These groups have been increasingly successful at monetizing their intrusions for the past few years, while law enforcement has been chipping away at the various participants — ‘underground’ exchange forums and access brokers, malware developers and ransomware operators,” Baumgartner said. “It seems at some point, payment schemes will be redeveloped in the next couple of years.”
All Rights Reserved, Copyright 2000 – 2022, TechTarget