Microsoft has uncovered new tactics used by BlackCat ransomware affiliates in their campaign to extort money from victims. In recent intrusions the affiliates gained entry by exploiting unpatched vulnerabilities in internet-facing Microsoft Exchange servers, which gave them broad access to, and control over, the organization’s sensitive information.
BlackCat (also tracked as ALPHV) is a telling example of how the “ransomware-as-a-service” (RaaS) gig economy has grown. The payload is notable for being written in Rust, an unconventional choice for malware that lets the same code base be compiled for both Windows and Linux targets. Once executed, it encrypts the victim’s data, and the affiliates then demand payment for the decryptor.
The ransomware affiliate model itself is complex, but can be summarized by the following players:
- RaaS operators: develop, maintain and lease out the ransomware payload and its supporting infrastructure
- Initial access brokers: compromise networks, maintain persistence and sell that access on
- RaaS affiliates: buy or obtain access, exfiltrate data and deploy the ransomware
Because of this division of labor, how BlackCat enters a target network varies with the affiliate deploying it. That diversity in tactics, techniques and procedures makes it difficult for organizations to detect and defend against BlackCat, since no two intrusions look alike. Attacks are already on the rise, as seen in a recent incident against the Austrian state of Carinthia, in which the gang demanded $5 million.
“The BlackCat ransomware has been associated with several RaaS affiliate groups and deployed through varying entry points and TTPs. No two BlackCat “lives” or deployments might look the same, so defenses should focus on preventing end-to-end attack chains”, Microsoft Security Intelligence tweeted.
The attack on Carinthia seriously disrupted government services such as issuing passports and processing traffic fines. The state’s press office attributed the outage to an “IT system failure” caused by a “hacker attack”. As a precaution, the state took approximately 3,700 administrative systems offline.
According to the FBI, BlackCat ransomware had encrypted the networks of at least 60 organizations worldwide by early 2022; the total number of victims remains unknown. More than 480 samples were submitted to the ID-Ransomware platform between November 2021 and June 2022. The FBI has urged administrators to share case data with their local FBI Cyber Squad as soon as they identify BlackCat activity inside their networks.
Tracking down the operators behind this ransomware is not easy, but victims usually hold evidence that helps investigators. The FBI specifically asks for IP logs showing callbacks between internal hosts and foreign IP addresses, and for any Bitcoin or Monero addresses and transaction IDs found in the ransom demand or in payment records. If you suspect an attack, preserve those logs and report the incident promptly. As cybercrime becomes more organized, quickly identifying emerging threats is essential to curbing their growth.
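The following script is an added example, not code from the original post or from Microsoft or the FBI: it collects exactly the two kinds of evidence listed above (allowed connections from internal hosts to external IP addresses, grouped by destination, plus cryptocurrency addresses and transaction IDs found in a ransom note) so they can be handed over in a report. The log format, the choice of which ranges count as "internal", the sample log lines and the ransom-note text are all constructed for the example; the addresses are syntactically valid but made up, and the destinations use RFC 5737 documentation ranges that never route anywhere.

```python
"""Triage helper: pull callback destinations out of a firewall log and
payment indicators out of a ransom note. Added example with constructed data."""
import ipaddress
import re

# Ranges treated as "inside" the organisation (assumption for the example).
# Anything outside them counts as an external callback destination.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Constructed firewall log (not real traffic): time src dst dport action.
SAMPLE_FIREWALL_LOG = """\
2022-06-13T02:14:07Z 10.0.4.22 203.0.113.45 443 ALLOW
2022-06-13T02:14:09Z 10.0.4.22 10.0.0.5 445 ALLOW
2022-06-13T02:15:31Z 10.0.4.22 203.0.113.45 443 ALLOW
2022-06-13T02:16:02Z 192.168.7.9 198.51.100.12 8443 ALLOW
2022-06-13T02:16:40Z 10.0.9.3 10.0.0.5 445 ALLOW
2022-06-13T02:17:55Z 10.0.4.22 203.0.113.45 443 ALLOW
2022-06-13T02:18:10Z 203.0.113.45 10.0.4.22 443 DENY
2022-06-13T02:19:00Z 10.0.9.3 198.51.100.12 8443 DENY
"""

# Base58 alphabet (no 0, O, I, l), used to build made-up but well-formed addresses.
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Constructed ransom-note text; nothing here is a real address or transaction.
SAMPLE_NOTE = (
    "Your files are encrypted. Pay 5 BTC to 1" + B58[:33] + "\n"
    "or 400 XMR to 4" + B58 + B58[:36] + "\n"
    "Reference txid " + "ab" * 32 + " in your message.\n"
)


def parse_log(text):
    """Parse the constructed space-separated format; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, action = parts
        try:
            records.append({"ts": ts, "src": ipaddress.ip_address(src),
                            "dst": ipaddress.ip_address(dst),
                            "port": int(port), "action": action})
        except ValueError:
            continue
    return records


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def find_external_callbacks(records):
    """Group allowed internal->external flows by destination IP.

    Denied flows and inbound traffic are ignored: the evidence wanted is the
    callbacks that actually left the network."""
    hits = {}
    for r in records:
        if r["action"] != "ALLOW" or not is_internal(r["src"]) or is_internal(r["dst"]):
            continue
        entry = hits.setdefault(str(r["dst"]), {
            "count": 0, "ports": set(), "internal_hosts": set(),
            "first_seen": r["ts"], "last_seen": r["ts"]})
        entry["count"] += 1
        entry["ports"].add(r["port"])
        entry["internal_hosts"].add(str(r["src"]))
        entry["first_seen"] = min(entry["first_seen"], r["ts"])  # ISO-8601 sorts lexically
        entry["last_seen"] = max(entry["last_seen"], r["ts"])
    return hits


# Syntactic patterns only: legacy (1/3) and bech32 (bc1) Bitcoin addresses,
# 95-character Monero addresses (4 = standard, 8 = subaddress), 64-hex tx ids.
# No checksum validation is done, so treat matches as candidates to verify.
_B, _E = r"(?<![0-9A-Za-z])", r"(?![0-9A-Za-z])"
PATTERNS = {
    "bitcoin": re.compile(_B + r"(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})" + _E),
    "monero": re.compile(_B + r"[48][1-9A-HJ-NP-Za-km-z]{94}" + _E),
    "txid": re.compile(_B + r"[0-9a-fA-F]{64}" + _E),
}


def extract_payment_indicators(text):
    """Return de-duplicated, sorted candidate addresses and transaction ids."""
    return {name: sorted(set(p.findall(text))) for name, p in PATTERNS.items()}


def build_report(log_text, note_text):
    """Both evidence types in one structure, ready to include in a report."""
    return {"callbacks": find_external_callbacks(parse_log(log_text)),
            "payment": extract_payment_indicators(note_text)}


if __name__ == "__main__":
    report = build_report(SAMPLE_FIREWALL_LOG, SAMPLE_NOTE)
    for dst, info in report["callbacks"].items():
        print(f"{dst}: {info['count']} flows from {sorted(info['internal_hosts'])} "
              f"ports={sorted(info['ports'])} {info['first_seen']}..{info['last_seen']}")
    for kind, values in report["payment"].items():
        print(kind, values)
```

Run against the constructed data it reports 203.0.113.45 (three flows from 10.0.4.22 on 443) and 198.51.100.12 (one allowed flow from 192.168.7.9), while the denied and inbound lines are left out, and it pulls one Bitcoin address, one Monero address and one transaction id from the note. The regexes deliberately accept only the address shapes, not valid checksums, so a practitioner should verify candidates before putting them in a report; real logs will also need the parser adapted to the firewall's own format.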