
FBI Warns of BlackCat Ransomware That Breached Over 60 Organisations Worldwide


The U.S. Federal Bureau of Investigation (FBI) is sounding the
alarm on the BlackCat ransomware-as-a-service (RaaS) operation, which it said
had victimized at least 60 entities worldwide as of March 2022,
since its emergence in November 2021.

Also called ALPHV and Noberus[1], the ransomware is
notable for being the first ransomware family written in the Rust
programming language, which offers memory safety and
improved performance over the C and C++ toolchains most ransomware is built with.


“Many of the developers and money launderers for BlackCat/ALPHV
are linked to DarkSide[2]/BlackMatter[3], indicating they have
extensive networks and experience with ransomware operations,” the
FBI said in an advisory[4]
published last week.

The disclosure comes weeks after twin reports from Cisco Talos[5]
and Kaspersky[6]
uncovered links between the BlackCat and BlackMatter ransomware
families, including the use of a modified version of a data
exfiltration tool dubbed Fendr that had previously been observed only
in BlackMatter-related activity.

“Aside from the developing advantages Rust offers, the attackers
also take advantage of a lower detection ratio from static analysis
tools, which aren’t usually adapted to all programming languages,”
AT&T Alien Labs pointed out[7]
earlier this year.

Like other RaaS groups, BlackCat's modus operandi involves the
theft of victim data prior to execution of the ransomware (double extortion), with
the operators often leveraging previously compromised user credentials to gain
initial access to the target environment.


In a BlackCat ransomware incident analyzed[8]
by Forescout’s Vedere Labs, an internet-exposed SonicWall firewall
was penetrated to gain initial access to the network, before moving
to and encrypting a VMware ESXi virtual farm. The ransomware
deployment is said to have taken place on March 17, 2022.

The law enforcement agency, besides recommending that victims
promptly report ransomware incidents, also said it does not
encourage paying ransoms, as there is no guarantee that payment will
enable recovery of the encrypted files. But it did acknowledge that
victims may feel compelled to heed such demands to protect
shareholders, employees, and customers.

As mitigations, the FBI is urging organizations to review
domain controllers, servers, workstations, and Active Directory
for new or unrecognized user accounts; keep offline backups;
implement network segmentation; apply software updates promptly; and secure
accounts with multi-factor authentication.
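The first of those recommendations, reviewing domain controllers and hosts for accounts that should not exist, is easy to state and tedious to do by hand. The following Python script is an added example (not code from the FBI advisory or from this article) that triages an exported Windows Security log for the pattern an intruder leaves when staging a takeover: a user account created (Event ID 4720) that is not on an approved list, followed by that account being added to a privileged group (Event IDs 4728 and 4732). The event IDs are real Windows values; the JSON-lines layout, field names, host names, account names and timestamps in SAMPLE_EXPORT are constructed for the example and stand in for whatever your SIEM or wevtutil export actually produces.

```python
import json
from datetime import datetime, timedelta, timezone

# Windows Security log event IDs used below (the IDs themselves are real Windows values)
ACCOUNT_CREATED = 4720          # A user account was created
ADDED_TO_GLOBAL_GROUP = 4728    # A member was added to a security-enabled global group
ADDED_TO_LOCAL_GROUP = 4732     # A member was added to a security-enabled local group
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

# Constructed sample export in JSON-lines form. The field names (time, event_id,
# computer, subject, target, group) are an assumption standing in for whatever your
# SIEM or wevtutil export emits; adapt parse_export() once to your real schema.
SAMPLE_EXPORT = """\
{"time": "2022-03-14T09:10:00Z", "event_id": 4720, "computer": "DC01", "subject": "jsmith", "target": "svc_backup2", "group": null}
{"time": "2022-03-15T02:14:07Z", "event_id": 4720, "computer": "DC01", "subject": "padmin", "target": "support1", "group": null}
{"time": "2022-03-15T02:15:31Z", "event_id": 4728, "computer": "DC01", "subject": "padmin", "target": "support1", "group": "Domain Admins"}
{"time": "2022-03-16T11:02:45Z", "event_id": 4732, "computer": "ESX-MGMT01", "subject": "padmin", "target": "support1", "group": "Administrators"}
{"time": "2022-03-16T13:00:00Z", "event_id": 4624, "computer": "WS042", "subject": "-", "target": "alice", "group": null}
{"time": "2022-02-01T08:00:00Z", "event_id": 4720, "computer": "DC01", "subject": "hr_admin", "target": "newhire7", "group": null}
"""


def parse_iso(ts):
    """Parse an ISO-8601 timestamp into an aware datetime, accepting a trailing 'Z'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def parse_export(text):
    """Turn the JSON-lines export into a list of dicts with aware datetimes."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["time"] = parse_iso(rec["time"])
        records.append(rec)
    return records


def review_accounts(records, known_accounts, now, lookback=timedelta(days=30)):
    """Flag (a) accounts created inside the lookback window that are not on the
    approved list and (b) any account added to a privileged group in that window.
    Findings are returned in chronological order."""
    cutoff = now - lookback
    findings = []
    for rec in sorted(records, key=lambda r: r["time"]):
        if rec["time"] < cutoff:
            continue  # older than the review window; not part of this triage
        if rec["event_id"] == ACCOUNT_CREATED and rec["target"] not in known_accounts:
            kind = "unrecognized_account_created"
        elif rec["event_id"] in (ADDED_TO_GLOBAL_GROUP, ADDED_TO_LOCAL_GROUP) \
                and rec.get("group") in PRIVILEGED_GROUPS:
            kind = "privileged_group_addition"
        else:
            continue  # logons and other noise are ignored here
        findings.append({"kind": kind, "account": rec["target"], "by": rec["subject"],
                         "host": rec["computer"], "group": rec.get("group"),
                         "time": rec["time"].isoformat()})
    return findings


def high_priority(findings):
    """Accounts that were both created unrecognized and then granted privilege:
    the combination to investigate first."""
    created = {f["account"] for f in findings if f["kind"] == "unrecognized_account_created"}
    elevated = {f["account"] for f in findings if f["kind"] == "privileged_group_addition"}
    return created & elevated


def review_export(text, known_accounts, now_iso, lookback_days=30):
    """Convenience wrapper: parse, review, and return (findings, high-priority accounts)."""
    findings = review_accounts(parse_export(text), set(known_accounts),
                               parse_iso(now_iso), timedelta(days=lookback_days))
    return findings, high_priority(findings)


if __name__ == "__main__":
    # 2022-03-17 is the deployment date from the Forescout case; the rest is constructed
    findings, urgent = review_export(SAMPLE_EXPORT, {"svc_backup2", "newhire7"},
                                     "2022-03-17T00:00:00Z")
    for f in findings:
        print(f"{f['time']}  {f['kind']:<30} {f['account']:<12} by {f['by']} on {f['host']}")
    print("investigate first:", sorted(urgent))
```

The approved-account list is the part that needs care: feed it from the HR or provisioning system, not from Active Directory itself, since an attacker who can create accounts can also make them look established. Run the same review against the local Administrators groups on hypervisor management hosts, not just the domain controllers, because the ESXi path described above does not need a domain account at all.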

References

  1. Noberus (symantec-enterprise-blogs.security.com)
  2. DarkSide (thehackernews.com)
  3. BlackMatter (thehackernews.com)
  4. advisory (www.cisa.gov)
  5. Cisco Talos (thehackernews.com)
  6. Kaspersky (thehackernews.com)
  7. pointed out (cybersecurity.att.com)
  8. analyzed (www.forescout.com)
