Our focus on a series of high profile ransomware attacks continues with today’s post on the impact and threats from BlackCat. Along with JanelaRAT and Lockbit 3.0, BlackCat, which was first observed in November 2021, remains one of the most devastating ransomware strains active today. Let’s examine why BlackCat does so much damage, and how ECI is helping clients stay ahead of this threat with advanced threat hunting and cybersecurity protections.
BlackCat is a Dangerous and Persistent Threat.
Nearly two years after it first appeared, BlackCat, also known as ALPHV, continues to wreak havoc by utilizing compromised user credentials obtained from previous breaches to gain initial access to a victim's system. Once the ransomware establishes a foothold, it compromises Active Directory user and administrator accounts while using PowerShell scripts combined with Cobalt Strike to disable security features within the victim's network. BlackCat/ALPHV then leverages the Windows Task Scheduler to set up malicious Group Policy Objects (GPOs) to deploy the ransomware.
Before executing the ransomware, BlackCat/ALPHV steals data from the victim, including information stored in cloud providers adjacent to where company or client data is hosted. Throughout, the ransomware is designed to persist on the infected system by creating registry entries and scheduled tasks, allowing BlackCat/ALPHV to maintain control of the system even after a reboot. Victims are left to ponder a ransomware note informing them that important files on their system have been encrypted and now carry the extension "${EXTENSION}."
Making matters worse, the ransom note also reveals that sensitive data from the victim's system has been downloaded and will be made public if they refuse to cooperate. This may include personal information of employees, such as CVs, driver's licenses and Social Security Numbers. Financial sector organizations are especially rich targets for BlackCat/ALPHV, since their sensitive data may also include confidential information on financial transactions, market trades and proprietary assets or operations.
Modern Defenses for a Modern Ransomware Threat
ECI’s threat hunters have closely scrutinized BlackCat/ALPHV ransomware and identified several critical Indicators of Compromise (IOCs) that can significantly contribute to the detection and mitigation of the malicious threat. Significantly, BlackCat/ALPHV is written in the Rust coding language to deploy its payload, which helps the ransomware evade detection by conventional security solutions that might not have the ability to analyze and parse binaries written in this relatively modern language.
Against this backdrop, ECI is helping clients mount a robust, multi-pronged defense effort to counter the sophisticated threat BlackCat/ALPHV poses. These include keeping client operating systems and software up-to-date with the latest security patches to prevent vulnerabilities that may be exploited by BlackCat/ALPHV ransomware; bolstering firewalls to block unauthorized network access and lateral movement; and administering both technology and people-focused security policies and procedures to minimize ransomware exposure.
Finally, given that many of our clients use Microsoft technology, ECI is using our advanced expertise as a Microsoft Gold Partner to assist clients that use Microsoft 365 Defender in tailoring this comprehensive solution specifically to the organization and its threat profile. This is essential to help detect and block attacks and their follow-on activities stemming from BlackCat/ALPHV’s use of Windows scripting techniques, Windows administrative tools and Microsoft Sysinternals tools during the compromise process.
Taken together, ECI’s collective efforts are helping financial sector clients guard against BlackCat/ALPHV as one of most devastating and persistent forms of ransomware today.
