May 9, 2022 Tessa Mishoe
On April 19, 2022, the FBI Cyber Division released a flash bulletin on the Blackcat (also tracked as ALPHV) ransomware-for-hire operation. Reactions were mixed: some dismissed the ransomware as a minor concern, others argued for tracking its progress closely. Either way, this ransomware-for-hire has been around far longer (in internet terms) than the bulletin's timing might suggest, having been first observed in November 2021. Some of its traits are more worrying than those of its peers, but overall it poses no greater threat than comparable ransomware to organizations that can detect and contain it before data theft and encryption take hold.
One of the defining traits of Blackcat over other ransomware-for-hire is that it is written in Rust. Rust gives the operators a fast, memory-safe binary; at the time, compiled Rust malware was also less likely to match antivirus signatures and heuristics tuned to C/C++ families, and because the same code base compiles for both Windows and Linux (including VMware ESXi hosts), one family can target several platforms. Several of its developers have been associated with the Darkside/Blackmatter group, which means defenders are dealing with experienced malware operators.
Blackcat gains its initial foothold with previously compromised credentials. Once inside, it compromises Active Directory user and administrator accounts and uses Windows Task Scheduler to create malicious Group Policy Objects that push the ransomware to domain-joined hosts. Initial deployment uses PowerShell scripts together with Cobalt Strike, and the operators rely largely on built-in Windows administrative tools and Microsoft Sysinternals utilities (such as PsExec) for lateral movement, outbound connections, and disabling security features like antivirus.
After gaining access to a host, the malware records the machine's UUID (via wmic csproduct get UUID) and uses it to derive a victim-specific identifier that is embedded in the ransom note; that identifier is how the attackers tell one compromised company from another when the victim arrives at their negotiation portal. The ransomware also goes after the victim's ability to recover: it deletes Volume Shadow Copies, disables Windows recovery at boot, and on VMware ESXi hosts stops running virtual machines and deletes their snapshots, so backups and snapshots that were not archived offline are lost along with the primary data. Data is stolen before encryption begins, including data hosted by cloud providers contracted to the target.
On the extortion side, the Blackcat group has adopted several practices that have become common when dealing with victims: threatening to release data in small batches when payment is not made, listing non-payers on a public 'wall of shame' leak site, and pressuring the victim's customers and business partners to push for payment. It also uses some less common tactics, such as threatening DDoS attacks and offering discounts for fast payment, both of which play directly on a victim's initial panic. Blackcat is also known for demanding large ransoms, in the millions of dollars.
As with most ransomware-for-hire programs, Blackcat's aim is to spread fast and hit hard before the dust settles, presumably so the operators can make off with the proceeds before law enforcement and researchers catch up.
Thankfully, there are already a few key mitigations for this malware. Monitoring for known IOCs and for suspicious Server Message Block (SMB) traffic, which is how the ransomware reaches network shares and moves between hosts, is a first step toward seeing attempts against a target network in real time. Activities common to this malware (and useful for alerting) include:
More standard mitigations also apply, like the ones detailed in the FBI briefing:
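The following is an added example, not code from the original post or from any of the reports it cites, showing what alerting on these activities can look like in practice. It takes the commands that the FBI flash and the Unit 42 write-up attribute to Blackcat (host UUID discovery, shadow copy deletion, the SymlinkEvaluation and MaxMpxCt changes that prepare for SMB-based encryption of remote shares, disabling boot recovery, clearing event logs, and PsExec service installation) and runs them over a batch of process-creation events. The pipe-delimited log format, the hostnames and users, and the two-rule alert threshold are all constructed assumptions for this example; the point it makes is that any single command here can be routine administration, so the alert fires on several distinct patterns clustering on one host rather than on any one of them.

```python
import re
from collections import defaultdict

# Constructed process-creation records in a simplified "host|user|parent|command" form.
# They stand in for Sysmon Event ID 1 / Windows Security 4688 events; hostnames,
# users and the sequence are made up for this example.
SAMPLE_EVENTS = [
    "ws01|CORP\\jdoe|explorer.exe|C:\\Windows\\System32\\notepad.exe C:\\Users\\jdoe\\notes.txt",
    "ws01|CORP\\svc_backup|cmd.exe|wmic csproduct get UUID",
    "ws01|CORP\\svc_backup|cmd.exe|vssadmin.exe Delete Shadows /all /quiet",
    "ws01|CORP\\svc_backup|cmd.exe|fsutil behavior set SymlinkEvaluation R2L:1",
    "ws01|CORP\\svc_backup|cmd.exe|reg add HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f",
    "ws01|CORP\\svc_backup|cmd.exe|bcdedit /set {default} recoveryenabled No",
    "ws01|CORP\\svc_backup|cmd.exe|for /F \"tokens=*\" %1 in ('wevtutil.exe el') DO wevtutil.exe cl \"%1\"",
    "dc01|CORP\\admin|services.exe|C:\\Windows\\PSEXESVC.exe",
    "ws02|CORP\\jdoe|explorer.exe|vssadmin list shadows",
]

# Command patterns reported for Blackcat in the FBI flash and Unit 42 write-up cited
# in this post. Any one of them can be legitimate administration; the signal is
# several distinct ones on the same host.
RULES = [
    ("host_uuid_discovery", re.compile(r"\bwmic(?:\.exe)?\s+csproduct\s+get\s+uuid\b", re.I)),
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b|\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("symlink_evaluation_remote", re.compile(r"\bfsutil(?:\.exe)?\s+behavior\s+set\s+symlinkevaluation\s+r2[lr]:1\b", re.I)),
    ("smb_maxmpxct_increase", re.compile(r"\breg(?:\.exe)?\s+add\b.*lanmanserver\\parameters\b.*/v\s+maxmpxct\b", re.I)),
    ("boot_recovery_disabled", re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I)),
    ("event_log_clearing", re.compile(r"\bwevtutil(?:\.exe)?\s+cl\b", re.I)),
    ("psexec_service", re.compile(r"\bpsexesvc\.exe\b", re.I)),
]


def parse_event(line):
    """Split one constructed record into (host, user, parent, command line)."""
    host, user, parent, cmdline = line.split("|", 3)
    return host, user, parent, cmdline


def match_rules(cmdline):
    """Return the names of every rule whose pattern appears in the command line."""
    return [name for name, pattern in RULES if pattern.search(cmdline)]


def scan_events(lines):
    """Group rule hits per host: {host: {rule_name: [command lines]}}."""
    findings = defaultdict(lambda: defaultdict(list))
    for line in lines:
        host, _user, _parent, cmdline = parse_event(line)
        for rule in match_rules(cmdline):
            findings[host][rule].append(cmdline)
    return {host: dict(rules) for host, rules in findings.items()}


def hosts_to_alert(findings, min_distinct_rules=2):
    """Hosts on which at least `min_distinct_rules` different patterns fired.

    The threshold of two is an assumption for this example; tune it to the
    environment (backup and patching jobs legitimately touch shadow copies).
    """
    return sorted(h for h, rules in findings.items() if len(rules) >= min_distinct_rules)


if __name__ == "__main__":
    results = scan_events(SAMPLE_EVENTS)
    for host, rules in results.items():
        print(f"{host}: {', '.join(sorted(rules))}")
    print("alert on:", hosts_to_alert(results))
```

Run against the constructed batch, ws01 trips six distinct rules and is the only host returned by hosts_to_alert; dc01 shows a lone PsExec service install, which on a domain controller is worth a look but not an alert on its own, and ws02's vssadmin list shadows is deliberately not matched because listing, unlike deleting, is harmless. In a real deployment the same rules would run over a sliding time window per host and would add SMB-side telemetry (connections to many admin shares from one workstation) as further corroboration.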
Brief assessment by Palo Alto Unit 42 threat research
FBI Flash Briefing
Early technical reporting on Blackcat ransomware when it was first seen as Noberus
© 2017-2022 LogicHub® All Rights Reserved