Blackcat Ransomware

On April 19th of 2022, the FBI Cyber Division released a flash bulletin regarding the Blackcat ransomware-for-hire. This was met with mixed reactions: some found the ransomware to be of little concern, others made a case for tracking its progress. Either way, this ransomware-for-hire has been around far longer (in internet terms) than the bulletin may lead some to believe, having been first seen in September 2021. Some elements of the ransomware are more concerning than those of others in the same category, but overall, it poses no greater risk than its peers to companies that can stop it before a true infection takes hold.

Malware Traits of Blackcat Ransomware

One of the defining traits of Blackcat over other ransomware-for-hire is that it is written in Rust. This can provide better reliability, and because Rust is cross-platform it makes subverting detection mechanisms and targeting multiple operating systems easier. Many of its developers have been associated with the Darkside/Blackmatter group, which raises the additional concern of dealing with experienced malware operators.

Blackcat starts by using previously compromised credentials to gain an initial foothold in the network. It targets Active Directory to spread via GPO, relying primarily on native Windows administrative tools for propagation, outbound connections, and disabling security features like antivirus.

After gaining access to a target machine, the malware beacons back data about the victim host (its UUID). This information helps attackers identify the compromised company and assists in delivering the ransom message to the victim. The ransomware targets virtual machines and snapshots, looking to escape containers, encrypt any possible persistence, and wipe out backups that weren’t carefully archived. It also searches through data hosted by cloud providers contracted to the target.


As far as the actual ransom process goes, the Blackcat group has adopted several of the more recently common practices when interacting with victims: threats to release small batches of data upon lack of payment, listing non-payers on a public ‘wall of shame’, and pressuring victims’ contractors and customers to drive payment. However, they also use some less common tactics, like threats of DDoS and discounts for fast payment, both of which play directly on a victim’s initial panic. Blackcat is also known for requesting large ransoms in the millions.

As with most ransomware-for-hire programs, Blackcat’s aim is to spread fast and hit hard before the dust clears, presumably aiming to make off with the ill-gotten gains before law enforcement and researchers catch on.

Mitigations for Blackcat Ransomware

Thankfully, there are already a few key mitigations for this malware. Monitoring for known IOCs and for generally suspicious Server Message Block (SMB) traffic is a first step that helps in understanding attempts against a target network in real time. Certain activities common to this malware (which are also useful for alerting) include:

  • ‘vssadmin’ shadow copy deletions
  • Recovery mode edits using ‘bcdedit.exe’
  • Propagation via ‘psexec’
  • Use of anti-forensics tools like fileshredder
  • Collecting machine UUID via WMIC commands
  • Propagation via ‘net use’ command
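The six behaviours above map directly onto process-creation telemetry. As an added example that is not part of the original post or the FBI bulletin, the following Python turns each bullet into a command-line pattern and runs it over a constructed 4688-style log; the host names, paths, timestamps and the simplified key=value log format are all assumptions made for the example.

```python
import re

# Constructed process-creation log lines (Windows 4688 / Sysmon-style, simplified
# key=value form). Hosts, paths and timestamps are made up for this example.
SAMPLE_LOG = """\
2022-04-20T03:14:01Z host=ws01 event_id=4688 cmd="C:\\Windows\\System32\\cmd.exe /c dir"
2022-04-20T03:14:07Z host=ws01 event_id=4688 cmd="vssadmin.exe delete shadows /all /quiet"
2022-04-20T03:14:09Z host=ws01 event_id=4688 cmd="bcdedit.exe /set {default} recoveryenabled No"
2022-04-20T03:15:22Z host=srv02 event_id=4688 cmd="psexec.exe \\\\ws03 -s cmd.exe"
2022-04-20T03:15:40Z host=ws01 event_id=4688 cmd="wmic csproduct get UUID"
2022-04-20T03:16:03Z host=srv02 event_id=4688 cmd="net use \\\\fs01\\c$ /user:corp\\svc"
2022-04-20T03:16:10Z host=ws04 event_id=4688 cmd="notepad.exe readme.txt"
"""

LINE_RE = re.compile(r'host=(?P<host>\S+)\s+event_id=\d+\s+cmd="(?P<cmd>[^"]*)"')

# One rule per behaviour in the list above; matched case-insensitively against
# the full command line so "vssadmin.exe" and "VSSADMIN" both hit.
RULES = [
    ("shadow_copy_deletion", r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b"),
    ("recovery_mode_edit",   r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b"),
    ("psexec_propagation",   r"\bpsexe(c|svc)(\.exe)?\b"),
    ("anti_forensics_tool",  r"fileshredder"),
    ("uuid_collection",      r"\bwmic(\.exe)?\b.*\bcsproduct\b.*\buuid\b"),
    ("net_use_propagation",  r"\bnet1?(\.exe)?\s+use\b"),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in RULES]

def parse_log(text):
    """Extract (host, command_line) pairs; lines that do not parse are skipped."""
    return [(m["host"], m["cmd"]) for m in map(LINE_RE.search, text.splitlines()) if m]

def match_rules(cmd):
    """Names of every rule whose pattern matches this command line."""
    return [name for name, pat in COMPILED if pat.search(cmd)]

def scan(text):
    """All (host, rule, command_line) hits across the log."""
    return [(host, rule, cmd) for host, cmd in parse_log(text) for rule in match_rules(cmd)]

def hosts_with_multiple(text, minimum=2):
    """Hosts on which at least `minimum` distinct behaviours fired. Shadow-copy
    deletion plus a recovery edit on one box is a far stronger ransomware signal
    than either event alone, so this is the view worth paging on."""
    per_host = {}
    for host, rule, _ in scan(text):
        per_host.setdefault(host, set()).add(rule)
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= minimum}
```

Single-rule hits are noisy on their own (administrators do run vssadmin and net use), so the per-host correlation is the level at which an alert should fire.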

Of course, more standard mitigations also apply, like the ones detailed in the FBI briefing:

  • Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.
  • Regularly back up data, air gap, and password protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
  • Review Task Scheduler for unrecognized scheduled tasks. Additionally, manually review operating system defined or recognized scheduled tasks for unrecognized “actions” (for example: review the steps each scheduled task is expected to perform).
  • Review antivirus logs for indications they were unexpectedly turned off.
  • Implement network segmentation.
  • Require administrator credentials to install software.
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (e.g., hard drive, storage device, the cloud).
  • Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.
  • Use multifactor authentication where possible.
  • Regularly change passwords to network systems and accounts, and avoid reusing passwords for different accounts.
  • Implement the shortest acceptable timeframe for password changes.
  • Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
  • Install and regularly update antivirus and anti-malware software on all hosts.

Further Reading About Blackcat Ransomware

Brief assessment by Palo Alto Unit 42 threat research

FBI Flash Briefing

Early technical reporting on Blackcat ransomware when it was first seen as Noberus
