Blackcat Ransomware

On April 19th of 2022, the FBI Cyber Division released a flash bulletin regarding the Blackcat ransomware-for-hire. This was met with mixed reactions - some found the ransomware to be of little concern, others made a case for tracking its progress. Either way, this ransomware-for-hire has been around far longer (in internet terms) than the bulletin may have some believe, having been first seen in September 2021. Some elements of the ransomware are more concerning than others in the same category, but overall, this ransomware offers no more significant concerns to companies that can avoid it before a true infection takes hold.

Malware Traits of Blackcat Ransomware

One of the defining traits of Blackcat over other ransomware-for-hire is the fact that it is written in Rust. This can provide some better reliability, and it can make subverting detection mechanisms and targeting multiple operating systems easier, as Rust is cross-platform. Many of its developers have been associated with the Darkside/Blackmatter group, which also brings about the concern of dealing with experienced malware operators.

Blackcat starts by using previously compromised credentials for an initial foothold in the network. It targets Active Directory to spread via GPO, primarily working with Windows administrative tools for spread, outside connection, and disabling security features like antivirus.

This malware, after successfully gaining access to the target machine, beacons back data on the victim machine (host UUID). This information helps attackers identify the details of the compromised company and assists in the delivery of the ransom message to the victim. The ransomware targets virtual machines and snapshots, looking to escape containers, encrypt any possible persistence, and wipe out backups that weren’t carefully archived. It also searches through data hosted by cloud providers contracted to the target.

Catch the LogicHub Monthly Security Update on the 15th of every month at 10:00am PT/ 12:00pm ET.

As far as the actual ransom process goes, Blackcat group has adopted several of the more recently common practices when interacting with victims: threats to release small batches of data upon lack of payment, showing non-payers in a public ‘wall of shame’, and using contractors and customers to gain payment from victims. However, they also use some less common tactics, like threats of DDoS and discounts for fast payment, both of which play directly on a victim’s initial panic. Blackcat is also known for requesting large ransoms in the millions.

As with most ransomware-for-hire programs, Blackcat’s aim is to spread fast and hit hard before the dust clears, probably desiring to make off with the ill-gotten gains before law enforcement and researchers catch on.

Mitigations for Blackcat Ransomware

Thankfully, there are a few key mitigations for this malware already. Monitoring for known IOCs and generally suspicious Server Message Block (SMB) traffic is a first step that helps in understanding attempts against a target network in real time. Certain activities common to this malware (that are also useful for alerting) include:

  • ‘vssadmin’ shadow copy deletions
  • Recovery mode edits using ‘bcedit.exe’
  • Propagation via ‘psexec’
  • Use of anti-forensics tools like fileshredder
  • Collecting machine UUID via WMIC commands
  • Propagation via ‘net use’ command

Of course, more standard mitigations also apply, like the ones detailed in the FBI briefing:

  • Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.
  • Regularly back up data, air gap, and password protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
  • Review Task Scheduler for unrecognized scheduled tasks. Additionally, manually review operating system defined or recognized scheduled tasks for unrecognized “actions” (for example: review the steps each scheduled task is expected to perform).
  • Review antivirus logs for indications they were unexpectedly turned off.
  • Implement network segmentation.
  • Require administrator credentials to install software.
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (e.g., hard drive, storage device, the cloud).
  • Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.
  • Use multifactor authentication where possible.
  • Regularly change passwords to network systems and accounts, and avoid reusing passwords for different accounts.
  • Implement the shortest acceptable timeframe for password changes.
  • Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
  • Install and regularly update antivirus and anti-malware software on all hosts.
eBook: The Definitive Guide to AI and Automation Powered Detection and Response

Further Reading About Blackcat Ransomware

Brief assessment by Palo Alto Unit 42 threat research

FBI Flash Briefing

Early technical reporting on Blackcat ransomware when it was first seen as Noberus


LogicHub harnesses the power of AI and automation for superior detection and response at a fraction of the cost. From small teams with security challenges, to large teams automating SOCs, LogicHub makes advanced detection and response easy and effective for everyone.

Blog

Related Posts

May 20, 2022 Willy Leichter

Automating Threat Detection: Three Case Studies

Demystifying the technology with case studies of AI security in action Many automation tools, such...

Learn More

May 17, 2022 Willy Leichter

It's Time to Put AI to Work in Security

While we’ve been talking about and imagining artificial intelligence for years, it only has...

Learn More

May 15, 2022 Tessa Mishoe

LogicHub Security RoundUp: May 2022

Hello, and welcome to the latest edition of the LogicHub Monthly Update! Each month we’ll be...

Learn More

May 9, 2022 Tessa Mishoe

Bad Luck: BlackCat Ransomware Bulletin

Blackcat Ransomware On April 19th of 2022, the FBI Cyber Division released a flash bulletin...

Learn More

May 6, 2022 Kumar Saurabh

Let Humans Be Humans and AI Be AI

LogicHub’s unique decision automation technology can build clients the ultimate security playbook...

Learn More

May 3, 2022 Kumar Saurabh

How to Build a Threat Detection Playbook In 15 Minutes or Less

Automating a threat-hunting playbook with the help of AI Many threat-hunting playbooks we build for...

Learn More

April 29, 2022 Tessa Mishoe

Integrating Better: What Can Integrations Do For Me?

Introduction Within the realm of security, there are many different toolsets and opinions on what...

Learn More

April 27, 2022 Willy Leichter

Beyond No-Code: Using AI for Guided Security Automation

SOAR Playbooks Outside of football, the term “playbook” is well understood by a relatively small...

Learn More

April 21, 2022 Willy Leichter

Goodbye Lonely SIEM, Hello MDR

When updating your systems from a pure Security Information Event Management (SIEM), choosing the...

Learn More

April 15, 2022 Tessa Mishoe

LogicHub Security Roundup: April 2022

Hello, and welcome to the latest edition of the LogicHub Monthly Update! Each month we’ll be...

Learn More