One of the traits that sets BlackCat apart from other ransomware-as-a-service offerings is that it is written in Rust. Rust is a compiled, memory-safe language that cross-compiles cleanly, so a single code base can produce reliable payloads for Windows and Linux/ESXi hosts, and Rust binaries are still unfamiliar enough to many analysts and signature sets that they tend to evade detection longer than the usual C/C++ or .NET loaders. Many of its developers have been linked to the DarkSide/BlackMatter group, so defenders should assume they are dealing with experienced malware operators rather than newcomers.
BlackCat operators gain their initial foothold with previously compromised credentials. From there they compromise Active Directory user and administrator accounts and push the ransomware to domain-joined hosts through malicious Group Policy Objects, relying mostly on built-in Windows administrative tools and PowerShell for lateral movement, outbound command-and-control traffic, and disabling security controls such as antivirus.
Once it is running on a target machine, the malware collects identifying data about the host (its UUID) and reports it back to the operators; this lets the affiliates confirm which company they have compromised and tailor the ransom note delivered to the victim. Before and during encryption it goes after the things a victim would otherwise use to recover: it stops running virtual machines and deletes their snapshots, deletes Volume Shadow Copies and disables local recovery options, and encrypts everything it can reach, so any backup that was not kept offline and out of its reach is lost along with the live data. It also exfiltrates data the victim has hosted with its contracted cloud providers.
When it comes to extortion, the BlackCat group has adopted several tactics that have become common among ransomware crews: threatening to publish stolen data in small batches if payment is late, listing non-payers on a public leak site (a "wall of shame"), and contacting the victim's customers and contractors to add pressure for payment. It also uses some less common tactics, such as threatening DDoS attacks and offering discounts for fast payment, both designed to exploit a victim's initial panic. BlackCat is also known for ransom demands running into the millions of dollars.
As with most ransomware-as-a-service operations, BlackCat aims to spread fast and hit hard before the dust settles, most likely so the affiliates can cash out before law enforcement and researchers catch up.
Review domain controllers, servers, workstations, and Active Directory for new or unrecognized user accounts.
Regularly back up data, and keep backup copies offline, air-gapped, and password protected. Ensure copies of critical data cannot be modified or deleted from the system where the data resides.
Review Task Scheduler for unrecognized scheduled tasks. Additionally, manually review operating-system-defined or otherwise recognized scheduled tasks for unrecognized actions (that is, check the steps each scheduled task is expected to perform), since a familiar task name can be repurposed to run attacker commands.
Review antivirus logs for indications that protection was unexpectedly turned off.
Implement network segmentation.
Require administrator credentials to install software.
Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (e.g., hard drive, storage device, the cloud).
Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.
Use multifactor authentication where possible.
Regularly change passwords for network systems and accounts, and avoid reusing passwords across accounts; in particular, reset any credential suspected of having been exposed, since previously compromised credentials are BlackCat's initial foothold.
Implement the shortest acceptable timeframe for password changes. Note that current NIST guidance (SP 800-63B) advises against forced periodic rotation of user passwords in favor of long, unique passwords, multifactor authentication, and rotation on evidence of compromise, so weigh this item against that guidance.
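The techniques described earlier (ransomware deployment through scheduled tasks and GPO, disabling antivirus, deleting shadow copies and snapshots) map directly onto the first four review items in this list. The following is an added example, not code from the article or from any BlackCat-related source: a small Python triage routine that applies those review items to a batch of exported Windows event records. The event IDs are real Windows ones (Security 4720 new account, 4698 scheduled task created, 4688 process created, Defender Operational 5001 real-time protection disabled), but the sample records, host names, user names, task paths, and the allowlist of expected task executables are all constructed for illustration.

```python
"""Triage exported Windows event records for the activity described in this article.

Added example, not code from the article or from any BlackCat-related source.
All records below are constructed; in practice they would come from Get-WinEvent
or an EDR export normalised to the same (channel, event id, host, data) shape.
"""
import re
from dataclasses import dataclass
from xml.etree import ElementTree as ET

# Hypothetical allowlist of executables that scheduled tasks in this environment
# are expected to run. Any other task action is surfaced for manual review.
KNOWN_TASK_EXECUTABLES = {
    r"c:\windows\system32\defrag.exe",
    r"c:\program files\windows defender\mpcmdrun.exe",
}

# Command lines widely documented in ransomware playbooks (BlackCat's included)
# for destroying local recovery points or switching off Defender.
RECOVERY_TAMPERING = [
    (re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows", re.I), "shadow copies deleted (vssadmin)"),
    (re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete", re.I), "shadow copies deleted (wmic)"),
    (re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no", re.I), "Windows recovery disabled (bcdedit)"),
    (re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog", re.I), "backup catalog deleted (wbadmin)"),
    (re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", re.I),
     "Defender real-time protection disabled (PowerShell)"),
]


@dataclass
class Event:
    channel: str   # "Security" or "Microsoft-Windows-Windows Defender/Operational"
    event_id: int  # 4720 new account, 4698 task created, 4688 process created, 5001 RTP off
    computer: str
    data: dict     # EventData fields, name -> string


@dataclass(frozen=True)
class Finding:
    computer: str
    check: str
    detail: str


def task_action(task_xml: str):
    """Return (command, arguments) of the first <Exec> action in a 4698 TaskContent blob."""
    root = ET.fromstring(task_xml)
    ns = root.tag.split("}")[0] + "}" if root.tag.startswith("{") else ""

    def text(node):
        return (node.text or "").strip() if node is not None else ""

    return text(root.find(f".//{ns}Exec/{ns}Command")), text(root.find(f".//{ns}Exec/{ns}Arguments"))


def triage(events):
    """Apply the review items from the mitigation list to a batch of events."""
    findings = []
    for ev in events:
        if ev.channel == "Security" and ev.event_id == 4720:
            findings.append(Finding(ev.computer, "new user account",
                f"{ev.data['TargetUserName']} created by {ev.data['SubjectUserName']}"))
        elif ev.channel == "Security" and ev.event_id == 4698:
            cmd, args = task_action(ev.data["TaskContent"])
            if cmd.lower() not in KNOWN_TASK_EXECUTABLES:  # known name, unknown action is still flagged
                findings.append(Finding(ev.computer, "unrecognized scheduled task action",
                    f"{ev.data['TaskName']} runs {cmd} {args}".rstrip()))
        elif ev.channel == "Security" and ev.event_id == 4688:
            cmdline = ev.data.get("CommandLine", "")
            for pattern, label in RECOVERY_TAMPERING:
                if pattern.search(cmdline):
                    findings.append(Finding(ev.computer, label, cmdline))
        elif ev.channel.endswith("Windows Defender/Operational") and ev.event_id == 5001:
            findings.append(Finding(ev.computer, "Defender real-time protection disabled (event 5001)",
                "real-time protection turned off"))
    return findings


def make_task_xml(command, arguments=""):
    """Minimal stand-in for the TaskContent XML that Windows writes into event 4698."""
    return ('<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
            f'<Actions Context="Author"><Exec><Command>{command}</Command>'
            f'<Arguments>{arguments}</Arguments></Exec></Actions></Task>')


SAMPLE_EVENTS = [  # constructed records; host names, users and paths are invented
    Event("Security", 4720, "DC01", {"TargetUserName": "svc_backup2", "SubjectUserName": "admin.jdoe"}),
    Event("Security", 4698, "WS-042", {"TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
          "TaskContent": make_task_xml(r"C:\Windows\System32\defrag.exe", "-c -h -k -g")}),
    Event("Security", 4698, "WS-042", {"TaskName": r"\Update",
          "TaskContent": make_task_xml(r"C:\Windows\System32\cmd.exe", r"/c \\DC01\netlogon\deploy.bat")}),
    Event("Security", 4688, "FS01", {"NewProcessName": r"C:\Windows\System32\vssadmin.exe",
          "CommandLine": "vssadmin.exe delete shadows /all /quiet"}),
    Event("Security", 4688, "FS01", {"NewProcessName": r"C:\Windows\System32\bcdedit.exe",
          "CommandLine": "bcdedit /set {default} recoveryenabled no"}),
    Event("Security", 4688, "FS01", {"NewProcessName": r"C:\Windows\System32\svchost.exe",
          "CommandLine": "svchost.exe -k netsvcs -p"}),
    Event("Microsoft-Windows-Windows Defender/Operational", 5001, "FS01", {}),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.computer:8} {f.check:52} {f.detail}")
```

The 4688 checks only work if process command-line auditing is enabled (Audit Process Creation plus the "Include command line in process creation events" policy); without it the CommandLine field is empty and the recovery-tampering patterns never fire. The scheduled-task check deliberately compares the task's action, not its name, so a legitimate-looking task path that has been repointed at cmd.exe is still flagged.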