The BlackCat ransomware gang, known for being the first to use ransomware written in the Rust programming language, has compromised at least 60 organizations worldwide since March 2022, the Federal Bureau of Investigation (FBI) says in a new alert.
BlackCat, which also goes by the name ALPHV, is a relatively new ransomware-as-a-service gang that security researchers believe is related to the more established BlackMatter (aka Darkside) ransomware gang that hit US fuel distributor Colonial Pipeline last May.
BlackCat appeared in November 2021 and was created by compromise experts or 'access brokers' that have sold access to multiple RaaS groups, including BlackMatter, according to Cisco's Talos researchers.
While much of the group's efforts have been focused on hitting several European critical infrastructure firms, Cisco notes in a March report that more than 30% of BlackCat compromises have targeted US firms.
"As of March 2022, BlackCat/ALPHV ransomware as a service (RaaS) had compromised at least 60 entities worldwide and is the first ransomware group to do so successfully using Rust, considered to be a more secure programming language that offers improved performance and reliable concurrent processing," the FBI says in its alert detailing BlackCat/ALPHV indicators of compromise.
"BlackCat-affiliated threat actors typically request ransom payments of several million dollars in Bitcoin and Monero but have accepted ransom payments below the initial ransom demand amount. Many of the developers and money launderers for BlackCat/ALPHV are linked to Darkside/BlackMatter, indicating they have extensive networks and experience with ransomware operations," it continues.
The BlackCat gang uses previously compromised user credentials to gain initial access to the victim's system. The group then compromises Microsoft Active Directory user and administrator accounts and uses the Windows Task Scheduler to configure Group Policy Objects to deploy the ransomware.
BlackCat also uses legitimate Windows tools – such as Microsoft Sysinternals, as well as PowerShell scripts – to disable security features in anti-malware tools, launch ransomware executables including on MySQL databases, and copy ransomware to other locations on a network.
The group practices double extortion by stealing data prior to encrypting it in order to threaten victims with a leak in the event they don't pay a ransom demand.
Cisco said it was unlikely the BlackCat gang or affiliates were using an Exchange flaw. However, Trend Micro researchers last week claimed to have identified BlackCat exploiting the Exchange bug CVE-2021-31207 during an investigation. That was one of the ProxyShell Exchange bugs discovered in mid-2021.
BlackCat has versions that work on Windows and Linux, as well as VMware's ESXi environment, notes Trend Micro.
"In this incident, we identified the exploitation of CVE-2021-31207. This vulnerability abuses the New-MailboxExportRequest PowerShell command to export the user mailbox to an arbitrary file location, which could be used to write a web shell on the Exchange Server," the firm said.
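The abuse Trend Micro describes leaves traces an Exchange administrator can look for: export requests whose target is not a .pst under the sanctioned share, audit-log entries for the cmdlet, and recently written .aspx files in the front-end web directories. The script below is an added example, not code from Trend Micro, the FBI or Microsoft; it assumes an on-premises Exchange Management Shell session, and the `$approvedShare` value, the 30-day window and the `Test-ExportPath` helper are placeholders and assumptions of this example.

```powershell
# Added example (not from the article's sources): audit mailbox export activity on an
# on-premises Exchange server. Run in the Exchange Management Shell as an admin.
# $approvedShare and the lookback window are placeholders/assumptions.
$approvedShare = '\\FILESERVER01\PSTExports\'   # placeholder: your sanctioned export share
$since = (Get-Date).AddDays(-30)

function Test-ExportPath([string]$Path) {
    # $true when the export target is outside the approved share or is not a .pst file.
    if ([string]::IsNullOrEmpty($Path)) { return $false }
    return ($Path -notlike "$approvedShare*") -or ($Path -notmatch '\.pst$')
}

# 1. Export requests still present on the server. Requests can be removed after use,
#    so an empty result is not a clean bill of health; the audit log below is the
#    more durable record.
Get-MailboxExportRequest -ResultSize Unlimited |
    Get-MailboxExportRequestStatistics |
    Where-Object { Test-ExportPath $_.FilePath } |
    Select-Object Name, Status, SourceAlias, FilePath, QueuedTimestamp |
    Format-Table -AutoSize

# 2. Admin audit log: who invoked New-MailboxExportRequest, on which mailbox, with what FilePath.
Search-AdminAuditLog -Cmdlets New-MailboxExportRequest -StartDate $since -ResultSize 5000 |
    ForEach-Object {
        $fp = ($_.CmdletParameters | Where-Object Name -eq 'FilePath').Value
        [pscustomobject]@{
            RunDate  = $_.RunDate
            Caller   = $_.Caller
            Mailbox  = $_.ObjectModified
            FilePath = $fp
            Flag     = Test-ExportPath $fp
        }
    } |
    Sort-Object Flag -Descending | Format-Table -AutoSize

# 3. Recently written .aspx files under the IIS front-end directories, where an export
#    aimed at the web root would land. ExchangeInstallPath is set on Exchange servers
#    (assumption of this example that it is present in the current session).
$webRoot = Join-Path $env:ExchangeInstallPath 'FrontEnd\HttpProxy'
Get-ChildItem -Path $webRoot -Recurse -Filter *.aspx -ErrorAction SilentlyContinue |
    Where-Object LastWriteTime -ge $since |
    Select-Object FullName, LastWriteTime, Length |
    Format-Table -AutoSize
```

Rows flagged in step 2 and any step 3 hit that does not correspond to a known deployment or patch should be treated as an incident lead rather than cleaned up in place, since the file contents and timestamps are evidence. Patching the ProxyShell bugs removes the entry point but does not remove a shell that has already been written.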
The Cybersecurity and Infrastructure Security Agency is urging organizations to review the FBI's alert.
The FBI is seeking information from the public about BlackCat compromises. It wants "any information that can be shared, to include IP logs showing callbacks from foreign IP addresses, Bitcoin or Monero addresses and transaction IDs, communications with the threat actors, the decryptor file, and/or a benign sample of an encrypted file."
As Windows Task Scheduler is commonly used by attackers to hide malicious activity within seemingly normal admin tasks, the FBI recommends organizations review Task Scheduler for unrecognized scheduled tasks, as well as check domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.
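The FBI's review of scheduled tasks and accounts can be scripted so it is repeatable across domain controllers, servers and workstations. The script below is an added example, not part of the FBI alert; it assumes an elevated PowerShell session on a domain-joined Windows host, uses the ActiveDirectory and GroupPolicy modules only if they are installed, and the 30-day window, the exclusion of the built-in `\Microsoft\` task folder and the patterns used to flag a task are assumptions of this example. It also covers the GPO modification check that the article's description of BlackCat's Task Scheduler and Group Policy use suggests.

```powershell
# Added example (not from the FBI alert): triage scheduled tasks, recent Security log
# events, local and domain account creation, and GPO changes on a Windows host.
# Assumes an elevated session; RSAT modules are optional. Window and patterns are assumptions.
param([int]$LookbackDays = 30)
$since = (Get-Date).AddDays(-$LookbackDays)

# 1. Scheduled tasks outside the built-in \Microsoft\ folder, one row per action.
$taskRows = foreach ($t in (Get-ScheduledTask | Where-Object TaskPath -notlike '\Microsoft\*')) {
    $info = $t | Get-ScheduledTaskInfo
    foreach ($a in $t.Actions) {
        $exe     = [string]$a.Execute      # empty for non-exec (COM/email) actions
        $argText = [string]$a.Arguments
        [pscustomobject]@{
            Task      = $t.TaskPath + $t.TaskName
            Author    = $t.Author
            RunAs     = $t.Principal.UserId
            Execute   = $exe
            Arguments = $argText
            LastRun   = $info.LastRunTime
            # Script interpreters, and encoded/hidden/no-profile flags, deserve a closer look.
            Flag      = ($exe -match 'powershell|pwsh|cmd\.exe|mshta|wscript|cscript|rundll32') -or
                        ($argText -match '-e(nc|ncodedcommand)?\b|-w(indowstyle)?\s+hidden|-nop\b')
        }
    }
}
$taskRows | Sort-Object Flag -Descending | Format-Table -AutoSize

# 2. Security log: task creation (4698) and user account creation (4720) in the window.
#    4698 only appears when "Audit Other Object Access Events" is enabled.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698, 4720; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

# 3. Local accounts: no creation timestamp is exposed, so PasswordLastSet is the proxy.
Get-LocalUser | Where-Object { $_.Enabled -and $_.PasswordLastSet -ge $since } |
    Select-Object Name, PasswordLastSet, LastLogon |
    Format-Table -AutoSize

# 4. Domain accounts created in the window, with their group memberships.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    Get-ADUser -Filter 'whenCreated -ge $since' -Properties whenCreated, MemberOf |
        Select-Object SamAccountName, whenCreated,
            @{ n = 'Groups'; e = { ($_.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ';' } } |
        Format-Table -AutoSize
}

# 5. Group Policy Objects modified in the window (the deployment channel the article describes).
if (Get-Module -ListAvailable -Name GroupPolicy) {
    Import-Module GroupPolicy
    Get-GPO -All | Where-Object ModificationTime -ge $since |
        Select-Object DisplayName, ModificationTime, Owner |
        Format-Table -AutoSize
}
```

Run it with `-LookbackDays` set to cover the suspected intrusion window, and compare the flagged tasks and new accounts against change records rather than against what "looks normal", since the point of the FBI's warning is that the attacker's tasks are designed to look like routine administration.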