The Federal Bureau of Investigation (FBI) has warned of BlackCat ransomware-as-a-service (RaaS) which it believes has compromised at least 60 entities around the world since last November.
BlackCat has been recruiting new affiliates since late 2021 and targeting organisations across multiple sectors across the world, according to Varonis Threat Labs. It has actively recruited former REvil, BlackMatter, and DarkSide operators and increased its activity since November 2021. Varonis found that it offers lucrative affiliate payouts, up to 90%, and uses a Rust-based ransomware executable. The group's leak site also named over 20 victim organisations since January 2022, although the data security firm predicted that the total number of victims was likely to be greater.
The FBI released an alert earlier this month where it found that BlackCat, also known as ALPHV or Noberus, has compromised at least 60 entities worldwide through RaaS as of March 2022. It said it’s the first ransomware group to do so successfully using Rust, a programming language that offers high performance and improved safety features.
The advisory stated that the ransomware leverages previously compromised user credentials to gain initial access to the victim’s system. Once the malware establishes access, it compromises Active Directory user and administrator accounts. The malware utilises Windows Task Scheduler to configure malicious Group Policy Objects (GPOs) to deploy ransomware.
Ransomware and Microsoft 365 for business
What you need to know about reducing ransomware risk
The initial deployment of the malware leverages PowerShell scripts, along with Cobalt Strike, and disables security features within the victim’s network. The ransomware also uses Windows administrative tools and Microsoft Sysinternals tools during compromise. BlackCat/ALPHV steals victim data before the execution of the ransomware, including from cloud providers where company or client data was stored.
“BlackCat-affiliated threat actors typically request ransom payments of several million dollars in Bitcoin and Monero but have accepted ransom payments below the initial ransom demand amount,” stated the FBI in the advisory. “Many of the developers and money launderers for BlackCat/ALPHV are linked to Darkside/Blackmatter, indicating they have extensive networks and experience with ransomware operations.”
The agency is seeking any information that can be shared, including IP logs showing callbacks from foreign IP addresses, Bitcoin, or Monero addresses. It’s also searching for transaction IDs, communications with the threat actors, the decryptor file, and a sample of an encrypted file.
The law enforcement agency doesn’t recommend paying ransoms although it understands that some organisations may do so to protect shareholders, employees, and customers. Even if an organisation pays the ransom, the FBI has urged victims to report ransomware incidents to their local FBI office. It also suggested that organisations review their domain controllers, regularly backup data offline, and implement network segmentation.
