Unpatched Exchange server, stolen RDP logins... How miscreants get BlackCat ransomware on your network
Microsoft details this ransomware-as-a-service
Two of the more prolific cybercriminal groups, which in the past have deployed such high-profile ransomware families as Conti, Ryuk, REvil and Hive, have started adopting the BlackCat ransomware-as-a-service (RaaS) offering.
The use of the modern Rust programming language to stabilize and port the code, the variable nature of RaaS, and growing adoption by affiliate groups all increase the chances that organizations will run into BlackCat – and have difficulty detecting it – according to researchers with the Microsoft 365 Defender Threat Intelligence Team.
In an advisory this week, Microsoft researchers noted the myriad capabilities of BlackCat, but added that the outcome is always the same: the ransomware is deployed, files are stolen and encrypted, and victims are told to either pay the ransom or risk seeing their sensitive data leaked.
"The RaaS affiliate model consists of multiple players: access brokers, who compromise networks and maintain persistence; RaaS operators, who develop tools; and RaaS affiliates, who perform other activities like moving laterally across the network and exfiltrating data before ultimately launching the ransomware payload," the researchers wrote. "Thus, as a RaaS payload, how BlackCat enters a target organization's network varies, depending on the RaaS affiliate that deploys it."
RaaS is becoming increasingly popular because – as with other software-as-a-service offerings – the users don't have to be particularly skilled to run a ransomware campaign. They only need to pay for the ransomware and deploy it.
The RaaS operator's use of a modern programming language like Rust "exemplifies a recent trend where threat actors switch to languages like Rust or Go for their payloads in their attempt to not only avoid detection by conventional security solutions but also to challenge defenders who may be trying to reverse engineer the said payloads or compare them to similar threats," the Microsoft analysts wrote.
"BlackCat can target and encrypt Windows and Linux devices and VMWare instances. It has extensive capabilities, including self-propagation configurable by an affiliate for their usage and to environment encountered."
BlackCat has risen fast in the hyperactive ransomware space. According to Palo Alto Networks' Unit 42, a month after surfacing, BlackCat (also known as ALPHV) had the seventh-most victims listed on its leak site among ransomware groups the threat hunting team tracks. Victims range from retail and transportation companies to telcos, pharmaceutical and insurance firms.
In March, Cisco's Talos threat intelligence group found links to the BlackMatter/DarkSide ransomware group that was responsible for last year's attack on Colonial Pipeline. A month later, the FBI issued a warning about the RaaS group, saying that it had attacked at least 60 organizations around the world. It also linked many of the developers and money launderers for BlackCat to BlackMatter/DarkSide.
Now Microsoft is seeing two other highly active ransomware groups turn to BlackCat. One is DEV-0237, which alternates between payloads and has used Ryuk, Conti and Hive in the past before hopping onto BlackCat in March.
The other, DEV-0504, has used at least six RaaS payloads since 2020, including BlackCat most recently.
Some RaaS affiliates regularly switch payloads to ensure business continuity and to improve profits. However, that also makes it more difficult to detect related threats, according to the threat analysts. DEV-0237 – also known as FIN12 – likely switched to BlackCat because of discussion around Hive's decryption methods.
The Microsoft researchers also detailed two recent BlackCat incidents to illustrate the ways affiliates differ in how they use the ransomware. In one, the threat actors exploited an unpatched Exchange server to get into the victim's system, while compromised credentials were used in the second attack to gain initial entry via an internet-facing remote desktop server.
There were also differences in the tools used to move laterally through the network and to store and dump credentials.
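The second entry vector above, a logon with stolen credentials to an internet-facing remote desktop server, is the kind of thing a defender can hunt for in Windows logon telemetry. The following Python is an added example, not code from the article or from Microsoft: it scans constructed logon events (the simplified key=value format, hostnames and addresses are all made up) for successful RDP logons whose source lies outside the internal address ranges, and records how many failed RDP attempts from the same source came first.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed sample of Windows Security events in a simplified key=value form
# (not telemetry from the incidents in the article). 4624 = successful logon,
# 4625 = failed logon, LogonType 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = [
    "EventID=4624 LogonType=10 TargetUser=svc_backup SourceIP=10.20.30.40 Host=RDS01",
    "EventID=4624 LogonType=3 TargetUser=jdoe SourceIP=198.51.100.7 Host=FS01",
    "EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.45 Host=RDS01",
    "EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.45 Host=RDS01",
    "EventID=4624 LogonType=10 TargetUser=admin SourceIP=203.0.113.45 Host=RDS01",
    "EventID=4624 LogonType=10 TargetUser=jdoe SourceIP=203.0.113.9 Host=RDS01",
]

# Address space treated as "inside" (assumed here); anything else is external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

@dataclass
class Alert:
    host: str
    user: str
    source_ip: str
    prior_failures: int  # failed RDP logons seen earlier from the same source

def parse_event(line):
    """Turn one 'key=value key=value' line into a dict."""
    return dict(field.split("=", 1) for field in line.split())

def is_internal(ip):
    """True if the address falls inside one of INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_external_rdp_logons(lines):
    """Flag successful RDP logons from outside INTERNAL_NETS, noting how many
    failed RDP attempts preceded each one from that source address."""
    failures = Counter()
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("LogonType") != "10":      # only RDP sessions matter here
            continue
        src = ev["SourceIP"]
        if ev["EventID"] == "4625":
            failures[src] += 1
        elif ev["EventID"] == "4624" and not is_internal(src):
            alerts.append(Alert(ev["Host"], ev["TargetUser"], src, failures[src]))
    return alerts
```

A non-zero prior_failures count on an external success is the "guess, guess, guess, hit" shape a credential-stuffing session leaves behind, while a clean success with zero failures is what a logon with already-stolen credentials looks like.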
"These actors and groups have different tactics, techniques, and procedures (TTPs)," the researchers wrote. "Thus, no two BlackCat 'lives' or deployments might look the same. Indeed, based on Microsoft threat data, the impact of this ransomware has been noted in various countries and regions in Africa, the Americas, Asia, and Europe." ®