The FBI released a FLASH alert in April 2022 concerning BlackCat Ransomware. Between November 2021 and March 2022, the ransomware-as-a-service (RaaS) variant encrypted the networks of at least 60 entities worldwide.
The FBI warned that the group behind the malware, also known as ALPHV, is highly experienced with ransomware variations and customarily requests ransom payment of up to several million dollars in cryptocurrencies using Bitcoin or Monero.
The group provides their ransomware service to other attackers. Once a successful attack has been implemented by an affiliate, the BlackCat group takes over operations and negotiates the ransom for them, leveraging their experience to maximize the payout.
BlackCat offers select affiliates as much as 90% of the loot, one reason its presence is accelerating. BlackCat ransomware is known for targeting Windows, Linux, and VMware installations, but the group has recently expanded its target base to include Microsoft Exchange servers.
As a new approach to establishing a beachhead in a targeted network, BlackCat is now targeting unpatched Exchange servers to create an attack avenue as an entry point. Some of the CVEs that BlackCat has been confirmed to exploit include CVE-2021-31207, CVE-2021-34473, and CVE-2021-34523.
BlackCat is self-propagating malware that automatically seeks out network-connected servers across the network, using PsExec, a lightweight telnet-replacement utility, to replicate itself. At the same time, the attackers can also move laterally across the IT estate to steal credentials and exfiltrate data to be used as a backup extortion mechanism.
The exploitation takes place using a web shell dropped onto the targeted Exchange server. Once deposited, the attackers can then use it as a base from which to drop other malicious tools and begin reconnaissance operations.
BlackCat first came on the scene in November of 2021, and was one of the first RaaS creators to use the Rust programming language to create their code. Rust is a low-level programming language, and using it makes it easier for the ransomware strain to evade detection.
Like many modern ransomware strains, it seeks to hamper recovery efforts by deleting volume shadow copies, modifying the boot loader, and clearing server logs. The malware can also determine whether a domain user account has local admin privileges, making it easier to target privileged accounts and spread more efficiently.
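The recovery-inhibiting actions just described, together with the PsExec-based spread from the earlier paragraph, are what a defender would hunt for in endpoint telemetry. The following Python is an added example, not code from this article or from any vendor or product: it runs a few pattern rules over constructed, simplified JSON process-creation and service-install events (the field names, the event layout and the sample lines are assumptions made for this example, not a real log export) and escalates a host on which several anti-recovery actions appear in the same stream.

```python
"""Added example: flag anti-recovery and PsExec-style lateral-movement
behaviour in simplified endpoint events.  The event format is a constructed
stand-in for real process-creation / service-install telemetry."""
import json
import re
from collections import defaultdict

# Constructed sample events, one JSON object per line (invented for this
# example; hosts, users and paths are placeholders, not real telemetry).
SAMPLE_LOG = r"""
{"host":"EXCH01","event":"process_create","user":"CORP\\svc_web","cmdline":"vssadmin.exe delete shadows /all /quiet"}
{"host":"EXCH01","event":"process_create","user":"CORP\\svc_web","cmdline":"bcdedit.exe /set {default} recoveryenabled no"}
{"host":"EXCH01","event":"process_create","user":"CORP\\svc_web","cmdline":"wevtutil.exe cl Security"}
{"host":"FS02","event":"service_install","user":"CORP\\jdoe","service_name":"PSEXESVC","image_path":"%SystemRoot%\\PSEXESVC.exe"}
{"host":"FS02","event":"process_create","user":"CORP\\jdoe","cmdline":"vssadmin.exe list shadows"}
{"host":"WS07","event":"process_create","user":"CORP\\alice","cmdline":"notepad.exe C:\\notes.txt"}
"""

# Command-line rules for the three recovery-inhibiting actions the article
# names: shadow-copy deletion, boot-loader tampering and event-log clearing.
COMMAND_RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+.*shadowcopy\s+delete)", re.I)),
    ("boot_loader_tamper",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("event_log_cleared",
     re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
]
ANTI_RECOVERY_RULES = {name for name, _ in COMMAND_RULES}

# PsExec installs a service with this well-known name on the remote host.
LATERAL_SERVICE_NAMES = {"psexesvc"}


def parse_events(log_text):
    """Parse JSON lines into dicts, skipping blank or malformed lines so one
    bad record does not abort the whole sweep."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def match_event(ev):
    """Return the rule names one event triggers (empty list if benign)."""
    hits = []
    if ev.get("event") == "process_create":
        cmd = ev.get("cmdline", "")
        for name, pattern in COMMAND_RULES:
            if pattern.search(cmd):
                hits.append(name)
    elif ev.get("event") == "service_install":
        if ev.get("service_name", "").lower() in LATERAL_SERVICE_NAMES:
            hits.append("psexec_service_installed")
    return hits


def analyze(log_text):
    """Group triggered rules per host.  Two or more distinct anti-recovery
    rules on one host are escalated to 'high': that combination is the
    ransomware pre-encryption sequence, whereas a single hit (or a PsExec
    service alone) may be legitimate administration and stays 'medium'."""
    per_host = defaultdict(set)
    for ev in parse_events(log_text):
        for rule in match_event(ev):
            per_host[ev.get("host", "?")].add(rule)
    report = {}
    for host, rules in per_host.items():
        severity = "high" if len(rules & ANTI_RECOVERY_RULES) >= 2 else "medium"
        report[host] = {"rules": sorted(rules), "severity": severity}
    return report


if __name__ == "__main__":
    for host, finding in analyze(SAMPLE_LOG).items():
        print(f"{host}: {finding['severity']} -> {', '.join(finding['rules'])}")
```

The rules are deliberately narrow (a `vssadmin list shadows` from a backup operator does not fire), and the per-host correlation is what keeps the alert useful: any one of these commands appears in routine administration, but all three on an Exchange server within one window is worth an immediate look.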
If double extortion wasn’t enough to worry about, BlackCat has even utilized distributed-denial-of-service (DDoS) attacks as a third extortion method to ensure proper payment.
In addition, the group has taken the practice of posting stolen data on the Dark Web to a whole new level. The data is now indexed prior to publishing, offering victimized users the ability to search for their own data records. According to Brian Krebs, this tactic was recently done to a spa resort in which the published data included search buttons that employees and customers could use to search for their own data.
It’s been nearly 18 months since the first known ransomware incident involving an Exchange server was reported. It is imperative that Exchange admins keep their Exchange servers fully patched.
Unfortunately, thousands of unpatched Exchange servers remain in production, which means that BlackCat and other ransomware families will continue to exploit them. Of course, patching is only one aspect of the type of multilayer cybersecurity strategy that is needed to thwart this menacing threat.