The number of hacking groups online keeps growing and there is a new ransomware collective to be aware of, according to findings by Cisco Talos. BlackCat is a new and rising faction on the ransomware-as-a-service (RaaS) scene, having targeted several companies over the past few months by exploiting vulnerabilities in the Windows system. RaaS is a business model in which affiliates pay to have ransomware attacks launched by operators. The announcement comes on the heels of other malicious groups targeting Ukrainian sympathizers and countries in the Arabian Peninsula.
The BlackCat group allegedly has ties to the BlackMatter/DarkSide groups that made news by infiltrating the Colonial Pipeline system last year in a ransomware attack. In an interview with cybersecurity company Recorded Future, a BlackCat representative stated that the two entities had a “connection”, but that there was no direct relationship between them. The representative also said that the group’s members are affiliates of other RaaS operations and draw on the knowledge gained from those groups and their past attacks.
How are the attacks happening?
The BlackCat ransomware, also known as “ALPHV”, has been used against companies by encrypting their files and disclosing stolen data. One example of this was when Seattle-based Expeditors International fell victim to the ransomware and was forced to shut down its systems as a result. These attacks were carried out through an initial compromise of a company’s system, followed by data exploration and finally the attack on the system itself. The attacks affected multiple companies in the process: Expeditors is a freight company and part of a shipping supply chain, so taking its systems offline caused slowdowns in the shipping process.
Cisco Talos theorizes that the malicious group(s) exploited the Microsoft Exchange email server to gain access to the affected companies’ systems. The attackers deployed the tool Reverse-ssh to the victim’s system directory and disabled logging so that their activity inside the system would not be recorded. Once in, the cybercriminals were able to obtain their victims’ Windows credentials. Cisco Talos identified the BlackCat attack using a network scanner, which showed that the tool was in use on a user’s system.
The set of attacks was linked by Cisco Talos to the hacking groups based on the file names, tools and techniques shared by the attackers. The cybersecurity company also noted that RaaS operators have been known to make training on using the ransomware available to their affiliate groups, and that the same affiliate was responsible for a number of attacks.
Both BlackCat and BlackMatter’s attacks use similar vectors, pointing to the two groups being affiliated with each other through the sharing of ransomware and deployment methods. In both cases, the attackers accessed the domain controller, then dropped and ran a malicious file that caused the ransomware to spread throughout the domain.
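The chain described above (a remote-access tool dropped into a Windows system directory, followed by log clearing) is something a defender can look for in endpoint telemetry. The following is an added example, not code from the Cisco Talos report or from TechRepublic: it scans constructed, simplified event records for a process launched from a system directory under a suspect name (Windows Security event 4688) and flags it when the audit log is cleared on the same host shortly afterwards (Windows Security event 1102). The pipe-delimited record format, the host names and the time window are assumptions for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records in a simplified "timestamp|event_id|host|detail"
# form; these are not real telemetry from the incident described in the article.
SAMPLE_EVENTS = """\
2022-03-01T10:02:11|4688|ws01|New Process: C:\\Windows\\System32\\reverse-ssh.exe
2022-03-01T10:03:40|1102|ws01|The audit log was cleared
2022-03-01T11:15:02|4688|ws02|New Process: C:\\Program Files\\App\\app.exe
2022-03-02T09:00:00|1102|ws02|The audit log was cleared
""".splitlines()

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\temp", r"c:\windows")
SUSPECT_NAMES = ("reverse-ssh",)      # tool name taken from the article
WINDOW = timedelta(minutes=30)        # assumed correlation window


def parse(line):
    """Split one record into a dict with a real datetime and integer event ID."""
    ts, eid, host, detail = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "eid": int(eid),
            "host": host, "detail": detail}


def is_suspect_process(ev):
    """True for a 4688 record whose image lives in a system directory
    and carries a suspect tool name."""
    if ev["eid"] != 4688:
        return False
    m = re.search(r"New Process:\s*(.+)$", ev["detail"], re.I)
    if not m:
        return False
    path = m.group(1).strip().lower()
    return (any(name in path for name in SUSPECT_NAMES)
            and any(path.startswith(d) for d in SYSTEM_DIRS))


def find_alerts(lines):
    """Return (host, process_time, log_cleared_time) for each suspect process
    followed by an audit-log-cleared event on the same host within WINDOW."""
    events = sorted((parse(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    alerts = []
    for i, ev in enumerate(events):
        if not is_suspect_process(ev):
            continue
        for later in events[i + 1:]:
            if later["ts"] - ev["ts"] > WINDOW:
                break                      # events are time-sorted
            if later["host"] != ev["host"]:
                continue
            if later["eid"] == 1102:
                alerts.append((ev["host"], ev["ts"], later["ts"]))
                break
    return alerts


if __name__ == "__main__":
    for host, started, cleared in find_alerts(SAMPLE_EVENTS):
        print(f"{host}: suspect tool at {started}, audit log cleared at {cleared}")
```

Host ws02 produces no alert: its log clearing is not preceded by a suspect process, which is the kind of benign maintenance event this correlation is meant to filter out.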
How can these attacks be avoided?
As always, making sure that potentially malicious files are thoroughly vetted is a must for avoiding these types of attacks. Cisco Talos says that while RaaS services vary, affiliates simply move on to a new service once one is shut down. The two attacks are alleged to have taken place over a period of 15 days, and cyberdefense groups analyzing these findings and the attackers’ tools may be key to stopping them in the future.
While understanding the way these attacks are carried out is valuable, once the system is compromised it may be too late. The best way to assist with avoiding this sort of cyberattack is investment in the best antivirus software on the market, allowing for peace of mind when conducting business or sending personal information.
These attacks so far have targeted U.S.-based companies more than 30% of the time, so enterprises in North America are advised to be ready in case they are the next subject of attack for the BlackCat group.