Woburn, MA – April 7, 2022 – Today Kaspersky released a new report, “A bad luck BlackCat,” revealing the details of two cyber incidents conducted by the BlackCat ransomware group. The complexity of the malware used, combined with the vast experience of the actors behind it, make the gang one of the major players in today’s ransomware market. The tools and techniques the group deploys during their attacks confirm the connection between BlackCat and other infamous ransomware groups, including BlackMatter and REvil.
The BlackCat ransomware gang is a threat actor that has been operating since at least December 2021. Unlike many ransomware actors, BlackCat’s malware is written in Rust programming language. Thanks to Rust’s advanced cross-compilation capabilities, BlackCat can target both Windows and Linux systems. Overall, BlackCat has introduced incremental advances and a shift in technologies to address the challenges of ransomware development.
The actor claims to be a successor to notorious ransomware groups like BlackMatter and REvil. Our telemetry suggests that at least some members of the new BlackCat group have direct links to BlackMatter, as they use tools and techniques that had previously been widely used by that group.
In the new report, Kaspersky researchers shed some light on two cyber-incidents of particular interest. One demonstrates the risk presented by shared cloud hosting resources and the other demonstrates an agile approach to customized malware being re-used across BlackMatter and BlackCat activity.
The first case looks at an attack against a vulnerable ERP (enterprise resource planning) provider in the Middle East hosting multiple sites. The attackers simultaneously delivered two different executables to the same physical server, targeting two different organizations virtually hosted on it. The gang misunderstood the infected server as two different physical systems, while leaving tracks that were important for identifying BlackCat’s operating style. Kaspersky researchers determined that the actor exploits the risk of shared assets across cloud resources. Additionally, in this case, the group also delivered a Mimikatz batch file along with executables and Nirsoft network password recovery utilities. A similar incident took place in 2019 when REvil, a predecessor to BlackMatter activity, appeared to penetrate a cloud service that supports a large number of dental offices in the US. It is most likely that BlackCat has also adopted some of these older tactics.
The second case involves an oil, gas, mining and construction company in South America and reveals the connection between BlackCat and BlackMatter ransomware activity. Not only did the affiliate behind this ransomware attack (which appears to be different from the one in the previously mentioned case) attempt to deliver BlackCat ransomware within the targeted network, it also preceded its delivery of the ransomware with the installation of a modified custom exfiltration utility, which we call “Fendr.” This utility, which is also known as ExMatter, had previously been used exclusively as part of BlackMatter’s ransomware activity.
“After the REvil and BlackMatter groups shut down their operations, it was only a matter of time before another ransomware group took over their niche,” said Dmitry Galov, security researcher at Kaspersky’s Global Research and Analysis Team. “Knowledge of malware development, a new written-from-scratch sample in an unusual programming language and experience in maintaining infrastructure are turning the BlackCat group into a major player in the ransomware market. By analyzing these major incidents, we highlighted the main features, tools and techniques used by BlackCat while penetrating their victims’ networks. This knowledge helps us keep our users safe and protected from known and unknown threats. We urge the cybersecurity community to join forces and work together against new cybercriminal groups for a safer future.”
Learn more about the BlackCat ransomware on Securelist.com.
To help businesses stay protected from ransomware, experts suggest organizations take the following anti-ransomware measures as soon as possible:
· Keep software updated across all devices used by your organization to prevent ransomware from exploiting vulnerabilities.
· Educate your employees on how to protect the corporate environment by utilizing dedicated training courses, such as the ones provided in the Kaspersky Automated Security Awareness Platform. A free lesson on how to protect against ransomware attacks is available here.
· Focus your defense strategy on detecting lateral movements and data exfiltration to the internet. Pay special attention to outgoing traffic to detect cybercriminals' connections.
· Back up data regularly and make sure you can quickly access it in an emergency.
· Use the latest threat intelligence to stay aware of current TTPs being used by threat actors.
· Use solutions like Kaspersky Endpoint Detection and Response and Kaspersky Managed Detection and Response, which help identify and stop an attack in its early stages – before attackers are able to achieve their final goals.
Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 240,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com.
Sawyer Van Horn