Threat Awareness – Overview of BlackCat Ransomware

Created: Thursday, November 3, 2022 - 14:36
Cybersecurity, Research

Security researchers at Trend Micro recently published a comprehensive report on the BlackCat ransomware group. BlackCat is one of the most active ransomware groups today, operating as a ransomware as a service (RaaS) model and targeting organizations in virtually every critical infrastructure sector.

BlackCat was first observed in November 2021 and quickly earned notoriety for being the first major ransomware family written in Rust, “a cross-platform language that enables malicious actors to customize malware with ease for different operating systems like Windows and Linux,” according to Trend Micro. BlackCat ransomware affiliates have also gained a competitive advantage over other RaaS threat actors through their use of triple extortion ransomware attacks. In addition to publicizing exfiltrated data, ransomware threat actors employing triple extortion threaten to launch distributed denial-of-service (DDoS) attacks on their victims’ infrastructure to coerce them into paying the ransom.

Around 40 percent of organizations targeted by BlackCat ransomware are in the U.S., and from December 1, 2021, to September 30, 2022, BlackCat affiliates targeted at least 12 energy companies and other utilities. Trend Micro researchers indicate that the method BlackCat threat actors use to gain initial access varies based on the RaaS affiliate that deploys the ransomware payload. For instance, Microsoft has observed BlackCat affiliates exploiting Exchange server vulnerabilities to access the target network, while an FBI FLASH from April noted that BlackCat ransomware “leverages previously compromised user credentials to gain initial access to the victim system.”

Additionally, over the summer BlackCat threat actors were observed using new tools such as Brute Ratel, a penetration testing and attack simulation tool similar to Cobalt Strike, to increase their chances of compromising an organization. In September, WaterISAC reported that the Emotet botnet had started delivering BlackCat ransomware. Trend Micro’s report includes further technical information regarding this threat, including indicators of compromise; BlackCat’s infection chain and techniques; and a summary of the malware, tools, and exploits used. To defend against this (and all other) ransomware, members are encouraged to make sure all systems are up to date, conduct regular patch management, and regularly reference CISA's StopRansomware page for more guidance and resources. Read more at Trend Micro.