Alert! BlackCat Ransomware Targets Companies



Kaspersky researchers have detailed two intrusions carried out by the BlackCat ransomware group. One demonstrates the risk posed by shared cloud hosting resources; the other demonstrates an agile approach to custom malware that is reused across BlackMatter and BlackCat activity.

The complexity of the malware, combined with the extensive experience of the actors behind it, makes the BlackCat ransomware group one of the major players in today's ransomware market. The tools and techniques used in these attacks confirm the relationship between BlackCat and other well-known ransomware groups such as BlackMatter and REvil.


The BlackCat ransomware group has been active since December 2021. Unlike most other ransomware, BlackCat's malware is written in the Rust programming language. Thanks to Rust's cross-compilation support, BlackCat can target both Windows and Linux systems.



BlackCat has introduced incremental improvements and technology shifts that address the challenges of ransomware development. The actor claims to be the successor to well-known ransomware groups such as BlackMatter and REvil.


Kaspersky telemetry shows that at least some members of the new BlackCat group have direct links to BlackMatter, as they use tools and techniques that BlackMatter previously used extensively.



In a new report titled A Bad Luck BlackCat, Kaspersky researchers describe in the first case an attack on a vulnerable ERP (enterprise resource planning) provider in the Middle East that hosts many sites. The attacker simultaneously delivered two different executables to the same physical server, targeting two different organizations virtually hosted there.


Although the group mistook the infected server for two different physical systems, the attacker left a trail that was important in determining BlackCat's operating style. Kaspersky researchers concluded that the actor was exploiting the risk inherent in assets shared across cloud resources.


Additionally, in this case the group also delivered a Mimikatz batch file along with Nirsoft network and password recovery utilities. A similar incident occurred in 2019, when REvil, a precursor to BlackMatter activity, penetrated a cloud service supporting a large number of dental offices in the United States. BlackCat has most likely adopted some of these older tactics.


The second case involves oil, gas, mining and construction companies in South America and reveals links between BlackCat and BlackMatter ransomware activity. The affiliate behind this attack not only attempted to deliver the BlackCat ransomware within the targeted network, but also preceded the ransomware with a modified build of a custom exfiltration utility called Fendr. This utility, also known as ExMatter, had previously been used exclusively as part of BlackMatter ransomware activity.


"After the REvil and BlackMatter groups closed operations, it didn't take long for another ransomware group to take over their niche. Knowledge of malware development, new examples written from scratch in programming languages," said Dmitry Galov, security researcher at Kaspersky's Global Research and Analysis Team (GReAT).


"By analyzing this major incident, we are highlighting the key features, tools and techniques used by BlackCat when it penetrates its target network. This knowledge helps us keep our users safe and protected from both known and unknown threats. We urge the cybersecurity community to join in and work together against a new group of cybercriminals for a safer future."


To help businesses stay protected from ransomware, Kaspersky security researchers advise companies to take the following anti-ransomware measures as soon as possible:


Keep all software used by your organization up to date to prevent ransomware from exploiting vulnerabilities.

Educate employees on how to protect the corporate environment by taking advantage of specialized training, such as that provided by the Kaspersky Automated Security Awareness Platform. Free lessons on how to protect against ransomware attacks are available here.

Focus the company's defense strategy on detecting lateral movement and data exfiltration to the Internet. Pay special attention to outgoing traffic in order to detect cybercriminals' connections.

Back up your data regularly and make sure you can access it quickly in an emergency.

Use the latest threat intelligence to stay alert to the current TTPs used by threat actors.

Use solutions such as Kaspersky Endpoint Detection and Response and Kaspersky Managed Detection and Response, which help identify and stop attacks at an early stage, before attackers can reach their final goal.
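The advice above to watch outgoing traffic for exfiltration (the kind of activity the Fendr/ExMatter utility performs) can be turned into a concrete check. The following is an added example written for this page; it is not code from Kaspersky or from the BlackCat report. It sums the bytes each internal host sends to Internet destinations from a set of constructed flow records and flags hosts whose egress is both large in absolute terms and far above their own historical baseline. The hosts, addresses, byte counts, baseline and thresholds are all assumptions made for the example.

```python
# Added example: an egress-volume check over constructed flow records.
# Not code from Kaspersky or the BlackCat report; every host, address,
# baseline value and threshold below is constructed for illustration.
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# RFC 1918 ranges are treated as "internal"; anything else is the Internet.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


@dataclass
class Flow:
    src: str        # source address (internal host)
    dst: str        # destination address
    dport: int      # destination port
    bytes_out: int  # bytes sent from src to dst in this flow


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def egress_per_host(flows):
    """Sum bytes sent from each internal host to non-internal destinations.
    Internal-to-internal transfers (file shares, backups) are ignored so
    that only traffic leaving the network is counted."""
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            totals[f.src] += f.bytes_out
    return dict(totals)


def find_exfil_suspects(flows, baseline, ratio=10.0, min_bytes=50_000_000):
    """Return {host: egress_bytes} for hosts whose egress in this window is
    at least min_bytes AND at least ratio times their own baseline.
    Requiring both keeps a normally busy host (backup or mail server) from
    being flagged just for being busy, and keeps a quiet host from being
    flagged for a small spike that is noise in absolute terms."""
    suspects = {}
    for host, total in egress_per_host(flows).items():
        base = baseline.get(host, 0)
        if total >= min_bytes and total >= ratio * max(base, 1):
            suspects[host] = total
    return suspects


# Constructed sample window: a file server suddenly ships 2 GB to one external host.
SAMPLE_FLOWS = [
    Flow("10.0.1.15", "10.0.1.20", 445, 120_000_000),       # internal SMB copy: ignored
    Flow("10.0.1.15", "203.0.113.77", 443, 2_000_000_000),  # large upload to the Internet
    Flow("10.0.1.22", "198.51.100.9", 443, 4_000_000),      # ordinary browsing
    Flow("10.0.1.30", "198.51.100.9", 443, 80_000_000),     # backup server, normally busy
]

# Constructed per-host baseline: typical egress bytes in one window.
BASELINE = {"10.0.1.15": 20_000_000, "10.0.1.22": 5_000_000, "10.0.1.30": 75_000_000}

if __name__ == "__main__":
    for host, total in find_exfil_suspects(SAMPLE_FLOWS, BASELINE).items():
        print(f"suspect egress: {host} sent {total / 1e6:.0f} MB outside the network")
```

In a real deployment the flow records would come from NetFlow/IPFIX, firewall or proxy logs rather than an inline list, and the baseline would be computed from several weeks of history per host; the two-condition rule is the part worth keeping, since a pure volume threshold is noisy on backup and mail servers and a pure ratio rule fires on idle workstations.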
