
BlackCat/ALPHV Ransomware: Cybriant Responds to FBI Warning



The Federal Bureau of Investigation (FBI) recently released a Flash Report regarding BlackCat ransomware breaches. This ransomware-as-a-service (RaaS) has compromised at least 60 entities worldwide and is the first ransomware group to do so successfully using Rust, considered to be a more secure programming language that offers improved performance and reliable concurrent processing.

We asked Josue Ramirez, Lead Security Analyst with Cybriant, to help clarify the threat with the BlackCat Ransomware.

What are some characteristics of BlackCat ransomware?

This type of Ransomware fits into the newly established category of Ransomware as a Service. This is due to the payloads being written in the Rust programming language.

The Rust programming language is becoming a growing platform language, currently competing with languages such as C++. Unfortunately, it edges out other programming languages in stealth since it has a lower detection rate with static analysis tools (tools that examine code for defects before running it). The language is also known for providing great performance due to its faster startup times, along with a smaller memory footprint. This results in the encryption process for this Ransomware being fast.

What is Ransomware as a Service?

RaaS is pay-for-use Ransomware. It slightly resembles a pseudo business model where bad actors can purchase post-developed ransomware and execute attacks.

This resembles script-kiddies where less-technical bad actors use already-developed malware to launch attacks against organizations. An example of this business model is one in which the developers of said ransomware get a cut from the deploying team’s ransom.

How is this Black Cat Ransomware spread?

BlackCat spreads via 3rd-party frameworks and toolsets (i.e. Cobalt Strike) or through vulnerable, exposed software. Currently, records show that BlackCat targets both Windows and Linux.

How does this Ransomware function? What does it rely on?

This Ransomware’s function is reliant on an access token.

How can organizations protect themselves from BlackCat Ransomware?

SentinelOne, one of the more popular services that we provide, has been shown to successfully kill and quarantine the BlackCat Ransomware. One common characteristic of this Ransomware is that it uses previously compromised credentials, the ones used to gain initial access to a system, to then compromise the Active Directory user/admin account. Once it confirms access, it then spreads via GPOs (Group Policy Objects) to deploy said ransomware via scripts to further compromise other hosts.

Among the other things that this Ransomware compromises is victim data. It does this by leveraging Sysinternals and other Windows admin tools, including sources such as cloud providers.

Who is the hacking group affiliated with this ransomware?

The Hacking group affiliated with this Ransomware is AlphaVM/AlphV.

What should companies do if they have been affected?

Based on the official guidelines, organizations are instructed to do the following:

  1. Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.
  2. Regularly back up data, air gap, and password-protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
  3. Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (e.g., hard drive, storage device, the cloud).
  4. Ensure strong password and multi-factor authentication policies are in place.
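The following hunting script is an added example, not code from the Cybriant post or from the FBI flash. It turns step 1 of the guidance above into something repeatable (new or unrecognised user accounts, recent changes to privileged groups), adds a check for the propagation path described earlier (GPOs changed recently that carry startup/logon scripts or scheduled tasks, which is what an attacker with a domain admin account uses to push a payload to every linked host), and finishes with a look at the domain password policy from step 4. It assumes a domain-joined host with RSAT (the ActiveDirectory and GroupPolicy modules); the 7-day lookback, the `known-accounts.txt` baseline file and the password-policy thresholds are assumptions to adjust, not values from the post.

```powershell
#Requires -Modules ActiveDirectory, GroupPolicy
<#
  Added hunting script (not from the Cybriant post or the FBI flash).
  Run from a domain-joined admin host with RSAT installed.
  Assumptions: 7-day lookback, a local baseline file of expected accounts,
  and the password-policy thresholds below.
#>
param(
    [int]$LookbackDays = 7,
    # One sAMAccountName per line, exported from a known-good state (assumed local file).
    [string]$KnownAccountsFile = '.\known-accounts.txt'
)

$since = (Get-Date).AddDays(-$LookbackDays)
$dc    = [string](Get-ADDomainController -Discover).HostName

# 1. User accounts created inside the lookback window, or absent from the baseline.
$users    = Get-ADUser -Filter * -Properties whenCreated, Enabled, LastLogonDate
$newUsers = $users | Where-Object { $_.whenCreated -ge $since }

$known        = if (Test-Path $KnownAccountsFile) { Get-Content $KnownAccountsFile } else { @() }
$unknownUsers = $users | Where-Object { $known -notcontains $_.SamAccountName }

# 2. Privileged-group membership changes. Replication metadata records when each
#    member value was last written, so additions (and removals) inside the window
#    show up even if nobody kept an audit log. Requires 2012+ domain controllers.
$privGroups     = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins'
$newPrivMembers = foreach ($g in $privGroups) {
    $grp = Get-ADGroup -Identity $g
    Get-ADReplicationAttributeMetadata -Object $grp.DistinguishedName -Server $dc `
        -Attribute member -ShowAllLinkedValues |
        Where-Object { $_.LastOriginatingChangeTime -ge $since } |
        Select-Object @{ n = 'Group'; e = { $g } }, AttributeValue, LastOriginatingChangeTime
}

# 3. GPOs modified inside the window. Startup/logon scripts and scheduled tasks
#    (including "immediate" tasks) are the GPO features that run code on every
#    machine the GPO is linked to, so flag those and list where they are linked.
$recentGpos = Get-GPO -All | Where-Object { $_.ModificationTime -ge $since } | ForEach-Object {
    $xml  = [xml](Get-GPOReport -Guid $_.Id -ReportType Xml)
    $text = $xml.OuterXml
    [pscustomobject]@{
        Name          = $_.DisplayName
        Modified      = $_.ModificationTime
        CanDeployCode = ($text -match 'Scripts') -or ($text -match 'ScheduledTasks') -or ($text -match 'ImmediateTask')
        LinksTo       = ($xml.GPO.LinksTo | ForEach-Object { $_.SOMPath }) -join '; '
    }
}

# 4. Domain password / lockout policy (assumed thresholds, tighten to your standard).
$pol = Get-ADDefaultDomainPasswordPolicy
$policyFindings = @()
if ($pol.MinPasswordLength -lt 14) { $policyFindings += "MinPasswordLength is $($pol.MinPasswordLength) (assumed floor: 14)" }
if ($pol.LockoutThreshold -eq 0)   { $policyFindings += 'Account lockout is disabled' }
if (-not $pol.ComplexityEnabled)   { $policyFindings += 'Password complexity is disabled' }

# Single report object; pipe to Export-Clixml or ConvertTo-Json to keep a record.
[pscustomobject]@{
    Since               = $since
    DomainController    = $dc
    NewUsers            = $newUsers     | Select-Object SamAccountName, whenCreated, Enabled
    UnrecognisedUsers   = $unknownUsers | Select-Object SamAccountName, whenCreated, LastLogonDate
    PrivilegedChanges   = $newPrivMembers
    RecentlyChangedGPOs = $recentGpos
    PasswordPolicy      = $policyFindings
} | Format-List
```

Two caveats a practitioner should keep in mind: the `UnrecognisedUsers` check is only as good as the baseline file, so regenerate it from a trusted export after every legitimate onboarding, and a GPO that was modified before the lookback window but still links a malicious script will not appear in `RecentlyChangedGPOs`, so after an incident widen `-LookbackDays` or review every GPO where `CanDeployCode` is true regardless of date.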

Does Cybriant recommend paying the ransom if you have been hacked?

If you have been hacked, or believe you have been hacked, please contact Cybriant before you pay any ransom. Furthermore, I believe the steps above will play a huge part in determining whether paying the ransom should be considered. This decision would depend on a client’s Domain Controller’s configs, backup policies and your passwords/multi-factor authentication policies enforced.

Contact us today to learn more about the managed security services we offer and click here to learn about our SentinelOne offerings. 
