BlackCat/ALPHV Ransomware: Cybriant Responds to FBI Warning

The Federal Bureau of Investigation (FBI) recently released a Flash Report regarding BlackCat ransomware breaches. This ransomware-as-a-service (RaaS) operation has compromised at least 60 entities worldwide and is the first ransomware group to do so successfully using Rust, considered to be a more secure programming language that offers improved performance and reliable concurrent processing.

We asked Josue Ramirez, Lead Security Analyst with Cybriant, to help clarify the threat with the BlackCat Ransomware.

What are some characteristics of BlackCat ransomware?

This type of Ransomware fits into the newly established category of Ransomware as a Service. This is due to the payloads being written in the Rust programming language.

The Rust programming language is becoming part of a growing platform language, currently competing with languages such as C++. Unfortunately, it edges out other programming languages in stealth since it has a lower detection rate from static analysis tools (tools that examine code for defects before running it). The language is also known for providing great performance due to its faster startup times, along with a smaller memory footprint. This results in the encryption process for this ransomware being fast.

What is Ransomware as a Service?

RaaS is basically pay-for-use Ransomware. It slightly resembles a pseudo business model where bad actors can purchase post-developed ransomware and execute attacks.

This resembles script-kiddies where less-technical bad actors use already-developed malware to launch attacks against organizations. An example of this business model is one in which the developers of said ransomware get a cut from the deploying team’s ransom.

How is BlackCat ransomware spread?

BlackCat spreads via third-party frameworks and toolsets (e.g., Cobalt Strike) or through vulnerable, exposed software. Currently, records show that BlackCat targets both Windows and Linux.

How does this Ransomware function? What does it rely on?

This ransomware's function is reliant on an access token.

How can organizations protect themselves from BlackCat Ransomware?

SentinelOne, one of the more popular services we provide, has been shown to successfully kill and quarantine the BlackCat ransomware. One common characteristic of this ransomware is that it uses previously compromised credentials, which were used to gain initial access to a system, to then compromise Active Directory user/admin accounts. Once it confirms access, it then spreads via GPOs (Group Policy Objects) to deploy said ransomware via scripts to further compromise other hosts.

Among the other things that this ransomware compromises is victim data. It does this by leveraging Sysinternals and other Windows admin tools, including sources such as cloud providers.

Who is the hacking group affiliated with this ransomware?

The hacking group affiliated with this ransomware is AlphaVM/AlphV.

What should companies do if they have been affected?

Based on the official guidelines, organizations are instructed to do the following:

  1. Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.
  2. Regularly back up data, air gap, and password-protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
  3. Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (e.g., hard drive, storage device, the cloud).
  4. Ensure strong password and multi-factor authentication policies are in place.
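The review in step 1 (and the GPO-based spread described above) can be turned into a repeatable hunt. The script below is an added example written for this post; it is not code from Cybriant, SentinelOne or the FBI report. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed, that the account running it can read the domain controller's Security log, and it uses two hypothetical parameters, `$LookbackDays` and `$DomainController`, for tuning. It lists accounts created in the window, the Security events that record account creation (4720) and additions to security-enabled groups (4728/4732), GPOs modified in the window flagged when their report contains scripts or scheduled tasks, and the domain password policy for step 4.

```powershell
<#
  Added example, not code from the Cybriant post or the FBI flash report.
  Hunts a domain for the artifacts the post's remediation steps point at:
  new or unrecognized accounts, privileged-group changes, and recently
  modified GPOs (the spread mechanism described above). Assumes the RSAT
  ActiveDirectory and GroupPolicy modules and read access to the DC's
  Security log. $LookbackDays and $DomainController are hypothetical knobs.
#>
param(
    [int]$LookbackDays = 7,
    [string]$DomainController = "$env:LOGONSERVER".TrimStart('\')
)

Import-Module ActiveDirectory
Import-Module GroupPolicy

$since = (Get-Date).AddDays(-$LookbackDays)

# Accounts created inside the window, with their group memberships, so the
# analyst can pick out names nobody on the team recognizes.
function Get-RecentDomainAccounts {
    param([datetime]$Since)
    Get-ADUser -Filter 'whenCreated -ge $Since' -Properties whenCreated, MemberOf |
        Select-Object SamAccountName, Enabled, whenCreated,
            @{ Name = 'Groups'; Expression = {
                ($_.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ';' } }
}

# Security events for account creation (4720) and membership added to a
# security-enabled global (4728) or local (4732) group. Fields are read by
# name from the event XML rather than by position.
function Get-AccountChangeEvents {
    param([string]$Computer, [datetime]$Since)
    $filter = @{ LogName = 'Security'; Id = 4720, 4728, 4732; StartTime = $Since }
    Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
            if ($_.Id -eq 4720) {
                $target = $data['TargetUserName']; $group = ''
            } else {
                $target = $data['MemberName'];     $group = $data['TargetUserName']
            }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                Actor   = $data['SubjectUserName']
                Target  = $target
                Group   = $group
            }
        }
}

# GPOs touched inside the window. Each GPO's XML report is searched for the
# settings a GPO-based payload push would need: scripts or scheduled tasks.
function Get-RecentGpoChanges {
    param([datetime]$Since)
    Get-GPO -All | Where-Object { $_.ModificationTime -ge $Since } | ForEach-Object {
        $report = Get-GPOReport -Guid $_.Id -ReportType Xml
        [pscustomobject]@{
            Name       = $_.DisplayName
            Modified   = $_.ModificationTime
            Owner      = $_.Owner
            HasScripts = [bool]($report -match 'Scripts|ScheduledTasks')
        }
    }
}

# Domain password policy, for the post's fourth step.
function Get-PasswordPolicySummary {
    Get-ADDefaultDomainPasswordPolicy |
        Select-Object MinPasswordLength, ComplexityEnabled, LockoutThreshold, MaxPasswordAge
}

'== Accounts created since {0} ==' -f $since
Get-RecentDomainAccounts -Since $since | Format-Table -AutoSize
'== Account creation / group membership events on {0} ==' -f $DomainController
Get-AccountChangeEvents -Computer $DomainController -Since $since | Format-Table -AutoSize
'== GPOs modified since {0} ==' -f $since
Get-RecentGpoChanges -Since $since | Format-Table -AutoSize
'== Domain password policy =='
Get-PasswordPolicySummary | Format-List
```

Run it from a management host with `.\Hunt-BlackCatArtifacts.ps1 -LookbackDays 14 -DomainController DC01` (the file name is the reader's choice). A GPO flagged `HasScripts` that was modified outside a change window, or a 4728/4732 event whose actor is a freshly created account, is exactly the kind of finding step 1 asks analysts to look for before deciding how much to trust the environment.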

Does Cybriant recommend paying the ransom if you have been hacked?

If you have been hacked, or believe you have been hacked, please contact Cybriant before you pay any ransom. Furthermore, I believe the steps above will play a huge part in determining whether paying the ransom should be considered. This decision would depend on a client's domain controller configs, backup policies, and the password/multi-factor authentication policies enforced.

Contact us today to learn more about the managed security services we offer.
