BlackCat ransomware-as-a-service (RaaS) is on the prowl, having compromised dozens of organizations between November 2021 and March 2022. A warning from the U.S. FBI Cyber Division, released on Wednesday, April 20, details the activities of this new threat. To date, BlackCat has compromised more than 60 organizations worldwide. This high rate of success may be due to the ransomware's ties to the DarkSide/BlackMatter groups, which breached Colonial Pipeline in May 2021 and caused widespread gasoline shortages and price increases. Many of the developers and money launderers behind that attack now support BlackCat, giving the newly formed RaaS operation a wealth of operational experience.
Threat actors using BlackCat demand ransoms totaling several million U.S. dollars, payable in Bitcoin or Monero. The FBI, and the industry in general, discourages paying: payment does not guarantee file recovery and rewards the behavior. The FBI does note that some adversaries have accepted lower sums than initially demanded. Any organization hit by a BlackCat ransomware attack is encouraged to contact the FBI.
What makes BlackCat particularly interesting is that it is the first major ransomware family written in the Rust programming language, which is known for its memory-safety guarantees and performance. While Rust is new to ransomware campaigns, much of BlackCat's approach is familiar. The group gains initial access with compromised credentials, which are easily obtainable through initial access brokers (IABs). During initial deployment, BlackCat affiliates use PowerShell scripts together with Cobalt Strike to disable security features inside the victim's network. Once established, they push the ransomware payload across the domain by configuring malicious Group Policy Objects (GPOs) and using the Windows Task Scheduler to run it on domain-joined hosts.
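The GPO-plus-Task-Scheduler deployment step described above leaves a recognizable trail in Windows Security logs. The following Python script is an added example, not code from BlackBerry or from the FBI release: it correlates Directory Service change events (Event ID 5136 on a domain controller, object class groupPolicyContainer) with scheduled-task creation events (Event ID 4698) on member hosts, and flags a task name that appears on several hosts shortly after a GPO edit. The sample events, host names, task names, the 30-minute window and the three-host threshold are all constructed assumptions chosen for the illustration.

```python
"""Hunt for ransomware staged through Group Policy + Task Scheduler.

Added example (not BlackBerry's or the FBI's code). Two Security-log event
types are correlated:

  * 5136 on a domain controller: a Directory Service object was modified;
    object_class groupPolicyContainer means a GPO was edited.
  * 4698 on member hosts: a scheduled task was created (the execution
    vehicle the FBI warning describes).

A GPO edit followed by the same new task on many hosts is the shape of a
domain-wide push. The records below are constructed for the example; field
names mirror the Security log schema, but a real pipeline would read them
from a SIEM.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # assumed: how soon after a GPO edit tasks appear
MIN_HOSTS = 3                    # assumed: same task on this many hosts = mass push

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Inventory task on three hosts with no GPO edit beforehand -> not flagged.
    {"time": "2022-04-17T10:00:00", "host": "WS-001", "id": 4698,
     "task_name": "\\Inventory", "command": "C:\\Tools\\inventory.exe"},
    {"time": "2022-04-17T10:00:30", "host": "WS-002", "id": 4698,
     "task_name": "\\Inventory", "command": "C:\\Tools\\inventory.exe"},
    {"time": "2022-04-17T10:01:00", "host": "WS-003", "id": 4698,
     "task_name": "\\Inventory", "command": "C:\\Tools\\inventory.exe"},
    # One host gets a backup task -> below the host threshold.
    {"time": "2022-04-18T08:02:00", "host": "WS-014", "id": 4698,
     "task_name": "\\Backup\\Nightly", "command": "C:\\Tools\\backup.exe"},
    # GPO edit on the DC, then the same new task on four hosts -> flagged.
    {"time": "2022-04-18T21:40:00", "host": "DC01", "id": 5136,
     "object_class": "groupPolicyContainer",
     "object_dn": "CN={00000000-0000-0000-0000-000000000001},"
                  "CN=Policies,CN=System,DC=corp,DC=example"},
    {"time": "2022-04-18T21:52:00", "host": "WS-101", "id": 4698,
     "task_name": "\\Update", "command": "C:\\Windows\\Temp\\update.exe"},
    {"time": "2022-04-18T21:53:00", "host": "WS-102", "id": 4698,
     "task_name": "\\Update", "command": "C:\\Windows\\Temp\\update.exe"},
    {"time": "2022-04-18T21:53:10", "host": "WS-103", "id": 4698,
     "task_name": "\\Update", "command": "C:\\Windows\\Temp\\update.exe"},
    {"time": "2022-04-18T21:54:00", "host": "SRV-FILE01", "id": 4698,
     "task_name": "\\Update", "command": "C:\\Windows\\Temp\\update.exe"},
    # GPO edit with no follow-on task creation -> not flagged on its own.
    {"time": "2022-04-19T09:15:00", "host": "DC01", "id": 5136,
     "object_class": "groupPolicyContainer",
     "object_dn": "CN={00000000-0000-0000-0000-000000000002},"
                  "CN=Policies,CN=System,DC=corp,DC=example"},
]


def _parse(events):
    """Copy events with ISO timestamps turned into datetimes, sorted by time."""
    return sorted(
        ({**e, "time": datetime.fromisoformat(e["time"])} for e in events),
        key=lambda e: e["time"],
    )


def find_gpo_task_deployments(events, window=WINDOW, min_hosts=MIN_HOSTS):
    """Return one alert per task name created on at least `min_hosts` hosts
    whose first creation falls within `window` after a GPO modification."""
    parsed = _parse(events)
    gpo_edits = [e for e in parsed
                 if e["id"] == 5136
                 and e.get("object_class") == "groupPolicyContainer"]
    tasks = defaultdict(list)
    for e in parsed:
        if e["id"] == 4698:
            tasks[e["task_name"]].append(e)

    alerts = []
    for name, creations in tasks.items():
        hosts = sorted({c["host"] for c in creations})
        if len(hosts) < min_hosts:
            continue
        first = creations[0]["time"]          # creations are time-sorted
        # GPO edits in the window before the first task creation.
        prior = [g for g in gpo_edits if first - window <= g["time"] <= first]
        if not prior:
            continue
        alerts.append({
            "task_name": name,
            "hosts": hosts,
            "command": sorted({c["command"] for c in creations}),
            "gpo": prior[-1]["object_dn"],     # most recent preceding edit
            "first_seen": first.isoformat(),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_gpo_task_deployments(SAMPLE_EVENTS):
        print(alert)
```

Both event IDs are off by default: 5136 requires the Audit Directory Service Changes subcategory on domain controllers, and 4698 requires Audit Other Object Access Events on endpoints, so the logging has to be in place before the intrusion. Legitimate software deployment through GPO produces the same pattern, so the alert is a prompt to inspect the task's command line and the GPO's scheduled-task preference, not a verdict, and the window and host threshold should be tuned to the size of the environment.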
Like most ransomware operations today, BlackCat favors a double-extortion strategy: victim data is exfiltrated before any encryption occurs, so the threat of leaking it adds pressure to pay. BlackCat's data-stealing capability has also been used successfully against cloud providers holding client data. The FBI release provides indicators of compromise (IOCs) and a list of mitigation steps for organizations hoping to avoid BlackCat attacks. Additional information on threat groups, RaaS, Cobalt Strike, Rust, and numerous other cybersecurity topics can be found in the BlackBerry® 2022 Threat Report.
To effectively combat BlackCat and other forms of ransomware, we suggest using artificial intelligence (AI) based solutions tuned to prevent these types of attacks before the payload runs.