The Federal Bureau of Investigation (FBI) has released a TLP: WHITE flash alert
concerning the BlackCat ransomware-as-a-service (RaaS) operation. BlackCat, also referred to as ALPHAV, was started in November 2021. It was brought out soon after the closing of the BlackMatter ransomware operation, known as a rebrand of DarkSide. Darkside was associated with the ransomware attack involving the Colonial Pipeline. A person from the operation has said they are previously an affiliate of BlackMatter/DarkSide that went on their own. Nonetheless, it is more probable that BlackCat is merely a rebranding of BlackMatter/DarkSide.
The FBI mentioned numerous developers and money launderers a part of the BlackCat operation were associated with DarkSide/BlackMatter, which shows they have substantial networks and appreciable expertise in managing RaaS operations. The BlackCat RaaS operation hasn’t been in operation for a long time, however, the group has already reported no less than 60 victims around the world. BlackCat generally targets big companies and requires ransom payments of a few million dollars of Bitcoin or Monero, even though the group looks eager to make a deal regarding payments with victims.
Strangely for ransomware, it is penned in RUST, which is deemed to be a more reliable programming language that helps ensure better operation and concurrent processing. First access to networks is normally acquired by making use of earlier compromised information, and as soon as access is obtained, Active Directory users along with administrator accounts are affected. The ransomware executable is remarkably customizable and makes it possible for attacks on a vast selection of corporate settings, it facilitates several encryption strategies, and can deactivate security capabilities on victim systems.
The group employs Windows Task Scheduler to install malicious Group Policy Objects (GPOs) to release the ransomware, at the beginning employing PowerShell scripts and Cobalt Strike. Microsoft Sysinternals Tools and Windows administrative tools are at the same time utilized in the course of a breach. Before encryption of files, victim files are stolen, as well as those from cloud companies. Threats are afterward given to expose the stolen information on the leak web page when there is no ransom paid. In the flash advisory, the FBI has provided indicators of compromise (IoCs) and mitigation procedures that must be implemented to strengthen security and make it more challenging for attacks to become successful.
Much like all ransomware attacks, the FBI does not recommend giving ransom payment since there is no warranty that files will be retrieved, paying doesn’t stop additional attacks, and there’s no assurance that any records stolen during the attack won’t be posted, stolen, or improperly used. Nevertheless, the FBI agrees that ransom payment may be the sole solution in several cases to safeguard clients, patients, staff members, and shareholders.
Irrespective of whether ransom payment is made, the FBI wanted victims to report cyberattacks to their community FBI field office. The FBI has asked for IP records exhibiting callbacks from foreign IP addresses, Monero Or Bitcoin addresses and transaction IDs, calls to the attackers, the decryptor file, and/or a benign example of an encrypted data file.