Bad Luck: BlackCat Ransomware Bulletin
On April 19th of 2022, the FBI Cyber Division released a flash bulletin regarding the Blackcat ransomware-for-hire. This was met with mixed reactions – some found the ransomware to be of little concern, others made a case for tracking its progress. Either way, this ransomware-for-hire has been around far longer (in internet terms) than the bulletin may have some believe, having been first seen in September 2021. Some elements of the ransomware are more concerning than those of others in the same category, but overall it poses no greater risk than its peers to companies that can stop it before a true infection takes hold.
Malware Traits of Blackcat Ransomware
One of the defining traits of Blackcat over other ransomware-for-hire is the fact that it is written in Rust. Rust gives the malware better reliability, and because its toolchain is cross-platform, it makes evading detection mechanisms and targeting multiple operating systems easier. Many of its developers have been associated with the Darkside/Blackmatter group, which also raises the concern of dealing with experienced malware operators.
Blackcat starts by using previously compromised credentials for an initial foothold in the network. It targets Active Directory to spread via GPO, relying primarily on built-in Windows administrative tools for propagation, outbound connections, and disabling security features such as antivirus.
After successfully gaining access to the target machine, this malware beacons back data about the victim machine (such as the host UUID). This information helps the attackers identify the compromised company and assists in delivering the ransom message to the victim. The ransomware targets virtual machines and snapshots, looking to escape containers, encrypt any possible persistence, and wipe out backups that weren’t carefully archived. It also searches through data hosted by cloud providers contracted by the target.
As far as the actual ransom process goes, the Blackcat group has adopted several of the more recently common practices when interacting with victims: threats to release small batches of data upon lack of payment, listing non-payers on a public ‘wall of shame’, and pressuring contractors and customers of the victim to secure payment. However, they also use some less common tactics, like threats of DDoS and discounts for fast payment, both of which play directly on a victim’s initial panic. Blackcat is also known for requesting large ransoms in the millions.
As with most ransomware-for-hire programs, Blackcat’s aim is to spread fast and hit hard before the dust clears, presumably to make off with the ill-gotten gains before law enforcement and researchers catch on.
Mitigations for Blackcat Ransomware
Thankfully, there are a few key mitigations for this malware already. Monitoring for known IOCs and generally suspicious Server Message Block (SMB) traffic is a first step that helps in understanding attempts against a target network in real time. Certain activities common to this malware (that are also useful for alerting) include:
- ‘vssadmin’ shadow copy deletions
- Recovery mode edits using ‘bcdedit.exe’
- Propagation via ‘psexec’
- Use of anti-forensics tools like fileshredder
- Collecting machine UUID via WMIC commands
- Propagation via ‘net use’ command
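The list above maps naturally onto process-creation telemetry. The following is an added example (not code from this post or from LogicHub) of how a detection engineer might turn those six activities into command-line rules and run them over a log. The `user|host|image|commandline` record format and the sample records are constructed for the example, and the specific command-line patterns (for instance, matching `bcdedit` with `recoveryenabled no`) are my own assumptions about what the bulletin's activities look like on a host; the rule names are likewise my own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample process-creation records (not real telemetry).
# Format: user|host|image|commandline
SAMPLE_LOG = """\
alice|WS01|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs
SYSTEM|WS01|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
SYSTEM|WS01|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {default} recoveryenabled No
admin|WS02|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic csproduct get uuid
admin|WS02|C:\\Tools\\PsExec.exe|psexec.exe \\\\WS03 -s cmd.exe /c whoami
admin|WS02|C:\\Windows\\System32\\net.exe|net use Z: \\\\FS01\\share /user:corp\\admin
bob|WS03|C:\\Program Files\\Notepad++\\notepad++.exe|notepad++.exe notes.txt
"""

# One rule per activity from the bulletin's list. Patterns are assumptions
# about how each activity appears on the command line (case-insensitive).
RULES = [
    ("shadow_copy_deletion", r"vssadmin(\.exe)?\s+delete\s+shadows"),
    ("recovery_mode_edit", r"bcdedit(\.exe)?\s.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)"),
    ("psexec_propagation", r"psexec"),
    ("anti_forensics_tool", r"fileshredder"),
    ("uuid_collection_wmic", r"wmic(\.exe)?\s+csproduct\s+get\s+uuid"),
    ("net_use_propagation", r"\bnet(\.exe)?\s+use\b"),
]
COMPILED = [(name, re.compile(pattern, re.IGNORECASE)) for name, pattern in RULES]


@dataclass(frozen=True)
class Alert:
    host: str
    user: str
    rule: str
    commandline: str


def parse_records(log_text):
    """Split the constructed pipe-delimited log into dicts; blank lines are skipped."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        user, host, image, commandline = line.split("|", 3)
        records.append({"user": user, "host": host, "image": image, "commandline": commandline})
    return records


def scan(log_text):
    """Run every rule over every record's command line and return the matches."""
    alerts = []
    for rec in parse_records(log_text):
        for name, regex in COMPILED:
            if regex.search(rec["commandline"]):
                alerts.append(Alert(rec["host"], rec["user"], name, rec["commandline"]))
    return alerts


def triage(alerts):
    """Group alerts by host. Two or more distinct behaviours on one host is
    rated 'high', since these activities tend to cluster during an intrusion
    rather than occur alone in normal administration."""
    rules_by_host = defaultdict(set)
    for alert in alerts:
        rules_by_host[alert.host].add(alert.rule)
    return {
        host: ("high" if len(rules) >= 2 else "medium", sorted(rules))
        for host, rules in rules_by_host.items()
    }


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for alert in found:
        print(f"{alert.host:5} {alert.user:7} {alert.rule:22} {alert.commandline}")
    for host, (severity, rules) in triage(found).items():
        print(f"{host}: {severity} ({', '.join(rules)})")
```

Running the block prints five alerts on the constructed data: WS01 shows shadow-copy deletion and a recovery-mode edit, and WS02 shows UUID collection, psexec and `net use`, so both hosts triage as high while the benign svchost and notepad++ records produce nothing. In a real deployment the same rules would be fed from Sysmon event ID 1 or Windows Security event 4688 command lines rather than this constructed format, and administrators' legitimate use of `psexec` or `net use` is the main source of noise, which is why the per-host clustering in `triage` matters more than any single match.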
Of course, more standard mitigations also apply, like the ones detailed in the FBI briefing:
- Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.
- Regularly back up data, air gap, and password protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
- Review Task Scheduler for unrecognized scheduled tasks. Additionally, manually review operating system defined or recognized scheduled tasks for unrecognized “actions” (for example: review the steps each scheduled task is expected to perform).
- Review antivirus logs for indications they were unexpectedly turned off.
- Implement network segmentation.
- Require administrator credentials to install software.
- Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (e.g., hard drive, storage device, the cloud).
- Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.
- Use multifactor authentication where possible.
- Regularly change passwords to network systems and accounts, and avoid reusing passwords for different accounts.
- Implement the shortest acceptable timeframe for password changes.
- Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
- Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
- Install and regularly update antivirus and anti-malware software on all hosts.
Further Reading About Blackcat Ransomware
Brief assessment by Palo Alto Unit 42 threat research
Early technical reporting on Blackcat ransomware when it was first seen as Noberus