BlackCat ransomware on a spree, enters systems through unpatched MS Exchange
BlackCat, one of the first ransomware families written in the Rust programming language, entered the stage in November 2021. Lately, it’s been among the most active ransomware gangs.
This week, threat intelligence and Italian media hinted that the University of Pisa in Italy might have been hit by BlackCat ransomware. The group allegedly asked the university to pay $4.5 million by 16 June.
According to the cybersecurity analyst ANOZR WAY, BlackCat is one of the most active ransomware gangs, responsible for approximately 12% of the total attacks observed. The only two more active groups are Lockbit 2.0, responsible for nearly four in ten attacks observed, and Conti (23%).
On Monday, Microsoft released a blog detailing the BlackCat ransomware threat. The company has observed successful attacks against Windows and Linux devices and VMWare instances.
“The BlackCat ransomware, also known as ALPHV, is a prevalent threat and a prime example of the growing ransomware-as-a-service (RaaS) gig economy,” it said.
Writing the ransomware in Rust helps the gang evade detection by conventional security tools and makes it harder for defenders to reverse engineer the payloads or compare them with similar threats.
Typically, these threat actors breach systems via remote desktop applications and compromised credentials. In one incident, Microsoft observed attackers taking advantage of an unpatched Exchange server to enter the target organization.
“It was a full two weeks from the initial compromise before the attackers progressed to ransomware deployment, thus highlighting the need for triaging and scoping out alert activity to understand accounts and the scope of access an attacker gained from their activity,” Microsoft said.
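The two-week gap Microsoft describes is the window in which triaging early alerts can still stop the deployment. The following script is an added illustration, not code from the article or from Microsoft: it reads constructed alert lines, groups them per account to show which hosts each account touched, and measures dwell time from the first alert to the first ransomware-stage alert. The alert types, the host-count threshold and the sample data are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (not from the article). One alert per line:
# timestamp, account, host, alert_type
SAMPLE_ALERTS = """\
2022-05-02T08:15:00 svc-exchange EXCH01 webshell_dropped
2022-05-02T09:40:00 svc-exchange EXCH01 suspicious_process
2022-05-04T22:10:00 jdoe WS-0117 rdp_logon_unusual_hour
2022-05-09T01:05:00 jdoe FS01 lateral_movement_smb
2022-05-16T03:30:00 jdoe FS01 mass_file_rename
2022-05-16T03:31:00 jdoe DC01 ransom_note_written
"""

# Assumed alert types that indicate the ransomware stage has begun.
RANSOMWARE_STAGE = {"mass_file_rename", "ransom_note_written"}


def parse_alerts(text):
    """Turn the whitespace-separated alert lines into dicts with parsed timestamps."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, host, kind = line.split()
        alerts.append({
            "ts": datetime.fromisoformat(ts),
            "account": account,
            "host": host,
            "type": kind,
        })
    return sorted(alerts, key=lambda a: a["ts"])


def scope_by_account(alerts):
    """Per account: first and last alert time, hosts touched and alert types seen.

    This is the 'scope of access' view: which identities are involved and how
    far each one has reached across the environment.
    """
    scope = {}
    for a in alerts:
        entry = scope.setdefault(a["account"], {
            "first": a["ts"], "last": a["ts"], "hosts": set(), "types": [],
        })
        entry["last"] = a["ts"]
        entry["hosts"].add(a["host"])
        entry["types"].append(a["type"])
    return scope


def dwell_time(alerts):
    """Time from the earliest alert to the first ransomware-stage alert, or None."""
    if not alerts:
        return None
    first = alerts[0]["ts"]
    for a in alerts:
        if a["type"] in RANSOMWARE_STAGE:
            return a["ts"] - first
    return None


def accounts_to_contain(scope, min_hosts=2):
    """Accounts that have reached at least min_hosts distinct hosts (assumed threshold)."""
    return sorted(acct for acct, s in scope.items() if len(s["hosts"]) >= min_hosts)


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    scope = scope_by_account(alerts)
    for acct, s in scope.items():
        print(f"{acct}: {s['first']} -> {s['last']}, hosts={sorted(s['hosts'])}")
    print("dwell time before ransomware stage:", dwell_time(alerts))
    print("accounts to contain:", accounts_to_contain(scope))
```

Run as-is, the script shows that the service account only ever touched the Exchange host, while the second account crossed three hosts before encryption started almost fourteen days after the first alert; that per-account reach, not the individual alert, is what decides which credentials to reset and which hosts to isolate.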
The company also observed two of the most prolific affiliate groups – DEV-0237 and DEV-0504 – deploying BlackCat. DEV-0237 has been observed distributing Hive, Conti, and Ryuk, and toying with the following ransomware families: BlackMatter, Conti, LockBit 2.0, Revil, and Ryuk.
“Payload switching is typical for some RaaS affiliates to ensure business continuity or if there’s a possibility of better profit. Unfortunately for organizations, such adoption further adds to the challenge of detecting related threats,” Microsoft said.