DailyPost 2091

Calling ransomware the biggest cybercrime or a leading cyber security threat is a misnomer: what it actually entails is crippling whatever it sets out to cripple. We have seen this happening over and over again, from the days of WannaCry to the recent attacks on Colonial Pipeline and JBS. We are not getting into how much ransom was paid, how much data comes back to the victim or what the chances of a second attack are; we would leave that for another day. Microsoft Exchange Servers have a large share of the global market, and the BlackCat ransomware gang has started targeting unpatched Microsoft Exchange servers as part of a new strategy. The changing dimensions of cyber-attacks are mind boggling, and ransomware attacks alone can be enough work for a lifetime.

BlackCat is also known by other names: ALPHV and Noberus. It is a new entrant, as discussed, in the hyperactive ransomware space. The language used is Rust; it happens to be one of the first cross-platform ransomware families written in this language. What does this indicate? Is it another way of hoodwinking? Precisely so. It highlights a trend wherein threat actors are switching to uncommon programming languages in an attempt to evade detection. The amount of work and research being done by these ransomware gangs is phenomenal. They are completely hands on; there is nothing theoretical about their trade. Their success is known to the world. Cash booty has become intricately intertwined with ransomware. That is its DNA.

The US Federal Bureau of Investigation (FBI) has raised an alert stating that BlackCat ransomware attacks have victimized at least 60 entities worldwide as of March 2022. It first came into the public domain only in November 2021. Once BlackCat gains entry, it swiftly gathers information about the compromised machines; next comes credential theft, followed by lateral movement, to find out the maximum damage that can be inflicted. The intellectual property is then harvested, and the exercise ends with dropping the ransomware payload. In one incident, a ransomware affiliate gained access via a Remote Desktop server using compromised credentials. It is also pointed out that "no two BlackCat 'lives' or deployments might look the same."

Double extortion has become a standard game now. They are looking into newer and surer ways of monetising the same activities. RaaS, the ransomware-as-a-service model, has turned out to be very lucrative, creating a gig-economy style cybercriminal ecosystem. There are three different players in this game: the initial access brokers, the operators and the affiliates, who purchase access from the initial access brokers to deploy the actual payload. Microsoft has also said that "two of the most prolific" groups, which have been associated with several ransomware families such as Hive, Conti, REvil and LockBit 2.0, are now distributing BlackCat. You can make an assessment of the threat perception yourself: starting from the energy sector, they have spread their tentacles into the fashion, tobacco, IT and manufacturing industries.

Sanjay Sahay
