Microsoft warns that the BlackCat ransomware team is exploiting unpatched Exchange Server vulnerabilities to gain access to targeted networks.

After gaining an entry point, the attackers quickly moved to gather information about the compromised machines, then performed credential theft and lateral movement, before harvesting intellectual property and deploying the ransomware payload.

The full sequence of events unfolded over the course of two full weeks, the Microsoft 365 Defender Threat Intelligence team said in a report released this week.

“In another incident we observed, we discovered that a ransomware affiliate gained initial access to the environment via an internet-facing remote desktop server using compromised credentials to log in,” the researchers said, noting how no two BlackCat “lives” or deployments may look alike.

BlackCat, also known as ALPHV and Noberus, is a relatively new entrant into the hyperactive ransomware space. It is also known to be one of the first cross-platform ransomware families written in Rust, illustrating a trend where threat actors are turning to uncommon programming languages in an attempt to evade detection.

The Ransomware-as-a-Service (RaaS) operation, regardless of the initial access vector used, results in the exfiltration and encryption of target data, which is then held for ransom under what is known as double extortion.


The RaaS model has proven to be a lucrative gig-economy cybercriminal ecosystem comprised of three different key players: initial access brokers (IABs), who compromise networks and maintain persistence; operators, who develop and maintain the ransomware operations; and affiliates, who purchase access from IABs to deploy the actual payload.

According to an alert issued by the US Federal Bureau of Investigation (FBI), BlackCat ransomware attacks had claimed at least 60 victims worldwide as of March 2022, since the ransomware was first spotted in November 2021.


Additionally, Microsoft said “two of the most prolific affiliated threat groups,” which have been associated with multiple ransomware families such as Hive, Conti, REvil, and LockBit 2.0, are now distributing BlackCat.


This includes DEV-0237 (aka FIN12), a financially motivated threat actor that was last seen targeting the healthcare sector in October 2021, and DEV-0504, which has been active since 2020 and tends to switch payloads when a RaaS program shuts down.

“DEV-0504 was responsible for deploying BlackCat ransomware to energy companies in January 2022,” Microsoft noted last month. “Around the same time, DEV-0504 also deployed BlackCat in attacks against companies in fashion, tobacco, IT, and manufacturing, among others.”

Instead, the findings are an indicator of how affiliate actors are increasingly jumping on the RaaS bandwagon to monetize their attacks, while adopting markedly different pre-ransom steps to deliver the ransomware payload within a target organization’s network, posing significant challenges to conventional defense approaches.

“Detecting threats like BlackCat, while good, is no longer enough as human-operated ransomware continues to grow, evolve, and adapt to the networks they’re deployed on or the attackers they work for,” the researchers said. “These types of attacks continue to leverage an organization’s poor credential hygiene and legacy configurations or misconfigurations to succeed.”