BlackCat Ransomware Evolve

Updated on 2022-10-28: AlphV/BlackCat

Trend Micro has a pretty good profile on the AlphV/BlackCat ransomware operation. Read more: Ransomware Spotlight: BlackCat

Updated on 2022-10-03

The BlackCat ransomware gang added NJVC, an IT firm that also works with the federal government and the U.S. Department of Defense, to its list. The name was later removed from the leak site of the threat actors. Read more: BlackCat ransomware gang claims to have hacked US defense contractor NJVC

Updated on 2022-09-29: Brute Ratel leak

Security researcher William Thomas said that cracked versions of the Brute Ratel red-team framework have been leaked and are widely shared on underground hacking forums. The leak occurred after an unknown entity uploaded the Brute Ratel tool to VirusTotal earlier this month, which eventually allowed threat actors to get hold of it and crack its installer. Brute Ratel’s author blamed security firm MDSec for the leak, but the tool had already been used in attacks since July, including ALPHV/BlackCat ransomware attacks. In the meantime, defenders might want to get acquainted with detecting Brute Ratel beacons before it’s too late.

Updated on 2022-09-29

A cracked version of post-exploitation toolkit Brute Ratel is being shared for free across English- and Russian-speaking hacking forums. Read more: Hackers now sharing cracked Brute Ratel post-exploitation kit online

Palo Alto Networks said it identified a suspected APT29 campaign that abused Brute Ratel, an adversary emulation framework developed by a former Crowdstrike and Mandiant security engineer. The Brute Ratel author said they took actions against the licenses abused in these attacks, which they claim were sold on the black market.

Updated on 2022-09-23: More on ExMatter

And if you didn’t like that report on ExMatter, here’s one from Stairwell instead. As Lucian Constantin points out in his CSO coverage, ExMatter might be a game changer since it allows BlackCat operators to exfiltrate files, corrupt them on the victim’s network, and then demand a ransom to return them—a process that’s much faster than encrypting and decrypting them.

The BlackCat ransomware gang is now attacking targets with an upgraded version of its data exfiltration tool, named Exmatter, adding more stealth to its operation. Read more: BlackCat ransomware’s data exfiltration tool gets an upgrade

European Energy Company Encevo Discloses Cyberattack

Luxembourg-based energy provider Encevo has acknowledged that some of its subsidiaries were targeted in a cyberattack. Encevo says that the attackers exfiltrated data and rendered data inaccessible. Customers are advised to reset account credentials.

Note

  • Indicators point to this as the BlackCat ransomware and that they threatened to post 180,000 files (about 150GB), adding extortion to their ransomware plans. Encevo is still working to determine the scope of the attack and plan their recovery. While customers are advised to reset their credentials, I would hold off until they are certain the malware is contained/eradicated. If you happen to have used the same credentials with Encevo and ANY OTHER service, change those non-Encevo passwords immediately, enabling MFA if offered.

AlphV evolves

The operators of the AlphV (BlackCat) ransomware have launched a dedicated section on their leak site that allows anyone to search through all the data they stole and leaked from past victims. More in this Resecurity report.

The BlackCat ransomware group becomes one of the most widely spread families

Threat actors continue to deploy the BlackCat ransomware, pushing it up the ranks of the most-used ransomware-as-a-service families. Security researchers have seen different threat groups deploy BlackCat, sometimes after using Mimikatz as the initial infection vector and as a credential dumper. Microsoft recently found that two of the most prolific ransomware groups switched away from other families such as Conti in favor of BlackCat. BlackCat has been spotted being deployed in regions across the globe, including Africa, North America, South America, Asia, and Europe. Microsoft also warned that attackers most often target unpatched Microsoft Exchange Server instances with widely known vulnerabilities. Read more: Prolific Ransomware Affiliate Groups Deploy BlackCat, by Lindsey O’Donnell-Welch

BlackCat ransomware

Microsoft has published a report on the recent operations of the BlackCat/ALPHV ransomware-as-a-service (RaaS) operation. Microsoft said BlackCat’s for-rent ransomware had been adopted by several of the major underground cybercrime gangs such as DEV-0237 (aka FIN12) and DEV-0504 (a prolific ransomware affiliate on many other RaaS programs).

Also, BlackCat

In addition, a new report says the BlackCat group is now using clear-web websites, on domains personalized to each victim, as a way to threaten its targets and leak their data.

FBI: Black Cat Ransomware IoCs

The FBI has published a TLP:WHITE Flash alert that includes indicators of compromise (IoCs) for Black Cat, also known as ALPHV, ransomware-as-a-service. Black Cat is the first known ransomware to be written in Rust. The ransomware’s operators appear to be focusing on industrial organizations. In addition to the IoCs, the Flash alert includes technical details and recommended mitigations. The FBI also states that it “is seeking any information that can be shared, to include IP logs showing callbacks from foreign IP addresses, Bitcoin or Monero addresses and transaction IDs, communications with the threat actors, the decryptor file, and/or a benign sample of an encrypted file.”

Note

  • The FBI wants to hear from you if you’re seeing this activity. Make sure that you know your local FBI office and whom to contact there. Build that relationship now, before you need their help.
  • Early detection is essential if the IoCs are to be useful. Given a few hours, the ransomware compromise will announce itself.

Oil Companies Impacted by Cyberattack

Seaports in Germany, Belgium, and the Netherlands have reported IT disruptions following what appears to be a cyberattack. Authorities are investigating the incident, which affects SEA-Tank, Oiltanking, and Evos terminals. Germany’s Federal Office for Information Security (BSI) says the BlackCat ransomware group may be responsible for the attack.

Note

  • I am reminded that one of the root causes for the Colonial Pipeline breach was a VPN user reverting to a discoverable non-unique password. Is your scenario when your MFA tokens are lost/stolen/broken subject to similar risks? The actions taken by the German companies include invoking the “force majeure” clause in their contracts to free them from liabilities arising from the interruptions of services to customers. This is because with the level of automation involved, manual operation is not practical except on a very limited scale. Consider the scale of operations in a similar attack on your business and verify you have sufficient contract language or other agreements with your customers to manage side-effects of radically impacted service delivery.
  • Analysts are claiming BlackCat is a rebrand of BlackMatter, which was itself a rebrand of DarkSide (the group that ransomed and extorted Colonial Pipeline). Attribution matters, and I am looking forward to more details on these attacks.
