Updated on 2023-01-02
The BlackCat ransomware gang (ALPHV) came up with the new tactic of creating a replica of the victim’s site and publishing stolen data on it. The cloned site is on the clear web.
Updated on 2022-12-16
OALABS researchers have published tips and IOCs that can be used to detect threat actors that employ the Brute Ratel pen-testing framework. Read more: A Customized Command and Control Center for Red Team and Adversary Simulation
Updated on 2022-11-28: Brute Ratel
A Chinese malware researcher going by the name of Panda Zhengzheng has published a breakdown of Brute Ratel C4, a pen-testing tool that has recently been abused by various threat actors. According to Zhengzheng, Brute Ratel, together with Metasploit, Cobalt Strike, Empire, and Sliver, makes up the set of five red team utilities known as the Five Tigers in the Chinese cybersecurity ecosystem. Read more: Brute Ratel C4 Badger分析实战与检测
Updated on 2022-10-28: AlphV/BlackCat
Trend Micro has a pretty good profile on the AlphV/BlackCat ransomware operation. Read more: Ransomware Spotlight: BlackCat
Updated on 2022-10-03
The BlackCat ransomware gang added NJVC, an IT firm that also works with the federal government and the U.S. Department of Defense, to its list. The name was later removed from the leak site of the threat actors. Read more: BlackCat ransomware gang claims to have hacked US defense contractor NJVC
Updated on 2022-09-29: Brute Ratel leak
Security researcher William Thomas said that cracked versions of the Brute Ratel red-team framework have been leaked and are widely shared on underground hacking forums. The leak occurred after an unknown entity uploaded the Brute Ratel tool to VirusTotal earlier this month, which eventually allowed threat actors to get hold of it and crack its installer. Brute Ratel’s author blamed security firm MDSec for the leak, but the tool had already been used in attacks since July, including ALPHV/BlackCat ransomware attacks. In the meantime, defenders might want to get acquainted with detecting Brute Ratel beacons before it’s too late.
Brc4 v1.2.2/5 was leaked by MdSec and is circling the internet. I have been tracking it over the past few weeks. MdSec uploaded the whole package to VT, which was cracked by a Russian group, Molecules, and is now used by TAs, which will most likely create irreparable damage. blog incoming pic.twitter.com/3NpUh2lOYF
— Chetan Nayak (Brute Ratel C4 Author) (@NinjaParanoid) September 28, 2022
Read more in
- Brute Ratel cracked and shared across the Cybercriminal Underground
- BlackCat ransomware attacks not merely a byproduct of bad luck
- PART 3: How I Met Your Beacon – Brute Ratel
Updated on 2022-09-29
A cracked version of post-exploitation toolkit Brute Ratel is being shared for free across English- and Russian-speaking hacking forums. Read more: Hackers now sharing cracked Brute Ratel post-exploitation kit online
Palo Alto Networks said it identified a suspected APT29 campaign that abused Brute Ratel, an adversary emulation framework developed by a former CrowdStrike and Mandiant security engineer. The Brute Ratel author said they took action against the licenses abused in these attacks, which they claim were sold on the black market.
Updated on 2022-09-23: More on ExMatter
And if you didn’t like that report on ExMatter, here’s one from Stairwell instead. As Lucian Constantin points out in his CSO coverage, ExMatter might be a game changer since it allows BlackCat operators to exfiltrate files, corrupt them on the victim’s network, and then demand a ransom to return them—a process that’s much faster than encrypting and decrypting them.
Read more in
- Exmatter: Clues to the future of data extortion
- Ransomware operators might be dropping file encryption in favor of corrupting files
The BlackCat ransomware gang is now attacking targets with an upgraded version of its data exfiltration tool, named Exmatter, adding more stealth to its operation. Read more: BlackCat ransomware’s data exfiltration tool gets an upgrade
European Energy Company Encevo Discloses Cyberattack
Luxembourg-based energy provider Encevo has acknowledged that some of its subsidiaries were targeted in a cyberattack. Encevo says that the attackers exfiltrated data and rendered data inaccessible. Customers are advised to reset account credentials.
- Indicators point to this as the BlackCat ransomware and that they threatened to post 180,000 files (about 150GB), adding extortion to their ransomware plans. Encevo is still working to determine the scope of the attack and plan their recovery. While customers are advised to reset their credentials, I would hold off until they are certain the malware is contained/eradicated. If you happen to have used the same credentials with Encevo and ANY OTHER service, change those non-Encevo passwords immediately, enabling MFA if offered.
Read more in
- Ransomware Hit on European Pipeline & Energy Supplier Encevo Linked to BlackCat
- BlackCat ransomware claims attack on European gas pipeline
- Encevo Cyberattack
The operators of the AlphV (BlackCat) ransomware have launched a dedicated section on their leak site that allows anyone to search through all the data they stole and leaked from past victims. More in this Resecurity report.
The BlackCat ransomware group becomes one of the most widely spread families
Threat actors are continually deploying the BlackCat ransomware, raising it up the ranks of the most-used ransomware-as-a-service families. Security researchers have seen different threat groups deploy BlackCat, sometimes after using Mimikatz as the initial infection vector and a credential dumper. Microsoft recently found that two of the most prolific ransomware affiliate groups switched away from other families like Conti in favor of BlackCat. BlackCat has been spotted being deployed in regions across the globe, including Africa, North America, South America, Asia, and Europe. Microsoft also warned that attackers most often target unpatched Microsoft Exchange Server instances with widely known vulnerabilities. Read more: Prolific Ransomware Affiliate Groups Deploy BlackCat, by Lindsey O’Donnell-Welch
Microsoft has published a report on the recent operations of the BlackCat/ALPHV ransomware-as-a-service (RaaS) operation. Microsoft said BlackCat’s for-rent ransomware had been adopted by several of the major underground cybercrime gangs such as DEV-0237 (aka FIN12) and DEV-0504 (a prolific ransomware affiliate on many other RaaS programs).
In addition, there is a new report that the BlackCat group is now using clear web websites, on domains tailored to each victim, as a way to threaten its targets and leak their data.
FBI: Black Cat Ransomware IoCs
The FBI has published a TLP: White Flash alert that includes indicators of compromise (IoCs) for Black Cat, also known as ALPHV, ransomware-as-a-service. Black Cat is the first known ransomware to be written in Rust. The ransomware’s operators appear to be focusing on industrial organizations. In addition to the IoCs, the Flash alert includes technical details and recommended mitigations. In addition, “the FBI is seeking any information that can be shared, to include IP logs showing callbacks from foreign IP addresses, Bitcoin or Monero addresses and transaction IDs, communications with the threat actors, the decryptor file, and/or a benign sample of an encrypted file.”
- The FBI wants to hear from you if you’re seeing this activity. Make sure that you know your local FBI office and whom to contact there. Build that relationship now, before you need their help.
- Early detection is essential if the IoCs are to be useful. Given a few hours, the ransomware compromise will announce itself.
Read more in
- BlackCat/ALPHV Ransomware Indicators of Compromise (PDF)
- FBI seeks information on ALPHV ransomware group, aka BlackCat
- FBI Shares Information on BlackCat Ransomware Attacks
- FBI: BlackCat ransomware breached at least 60 entities worldwide
Oil Companies Impacted by Cyberattack
Seaports in Germany, Belgium, and the Netherlands have reported IT disruptions following what appears to be a cyberattack. Authorities are investigating the incident, which affects SEA-Tank, Oiltanking, and Evos terminals. Germany’s Federal Office for Information Security (BSI) says the BlackCat ransomware group may be responsible for the attack.
- I am reminded that one of the root causes for the Colonial Pipeline breach was a VPN user reverting to a discoverable non-unique password. Is your scenario when your MFA tokens are lost/stolen/broken subject to similar risks? The actions taken by the German companies include invoking the “force majeure” clause in their contracts to free them from liabilities arising from the interruptions of services to customers. This is because with the level of automation involved, manual operation is not practical except on a very limited scale. Consider the scale of operations in a similar attack on your business and verify you have sufficient contract language or other agreements with your customers to manage side-effects of radically impacted service delivery.
- Analysts are claiming BlackCat is a rebrand of BlackMatter, which was a rebrand of DarkSide (which ransomed and extorted Colonial Pipeline). Attribution matters, and I am looking forward to more details on these attacks.