BlackCat targets enterprise environments with highly effective and adaptable ransomware

  • April 18, 2022

Kaspersky researchers have published a new study titled “A bad luck BlackCat”. The report reveals the details of two different cyber attacks carried out by the BlackCat ransomware group. The complexity of the malware used, combined with the extensive experience of the actors behind it, makes the gang one of the biggest players in today’s ransomware industry. The tools and techniques the group used during its attacks confirm the link between BlackCat and other notorious ransomware groups such as BlackMatter and REvil.

The BlackCat ransomware gang has been active since December 2021. Unlike most ransomware, BlackCat’s malware is written in the Rust programming language, whose cross-compilation support lets the same code base target both Windows and Linux systems. BlackCat therefore represents a notable shift in the technology used for ransomware development, combined with gradual refinement of the rest of its tooling.

BlackCat claims to be the successor to notorious ransomware groups such as BlackMatter and REvil. Kaspersky telemetry indicates that some members of the new BlackCat group are directly connected to BlackMatter: they use tools and techniques previously seen widely in BlackMatter operations.

In a new report titled “A bad luck BlackCat,” Kaspersky researchers shed light on two particularly interesting cyber incidents. One illustrates the risk of shared cloud hosting resources, while the other points to a flexible approach to reused, custom malware in the BlackMatter and BlackCat groups.

The first case involves an attack on a vulnerable enterprise resource planning (ERP) provider hosting multiple sites in the Middle East. The attackers targeted two different organizations hosted as virtual tenants in that environment by simultaneously delivering two different executables to the same physical server. The gang apparently treated the compromised server as two separate physical systems, and in doing so left important traces of how BlackCat operates. Kaspersky researchers concluded that the threat actor exploits the risks inherent in shared cloud resources. In addition, the group uploaded a Mimikatz batch file to the servers, together with executables and network password recovery tools from Nirsoft. A similar incident occurred in 2019, when REvil, the predecessor of the BlackMatter group, compromised a cloud service provider that supported a large number of dental practices in the US. This is one of the scenarios in which BlackCat appears to be adopting some of these older tactics.

The second case concerns a South American oil, gas, mining and construction company and reveals the link between BlackCat and the BlackMatter ransomware group. The affiliate behind this ransomware attack (possibly different from the one in the case above) not only attempted to deliver the BlackCat ransomware within the targeted network, but also installed a custom data exfiltration tool called “Fendr” before delivering the ransomware. This utility, also known as ExMatter, had previously only been seen as part of BlackMatter ransomware activity.

Kaspersky Global Research and Analysis Team Security Researcher Dmitry Galov said: “After the REvil and BlackMatter groups shut down, it was only a matter of time before another ransomware group took over their business. Knowledge of malware development, a fresh copy written from scratch in an unusual programming language and experience in infrastructure maintenance make the BlackCat group a major player in the ransomware market. In analyzing the main events we encountered, we highlighted the main functions, tools, and techniques BlackCat uses to infiltrate its victims’ networks. This information helps us protect our users and protect us from known and unknown threats. We call on the cybersecurity community to join forces and work together against emerging cybercriminal groups for a more secure future.”

More information about BlackCat ransomware is available at Securelist.com.

Experts recommend that organizations take the following measures as soon as possible to protect themselves from ransomware:

  • Keep software up to date on all devices used by the organization so that ransomware cannot exploit known vulnerabilities.
  • Train employees in safe behaviour in the business environment using dedicated courses, such as those on the Kaspersky Automated Security Awareness Platform; a free lesson on how to protect against ransomware attacks is available here.
  • Focus the defence strategy on detecting lateral movement and data exfiltration to the internet. Pay particular attention to outgoing traffic in order to detect the attackers’ connections.
  • Back up data regularly and make sure backups are quickly accessible in an emergency.
  • Stay informed about the current TTPs used by threat actors; use threat intelligence for this.
  • Use Kaspersky Endpoint Detection and Response and Kaspersky Managed Detection and Response solutions, which help identify and stop an attack early, before the attackers reach their final objective.
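
The outgoing-traffic recommendation in the list above is easiest to see as a concrete check. The following Python script is an added example, not code from the Kaspersky report or from the article: it aggregates constructed flow records by internal source host and flags hosts whose volume sent to external addresses is far out of line with their peers, the kind of egress review that would surface a bulk exfiltration run. The flow-record format, the RFC 1918 internal ranges and the thresholds are assumptions.

```python
"""Egress-volume check over flow records.

Added example, not code from the Kaspersky report or from the article. The
flow-record format (src_ip, dst_ip, bytes_sent), the internal-network list
and the thresholds are assumptions.
"""
import ipaddress
from collections import defaultdict

# Assumption: RFC 1918 ranges are "internal"; everything else is external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flows (src_ip, dst_ip, bytes_sent); RFC 5737
# documentation addresses stand in for real external hosts. Not real data.
SAMPLE_FLOWS = [
    ("10.0.1.15", "10.0.2.8",      120_000_000),   # internal to internal
    ("10.0.1.15", "203.0.113.10",    8_500_000),   # ordinary web traffic
    ("10.0.1.22", "198.51.100.7",    2_000_000),
    ("10.0.1.22", "198.51.100.7",    1_500_000),
    ("10.0.1.40", "192.0.2.55",  4_200_000_000),   # 4.2 GB to one external host
    ("10.0.1.40", "192.0.2.55",  3_900_000_000),   # ... and 3.9 GB more
    ("10.0.1.51", "203.0.113.10",    6_000_000),
]


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def egress_by_host(flows):
    """Sum bytes sent from each internal source to external destinations.

    Internal-to-internal flows are ignored here; lateral movement would be
    a separate check. Returns {src_ip: total_bytes}.
    """
    totals = defaultdict(int)
    for src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[src] += nbytes
    return dict(totals)


def median(values):
    """Median of a non-empty collection of numbers."""
    ordered = sorted(values)
    mid = len(ordered) // 2
    if len(ordered) % 2:
        return ordered[mid]
    return (ordered[mid - 1] + ordered[mid]) / 2


def flag_outliers(totals, factor=10.0, floor_bytes=1_000_000_000):
    """Return internal hosts whose egress exceeds both `factor` times the
    median egress of their peers and an absolute floor.

    The floor stops a quiet network from flagging whichever host happens to
    be busiest; the ratio catches a host far out of line with its peers.
    """
    if not totals:
        return []
    threshold = max(floor_bytes, factor * median(totals.values()))
    return sorted(src for src, total in totals.items() if total > threshold)


if __name__ == "__main__":
    totals = egress_by_host(SAMPLE_FLOWS)
    for src in flag_outliers(totals):
        print(f"{src}: {totals[src] / 1e9:.1f} GB sent to external addresses")
```

In practice the baseline would come from each host's own history rather than a single snapshot, and known destinations (backup services, cloud storage the business actually uses) would be allow-listed before alerting; the script is a starting point for the outbound-traffic review the list calls for, not a detector on its own.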

Source: (BHA) – Beyaz News Agency

Source: Haber Safir
