Azure Storage Compromised in Latest BlackCat Ransomware Attack

Modus operandi

• After gaining unauthorized access to the victim's Sophos Central account by using a stolen OTP, the BlackCat gang proceeded to disable the Tamper Protection feature and made alterations to the security policies. 
• These actions were made possible by pilfering the OTP from the victim's LastPass vault through the LastPass Chrome extension.
• Following this breach, the attackers proceeded to encrypt the systems belonging to the Sophos customer as well as their remote Azure cloud storage. 
• They also added the ".zk09cvt" extension to all the files that they locked.

A bit on Sphynx 

• A deep dive by IBM Security X-Force revealed that Sphynx has updated capabilities, enabling the BlackCat ransomware to evade detection efficiently.
• For instance, changes have been made to the command line arguments. 
• In earlier versions, the ransomware operated by using the "-access-token" parameter for execution. However, Sphynx eliminates this parameter and introduces a set of more intricate arguments.

BlackCat in news

• In 2023, ALPHV and Cl0P emerged as the most frequent ransomware groups targeting U.K organizations with £10 million (~ $12 million) in bank assets, replacing Karakurt as the leading ransomware threat against large organizations.
• In July, the FIN8 group was found disseminating the BlackCat ransomware via a new variant of its Sardonic backdoor.

The bottom line