
FBI Warns About the Escalating Blackcat Ransomware Attacks

The Federal Bureau of Investigation (FBI) has recently issued an alert with updated details of the Indicators of Compromise (IoCs) used by the BlackCat/ALPHV ransomware. This comes as a warning for organizations as BlackCat hits several high-profile victims across the globe. The group claimed an attack on aviation services provider Swissport in February. Two German oil companies, Mabanaft and Oiltanking, were also infected by the ransomware, which demanded huge ransom payments after encrypting their files.

What’s the update?

  • In the latest flash alert, the FBI has indicated that BlackCat/ALPHV is the first ransomware group to use the Rust programming language for its toolset, with which it compromised at least 60 firms worldwide between November 2021 and March 2022.
  • Many of the developers and money launderers are linked to DarkSide/BlackMatter, indicating that they have extensive networks and experience with ransomware operations.
  • As part of the infection chain, the attackers leverage previously compromised user credentials to gain initial access to victims’ systems.
  • The malware uses Windows Task Scheduler to configure malicious Group Policy Objects (GPOs) to deploy the ransomware.
  • It also uses PowerShell scripts and Cobalt Strike Beacon, Windows administrative tools, and Microsoft Sysinternals tools during the compromise.
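As an added defender-side example (not code from the FBI alert or this article), the following Python flags the two staging steps named above when run over constructed Windows Security events: a scheduled-task creation (event 4698) whose command runs from a user-writable path, and a directory-object modification (event 5136) on a groupPolicyContainer. The sample records, field names and path list are assumptions modelled on the Security log schema; adapt them to your own export format.

```python
import re

# Constructed sample events (not real telemetry); field names follow the
# Windows Security log schema for 4698 (task created) and 5136 (AD object modified).
SAMPLE_EVENTS = [
    {"EventID": 4698, "SubjectUserName": "svc_backup",
     "TaskName": "\\Update",
     "TaskContent": "<Exec><Command>C:\\Users\\Public\\upd.exe</Command></Exec>"},
    {"EventID": 4698, "SubjectUserName": "SYSTEM",
     "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "TaskContent": "<Exec><Command>%windir%\\system32\\defrag.exe</Command></Exec>"},
    {"EventID": 5136, "SubjectUserName": "svc_backup",
     "ObjectClass": "groupPolicyContainer",
     "AttributeLDAPDisplayName": "gPCMachineExtensionNames"},
    {"EventID": 4624, "SubjectUserName": "jdoe"},
]

# Directories a legitimately packaged scheduled task rarely launches from (assumed list).
SUSPICIOUS_PATH = re.compile(
    r"(?i)\\(users\\public|programdata|temp|perflogs|users\\[^\\]+\\appdata)\\")
COMMAND = re.compile(r"<Command>(.*?)</Command>", re.S)

def task_command(event):
    """Return the executable path from a 4698 event's task XML, or '' if absent."""
    match = COMMAND.search(event.get("TaskContent", ""))
    return match.group(1).strip() if match else ""

def detect(events):
    """Return (rule, user, detail) tuples for events that merit a triage ticket."""
    hits = []
    for ev in events:
        user = ev.get("SubjectUserName", "?")
        if ev.get("EventID") == 4698:
            cmd = task_command(ev)
            if SUSPICIOUS_PATH.search(cmd):
                hits.append(("task_from_user_writable_path", user, cmd))
        elif (ev.get("EventID") == 5136
              and ev.get("ObjectClass") == "groupPolicyContainer"):
            hits.append(("gpo_modified", user, ev.get("AttributeLDAPDisplayName", "")))
    return hits

def users_touching_both(hits):
    """Accounts that both created a suspicious task and changed a GPO: escalate first."""
    rules_by_user = {}
    for rule, user, _ in hits:
        rules_by_user.setdefault(user, set()).add(rule)
    return sorted(u for u, r in rules_by_user.items()
                  if {"task_from_user_writable_path", "gpo_modified"} <= r)

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
    print("correlated:", users_touching_both(detect(SAMPLE_EVENTS)))
```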

Additional information

  • Earlier this month, researchers from Kaspersky revealed a new data theft tool used by the BlackCat ransomware group.
  • Called Fendr, the data exfiltration tool was used by the group to target industrial network environments.
  • One such incident was observed at an oil, gas, mining, and construction company in South America. The hacker had deployed a version of the Fendr tool after compromising the organization’s systems.
  • Researchers made a note that this customizable data-stealing tool was also used by the BlackMatter ransomware group in multiple attacks.

Other key points

  • The ALPHV ransomware group has also evolved its evasion techniques to ensnare more victims.
  • Recently, the group was found leveraging third-party frameworks and toolsets, as well as the DLL injection technique, to evade detection.

Conclusion

The FBI does not encourage paying ransoms as they do not guarantee the recovery of affected files. Rather, the agency has urged organizations to prevent future attacks by bolstering their defense systems. Additionally, the organizations must promptly report ransomware incidents to the local FBI field office.

Cyware Publisher
