Microsoft’s battle with ransomware is only getting challenging and increasingly intense. In the latest development, the company said that the BlackCat ransomware affiliates are now attacking Microsoft Exchange servers. This time the affiliates’ targets are the unpatched vulnerabilities.

Modus Operandi of BlackCat ransomware affiliates

In at least one incident, Microsoft security specialists noticed that the attackers went carefully through the victim's network, obtaining credentials and exfiltrating information to be used for double extortion.
  • The threat actor used PsExec to spread BlackCat ransomware payloads across the network two weeks after the original penetration utilizing an unpatched Exchange server as an entry vector.
  • The common entry vectors for these threat actors include remote desktop applications and compromised credentials.

Was there any significant damage?

  • The extent of damage is still unknown, and also there wasn’t any mention of the Exchange vulnerability used for initial access.
  • There was also no mention of the ransomware affiliate who deployed BlackCat ransomware in this case study by Microsoft. 

Who is behind these attacks?

A financially driven cybercrime outfit known as FIN12 is suspected to be involved in this attack.
  • FIN12 is infamous for previously deploying Ryuk, Conti, and Hive ransomware in attacks. 
  • FIN12 main targets were healthcare organizations.
  • FIN12 operators are much faster and take less than two days to drop their file-encrypting payloads across a target's network.
  • Microsoft observed that FIN12 added BlackCat to their list of distributed payloads beginning March 2022.

BlackCat ransomware & DEV-0504 - what’s the connection?

The BlackCat ransomware is also being used by an affiliate group known as DEV-0504, which uses Stealbit.
  • Stealbit is a malicious tool provided by the LockBit gang to its affiliates as part of its RaaS scheme, to exfiltrate stolen data.
  • Since December 2021, DEV-0504 has also utilized other ransomware strains such as BlackMatter, Conti, LockBit 2.0, Revil, and Ryuk.

How can enterprises stay secure?

  • Enterprises need to examine their identity posture and monitor external access to their networks
  • Also, update all susceptible Exchange servers in their environment as quickly as possible to protect themselves from BlackCat ransomware attacks.

Final thoughts

While cybercriminals deploy new ransomware strains with every passing day, it's critical to have useful intelligence in advance and constant surveillance to track down and identify the threat actors behind it.
Cyware Publisher