BlackCat Ransomware Group Targets Companies With Vulnerable Windows And Linux Systems
JAKARTA - Researchers from the cybersecurity company Kaspersky have uncovered two incidents carried out by the ransomware group BlackCat, one of the major players in today's ransomware market.
In a recent report entitled "A bad luck BlackCat," Kaspersky researchers examine the tools and techniques used in the attacks to confirm the connection between BlackCat and other well-known ransomware groups such as BlackMatter and REvil.
The BlackCat ransomware group is a threat actor that has been operating since at least December 2021. Unlike most other ransomware families, the BlackCat malware is written in the Rust programming language.
"Thanks to Rust's advanced cross-compilation capabilities, BlackCat can target Windows and Linux systems. In other words, BlackCat has introduced incremental advancements and technology shifts that are used to address ransomware development challenges," explains Dmitry Galov, security researcher at Kaspersky's Global Research and Analysis Team (GReAT), in a statement received by VOI on Monday, April 11.
The actor claims to be the successor to well-known ransomware groups like BlackMatter and REvil. Of the two incidents Kaspersky managed to uncover, one demonstrated the risks posed by shared cloud hosting resources and the other demonstrated an agile approach to custom malware reuse across BlackMatter and BlackCat activities.
The first case concerns an attack on a vulnerable Enterprise Resource Planning (ERP) provider in the Middle East that hosts multiple sites.
The attacker delivered two different executables to the same physical server at the same time, targeting two different organizations that were virtually hosted on it.
"Although the group misunderstood the infected server as two different physical systems, the attacker left a trail that was important to determine BlackCat's operating style," Galov said.
Kaspersky researchers concluded that the actor was exploiting the risk inherent in shared assets across cloud resources: one compromised physical host exposes every tenant on it. In this case the group also dropped a Mimikatz batch file together with Nirsoft network and password recovery utilities.
The second case involves oil, gas, mining and construction companies in South America and reveals links between BlackCat and BlackMatter ransomware activities.
The affiliate behind this ransomware attack not only attempted to deliver the BlackCat ransomware within the targeted network, but also preceded the ransomware deployment with a modified version of a custom data exfiltration utility called Fendr.
This utility, also known as ExMatter, has previously been used exclusively as part of the BlackMatter ransomware activity.
“After the REvil and BlackMatter groups closed operations, it didn't take long for another ransomware group to take over their niche. Knowledge of malware development, new examples written from scratch in unusual programming languages, and experience in maintaining infrastructure, have turned the BlackCat group into a major player in the ransomware market," said Galov.
By analyzing these incidents, Kaspersky researchers highlight the key features, tools and techniques used by BlackCat when penetrating its target networks.
"This knowledge helps us keep our users safe and protected from both known and unknown threats," Galov said.
"We urge the cybersecurity community to join forces and work together against a new group of cybercriminals for a safer future."