This Aggressive New Strain Of Ransomware Has Hit At Least 60 Organizations Around The World

JAKARTA - A new ransomware strain, BlackCat, also known as ALPHV, compromised at least 60 organizations worldwide between November 2021 and March 2022.

In a Flash alert, the Federal Bureau of Investigation (FBI) describes BlackCat as a ransomware-as-a-service (RaaS) operation and the first ransomware group to carry out such attacks successfully using Rust, a programming language regarded as more secure than its predecessors that also offers better performance and reliable concurrent processing.

The BlackCat ransomware itself is highly customizable: it supports multiple encryption methods and configuration options that let affiliates tailor each attack to the target enterprise environment.

Since the start of the year, the FBI has issued other warnings describing how ransomware gangs, including BlackByte, Ragnar Locker and AvosLocker, have targeted and breached dozens of critical infrastructure organizations in the United States.

"BlackCat typically demands payment in Bitcoin and Monero in exchange for the decryption key, and although requests are typically in the millions, it often accepts payments below the original request," the FBI said.

BlackCat also has strong ties to DarkSide (later rebranded BlackMatter), a group with an extensive network and considerable experience running malware and ransomware operations.

"Many developers and money launderers for BlackCat/ALPHV are associated with Darkside/Blackmatter, demonstrating that they have extensive networks and experience with ransomware operations," the FBI said.

The DarkSide RaaS operation launched in August 2020 and shut down in May 2021 under pressure from law enforcement agencies following the widely publicized attack on Colonial Pipeline.

The group resurfaced as BlackMatter on July 31, 2021, but was forced to shut down again in November 2021 after Emsisoft found and exploited a flaw in the ransomware to build a decryptor and the gang's servers were seized.

How the BlackCat Ransomware Gang Attacks Its Victims

Typically, an attack starts with previously compromised credentials, which give the attacker initial access to the target network. The group then compromises Active Directory user and administrator accounts and uses Windows Task Scheduler to configure malicious Group Policy Objects (GPOs) that deploy the ransomware across the domain.

The initial deployment of the malware relies on PowerShell scripts, used together with Cobalt Strike, and disables security features within the victim's network.

Before encrypting systems, the attackers exfiltrate as much data as they can, including data pulled from any cloud hosting providers the victim uses. Finally, with the help of Windows scripting, BlackCat spreads the ransomware to additional hosts.

The FBI's alert also includes a comprehensive list of recommended mitigations, starting with reviewing domain controllers, servers, workstations and Active Directory for new or unrecognized user accounts.

Other recommendations include backing up data regularly and keeping the backups offline, reviewing Task Scheduler for unknown scheduled tasks, and requiring administrator credentials for any software installation.
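The two review steps above, looking for new or unrecognized accounts and for unknown scheduled tasks, can be checked mechanically against Windows Security event logs exported from a SIEM or from the domain controllers. The Python below is an added example written for this article, not code from the FBI alert or from any product; the event records are constructed for illustration, the field names follow the data carried by Windows Security event IDs 4720 (a user account was created) and 4698 (a scheduled task was created), and the approved-account list and computer names are hypothetical.

```python
"""Triage exported Windows Security events for two BlackCat mitigations the
FBI recommends: new/unknown user accounts and unknown scheduled tasks.

Added example. SAMPLE_EVENTS is constructed for illustration, not real
telemetry; a SIEM export that yields one dict per event is assumed.
"""
import re
import xml.etree.ElementTree as ET

# Windows Security log event IDs (documented by Microsoft).
EVENT_USER_CREATED = 4720   # "A user account was created"
EVENT_TASK_CREATED = 4698   # "A scheduled task was created"

# Task Scheduler folder that holds Windows' own tasks; anything outside it
# was registered by an administrator, an installer, or an intruder.
BENIGN_TASK_PREFIX = "\\Microsoft\\"
# Interpreters that ransomware deployment scripts are usually launched through.
SUSPICIOUS_COMMANDS = re.compile(
    r"(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32)(\.exe)?$", re.I)
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


def task_xml(command, arguments=""):
    """Build a minimal Task Scheduler definition for the constructed samples."""
    return (
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        "<Actions><Exec>"
        f"<Command>{command}</Command><Arguments>{arguments}</Arguments>"
        "</Exec></Actions></Task>"
    )


# Constructed sample: two account creations and two task registrations.
SAMPLE_EVENTS = [
    {"EventID": 4720, "Computer": "DC01.corp.example",
     "SubjectUserName": "hr.admin", "TargetUserName": "jdoe"},
    {"EventID": 4720, "Computer": "DC01.corp.example",
     "SubjectUserName": "svc_backup", "TargetUserName": "sqlsvc2"},
    {"EventID": 4698, "Computer": "WS-0412.corp.example", "SubjectUserName": "SYSTEM",
     "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "TaskContent": task_xml("%windir%\\system32\\defrag.exe", "-c -h -o -$")},
    {"EventID": 4698, "Computer": "FS02.corp.example", "SubjectUserName": "svc_backup",
     "TaskName": "\\Update",
     "TaskContent": task_xml(
         "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
         "-ep bypass -w hidden -f \\\\FS02\\share\\deploy.ps1")},
]


def find_new_accounts(events, approved_accounts):
    """Return (computer, new account, creator) for 4720 events whose target
    account is not on the approved list supplied by the account owners."""
    approved = {a.lower() for a in approved_accounts}
    hits = []
    for ev in events:
        if ev["EventID"] != EVENT_USER_CREATED:
            continue
        name = ev["TargetUserName"]
        if name.lower() not in approved:
            hits.append((ev["Computer"], name, ev["SubjectUserName"]))
    return hits


def task_command(task_content):
    """Extract the executable and arguments from a 4698 TaskContent XML body."""
    root = ET.fromstring(task_content)
    cmd = root.find(".//t:Exec/t:Command", TASK_NS)
    args = root.find(".//t:Exec/t:Arguments", TASK_NS)
    return (cmd.text.strip() if cmd is not None and cmd.text else "",
            args.text.strip() if args is not None and args.text else "")


def find_suspicious_tasks(events):
    """Return (computer, task, registrant, command, args, reasons) for 4698
    events registered outside \\Microsoft\\ or running a script interpreter."""
    hits = []
    for ev in events:
        if ev["EventID"] != EVENT_TASK_CREATED:
            continue
        cmd, args = task_command(ev["TaskContent"])
        exe = cmd.replace("/", "\\").rsplit("\\", 1)[-1]
        reasons = []
        if not ev["TaskName"].startswith(BENIGN_TASK_PREFIX):
            reasons.append("task outside \\Microsoft\\")
        if SUSPICIOUS_COMMANDS.search(exe):
            reasons.append(f"runs script interpreter {exe}")
        if reasons:
            hits.append((ev["Computer"], ev["TaskName"], ev["SubjectUserName"],
                         cmd, args, reasons))
    return hits


if __name__ == "__main__":
    for hit in find_new_accounts(SAMPLE_EVENTS, ["jdoe"]):
        print("NEW ACCOUNT", hit)
    for hit in find_suspicious_tasks(SAMPLE_EVENTS):
        print("SUSPICIOUS TASK", hit)
```

On the constructed data the account `sqlsvc2`, created by `svc_backup` rather than by an HR or IT administrator, and the task `\Update` on FS02, which launches a hidden PowerShell script from a network share, are the two findings; the Windows defragmentation task is left alone. A real run should widen the window to the weeks before the first sign of intrusion, since the FBI notes BlackCat sets up its GPO-based deployment after it has already collected Active Directory credentials.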