[BreachExchange] FBI: This ransomware written in the Rust programming language has hit at least 60 targets

Matthew Wheeler mwheeler at flashpoint-intel.com
Mon Apr 25 09:26:04 EDT 2022


https://www.zdnet.com/article/fbi-this-ransomware-written-in-the-rust-programming-language-has-hit-at-least-60-targets/

The BlackCat ransomware gang has claimed at least 60 victims worldwide.

Written by Liam Tung, Contributor

on April 25, 2022 | Topic: Security

The BlackCat ransomware gang, known for being the first to use ransomware
written in the Rust programming language, has compromised at least 60
organizations worldwide since March 2022, the Federal Bureau of
Investigation (FBI) says in a new alert.

BlackCat, which also goes by the name ALPHV, is a relatively new
ransomware-as-a-service gang that security researchers believe is related
to the more established BlackMatter (aka Darkside) ransomware gang that hit
US fuel distributor Colonial Pipeline last May.

BlackCat appeared in November 2021 and was created by compromise experts or
'access brokers' that have sold access to multiple RaaS groups, including
BlackMatter, according to Cisco's Talos researchers.

As ZDNet reported in February, BlackCat has hit several high-profile
companies since December, including Swiss airport management service
Swissport and two German oil suppliers.

While much of the group's efforts have been focused on striking several
European critical infrastructure firms, Cisco notes in a March report that
more than 30% of BlackCat compromises have targeted US firms.

"As of March 2022, BlackCat/ALPHV ransomware as a service (RaaS) had
compromised at least 60 entities worldwide and is the first ransomware
group to do so successfully using Rust, considered to be a more secure
programming language that offers improved performance and reliable
concurrent processing," the FBI says in its alert detailing BlackCat/ALPHV
indicators of compromise.

"BlackCat-affiliated threat actors typically request ransom payments of
several million dollars in Bitcoin and Monero but have accepted ransom
payments below the initial ransom demand amount. Many of the developers and
money launderers for BlackCat/ALPHV are linked to Darkside/BlackMatter,
indicating they have extensive networks and experience with ransomware
operations," it continues.

The BlackCat gang uses previously compromised user credentials to gain
initial access to the victim's system. The group then compromises Microsoft
Active Directory user and administrator accounts and uses the Windows Task
Scheduler to configure Group Policy Objects to deploy the ransomware.

BlackCat also uses legitimate Windows tools – such as Microsoft
Sysinternals, as well as PowerShell scripts – to disable security features
in anti-malware tools, launch ransomware executables including on MySQL
databases, and copy ransomware to other locations on a network.

The group practices double extortion by stealing data prior to encrypting
it in order to threaten victims with a leak in the event they don't pay a
ransom demand.

Cisco said it was unlikely the BlackCat gang or affiliates were using an
Exchange flaw. However, Trend Micro researchers last week claimed to have
identified BlackCat exploiting the Exchange bug CVE-2021-31207 during an
investigation. That was one of the ProxyShell Exchange bugs discovered in
mid-2021.

BlackCat has versions that work on Windows and Linux, as well as VMware's
ESXi environment, notes Trend Micro.

"In this incident, we identified the exploitation of CVE-2021-31207. This
vulnerability abuses the New-MailboxExportRequest PowerShell command to
export the user mailbox to an arbitrary file location, which could be used
to write a web shell on the Exchange Server," the firm said.

The Cybersecurity and Infrastructure Security Agency is urging
organizations to review the FBI's alert.

The FBI is seeking information from the public about BlackCat compromises.
It wants "any information that can be shared, to include IP logs showing
callbacks from foreign IP addresses, Bitcoin or Monero addresses and
transaction IDs, communications with the threat actors, the decryptor file,
and/or a benign sample of an encrypted file."

As Windows Task Scheduler is commonly used by attackers to hide malicious
activity within seemingly normal admin tasks, the FBI recommends that
organizations review Task Scheduler for unrecognized scheduled tasks, and
check domain controllers, servers, workstations, and Active Directory for
new or unrecognized user accounts.
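One way to act on that recommendation, as an added example that is not from the article or the FBI alert: a PowerShell script that records a baseline of scheduled tasks on a known-clean host, on later runs reports tasks whose path or action is not in that baseline, and lists domain accounts created recently. The baseline path, the seven-day window and the script-host pattern are assumptions; the account check needs the RSAT ActiveDirectory module and is skipped without it.

```powershell
# Added example (not the article's or the FBI's code). Assumes Windows PowerShell 5.1+
# with the built-in ScheduledTasks module. Baseline location and window are arbitrary.
param(
    [string]$BaselinePath = "$env:ProgramData\TaskBaseline.json",  # assumed location
    [int]$NewAccountDays = 7                                        # assumed window
)

# 1. Snapshot every scheduled task: full path, what it runs (with arguments), author.
$current = Get-ScheduledTask | ForEach-Object {
    $t = $_
    $actions = ($t.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join ' | '
    [pscustomobject]@{ Path = "$($t.TaskPath)$($t.TaskName)"; Action = $actions; Author = $t.Author }
}

if (-not (Test-Path $BaselinePath)) {
    # First run on a host believed clean: record the baseline and stop.
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
    Write-Host "Baseline of $($current.Count) tasks written to $BaselinePath"
    return
}

# 2. Diff against the baseline: a new task path OR a changed action is worth a look.
$known = @{}
foreach ($b in (Get-Content $BaselinePath -Raw | ConvertFrom-Json)) { $known[$b.Path] = $b.Action }

$suspect = $current | Where-Object {
    -not $known.ContainsKey($_.Path) -or $known[$_.Path] -ne $_.Action
}

# Tasks that launch a script host get an extra flag, since the article describes
# deployment through Task Scheduler and PowerShell. Pattern is an assumption.
$scriptHosts = 'powershell|pwsh|cmd\.exe|wscript|cscript'
$suspect | ForEach-Object {
    [pscustomobject]@{
        Path   = $_.Path
        Action = $_.Action
        Author = $_.Author
        Note   = if ($_.Action -match $scriptHosts) { 'SCRIPT-HOST' } else { '' }
    }
} | Format-Table -AutoSize

# 3. Domain accounts created inside the window (skipped when the AD module is absent).
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    $since = (Get-Date).AddDays(-$NewAccountDays)
    Get-ADUser -Filter { whenCreated -ge $since } -Properties whenCreated, Enabled |
        Select-Object SamAccountName, whenCreated, Enabled | Format-Table -AutoSize
}
```

Run it once on a known-clean machine to write the baseline, then on a schedule; the baseline should be stored somewhere a local administrator account cannot quietly rewrite it.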