Kaspersky released a new report, "A bad luck BlackCat,"
revealing the details of two cyber incidents conducted by the BlackCat
ransomware group. The complexity of the malware used, combined with the vast
experience of the actors behind it, makes the gang one of the major players in
today's ransomware market. The tools and techniques the group deploys during
its attacks confirm the connection between BlackCat and other infamous
ransomware groups, including BlackMatter and REvil.

The BlackCat ransomware gang is a threat actor that has been operating since
at least December 2021. Unlike many ransomware actors, BlackCat's malware is
written in the Rust programming language. Thanks to Rust's advanced
cross-compilation capabilities, BlackCat can target both Windows and Linux
systems. Overall, BlackCat has introduced incremental advances and a shift in
technologies to address the challenges of ransomware development.

The actor claims to be a successor to notorious ransomware groups like
BlackMatter and REvil. Our telemetry suggests that at least some members of the
new BlackCat group have direct links to BlackMatter, as they use tools and
techniques that had previously been widely used by that group.

In the new report, Kaspersky researchers shed light on two cyber incidents of
particular interest. One demonstrates the risk presented by shared cloud
hosting resources, and the other demonstrates an agile approach to customized
malware being re-used across BlackMatter and BlackCat activity.

The first case looks at an attack against a vulnerable ERP (enterprise
resource planning) provider in the Middle East hosting multiple sites. The
attackers simultaneously delivered two different executables to the same
physical server, targeting two different organizations virtually hosted on it.
The gang mistook the infected server for two different physical systems, while
leaving tracks that were important for identifying BlackCat's operating style.
Kaspersky researchers determined that the actor exploits the risk of shared
assets across cloud resources. Additionally, in this case, the group also
delivered a Mimikatz batch file along with the executables and Nirsoft network
password recovery utilities. A similar incident took place in 2019 when REvil,
a predecessor to BlackMatter activity, appeared to penetrate a cloud service
that supports a large number of dental offices in the US. It is most likely
that BlackCat has also adopted some of these older tactics.

The second case involves an oil, gas, mining and construction company in South
America and reveals the connection between BlackCat and BlackMatter ransomware
activity. Not only did the affiliate behind this ransomware attack (which
appears to be different from the one in the previously mentioned case) attempt
to deliver BlackCat ransomware within the targeted network, it also preceded
its delivery of the ransomware with the installation of a modified custom
exfiltration utility, which we call "Fendr." This utility, which is also known
as ExMatter, had previously been used exclusively as part of BlackMatter's
ransomware activity.

"After
the REvil and BlackMatter groups shut down their operations, it was only a
matter of time before another ransomware group took over their niche," said Dmitry Galov, security researcher
at Kaspersky's Global Research and Analysis Team. "Knowledge of malware
development, a new written-from-scratch sample in an unusual programming
language and experience in maintaining infrastructure are turning the BlackCat
group into a major player in the ransomware market. By analyzing these major
incidents, we highlighted the main features, tools and techniques used by
BlackCat while penetrating their victims' networks. This knowledge helps us
keep our users safe and protected from known and unknown threats. We urge the
cybersecurity community to join forces and work together against new
cybercriminal groups for a safer future."

Learn more about the BlackCat ransomware on Securelist.com.