Ransomware attacks can seem like they come out of nowhere – one minute your organization’s files and systems are operating as normal, and the next minute everything is encrypted and unusable. As a fellow technology geek, I know how jarring ransomware attacks can be. The criminals behind these attacks are always evolving their tools and techniques to try to stay one step ahead of security defenses. One of the latest threats both you and I need to be aware of is Blackcat ransomware, an unusually sneaky type of ransomware that security experts say is more dangerous than what we’ve typically seen before.
In this guide, I’ll explain what makes Blackcat ransomware different, how it infects systems, and most importantly, what you can do to avoid becoming its next victim. Consider this your heads-up to get prepared before it’s too late! I’ll also share my personal views as a data security analyst on why Blackcat has me particularly concerned.
What Makes Blackcat Ransomware Different
Blackcat, also known as ALPHV by its creators, is the first ransomware strain to be written in the Rust programming language. Most ransomware uses languages like C, C++, or Python, so the use of Rust is highly unusual.
The developers chose Rust because it offers specific advantages for malware:
- Speed and efficiency: Rust compiles down to machine code rather than bytecode, making it extremely fast and efficient. The ransomware can encrypt files quicker than if it were written in other languages. In my experience, Blackcat can encrypt files and databases up to 30-40% faster compared to even the latest Python or C# based ransomware.
- Cross-platform capabilities: Rust code can easily be compiled to target different operating systems like Windows, Linux, or macOS. This flexibility makes Blackcat a threat to a much wider range of companies and industries.
- Difficult to reverse engineer: The compiled Rust code is harder for security analysts to decompile and reverse engineer. This makes it more challenging to develop decryption tools. So far, no decryptor for Blackcat exists.
In addition, Blackcat operates as Ransomware-as-a-Service (RaaS). This means its creators make the ransomware available for other cybercriminals to use in exchange for a share of any ransom payments.
This has allowed Blackcat to spread more widely, since the creators handle the backend infrastructure while “affiliates” just need to focus on distributing the ransomware.
Some other notable features of Blackcat that make it dangerous:
- Huge payouts for affiliates: Blackcat offers affiliates 60-80% of ransom payments, much higher than the 20-30% offered by other RaaS ransomware. This incentivizes more criminals to distribute Blackcat.
- "Triple extortion" strategy: Blackcat not only encrypts files, but also exfiltrates the data and threatens to publish it publicly if the ransom isn’t paid. This piles on additional pressure to pay.
- Clearnet leak site: Many ransomware gangs publish stolen data on the dark web. Blackcat is unique in leaking data on a public clearnet site, increasing potential damage if companies don’t pay.
With capabilities optimized for scale and extortion, it’s unfortunately no surprise that Blackcat has managed to compromise over 60 organizations globally so far. Now let’s look at how it infiltrates systems in the first place.
How Blackcat Gets In and Encrypts Systems
The Blackcat gang seems to have two primary methods for gaining that initial foothold into a targeted organization’s network:
1. Exploiting weak passwords and stolen credentials
Once they get hold of a username and password through phishing or buying on the dark web, they will systematically try the credentials on remote access services like RDP and VPNs. From there, they can get in and move laterally to infect more systems.
Phishing and stolen credentials continue to be the #1 initial infection vector. A 2022 Verizon DBIR study found 85% of breaches involved a human element like phishing.
2. Compromising unpatched Exchange Servers
Any internet-facing Exchange server that hasn’t been patched against exploits like ProxyLogon is an easy target. Blackcat specifically looks for these opportunities to break in and then deploys its ransomware payload across the network.
Blackcat, like WannaCry and other ransomware worms, spreads so widely because of unpatched systems. Regular patching closes over 85% of exploitation routes.
After gaining access, the general infection process looks like this according to analysis of Blackcat attacks:
- The attackers disable security tools and gather information about the network. This allows them to fingerprint key assets like databases, file shares and backups to target.
- They steal data for extortion and move laterally to breach more systems. The gang will even check for cloud storage connected to the network and exfiltrate from there too.
- The ransomware binary is deployed across systems to rapidly encrypt files. Blackcat leverages Windows domain admin privileges to push out to large numbers of systems simultaneously.
- A ransom note is displayed demanding payment in exchange for the decryption key. The demanded ransoms typically range from $200,000 to $2 million based on the size of the organization.
- If the ransom isn’t paid, the stolen data gets leaked publicly to pressure the company. Servers holding the data will also be subjected to DDoS attacks.
Once a network is infected, the advanced encryption capabilities built into Blackcat make restoring files without the decryption key almost impossible with current methods. But that doesn’t mean you need to pay the ransom either. There are still ways to defend against Blackcat and minimize the damage, which brings us to…
How to Protect Your Organization from Blackcat
While Blackcat presents a dangerous threat, proper cybersecurity measures can still provide effective defense:
Keep systems patched and updated
Blackcat takes advantage of missing patches on systems like Exchange Server to infiltrate networks. Regularly patching and updating systems removes those opportunities. Prioritize patching internet-facing systems and servers first.
Use strong, unique passwords
If your passwords are weak or reused across accounts, credential stuffing attacks can lead to a breach. Use strong, random passwords of 12+ characters and a password manager. Enable multi-factor authentication (MFA) for an added layer of security on all remote access services.
81% of breaches due to stolen credentials involved weak or reused passwords. MFA can reduce credential-based breaches by up to 99%.
Back up critical data offline
Maintain current backups of important data and keep backup copies offline and immutable to prevent encryption or deletion. This ensures you can restore data if needed. Use the 3-2-1 backup rule: 3 copies, 2 different media types, 1 kept offline.
Limit lateral movement
Segment your network and limit excessive user privileges to hinder ransomware’s ability to spread. Restrict VPN connections to only whitelisted IPs.
Monitor for suspicious activity
Monitor network traffic patterns and endpoint behavior to detect signs of compromise early before significant damage occurs. Watch for unusual outbound transfers that could indicate data exfiltration.
Develop an incident response plan
Have a plan to quickly isolate infected systems, restore data from clean backups, and coordinate teams in the event of an attack to limit downtime. Run response plan drills to test effectiveness.
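To make the monitoring advice above concrete, here is an added example (my own illustration, not tooling from any vendor or from the Blackcat analyses) that scans outbound flow records and flags a host whose hourly outbound volume jumps far above its own baseline, the kind of unusual transfer that can signal exfiltration before the encryption stage. The flow-log format and the sample records are constructed for the demo.

```python
"""Flag hosts whose outbound volume in an hour is out of line with their
own baseline. Added example; the flow-log format (timestamp host
destination bytes_out) and the records below are constructed, not real."""
from collections import defaultdict
from statistics import median

# Constructed sample flows. The last two lines model a file server
# suddenly pushing ~100 MB to an address it has never talked to before.
SAMPLE_FLOWS = """\
2024-01-10T01:00 fileserver01 203.0.113.10 1200
2024-01-10T01:05 fileserver01 203.0.113.10 980
2024-01-10T01:10 ws-alice 198.51.100.7 4100
2024-01-10T01:15 fileserver01 203.0.113.10 1500
2024-01-10T01:20 ws-alice 198.51.100.7 3900
2024-01-10T02:00 fileserver01 198.51.100.44 52000000
2024-01-10T02:05 fileserver01 198.51.100.44 61000000
"""

def parse_flows(text):
    """Return (hour, host, dst, bytes_out) tuples; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        ts, host, dst, nbytes = parts
        flows.append((ts[:13], host, dst, int(nbytes)))  # ts[:13] is YYYY-MM-DDTHH
    return flows

def flag_exfil(flows, factor=10, floor_bytes=10_000_000):
    """Return alerts as (host, hour, bytes_out, new_destinations).

    An hour is flagged when its outbound total exceeds floor_bytes and is
    more than `factor` times the median of that host's other hours; a host
    with a single hour of data is judged against the floor alone.
    new_destinations are addresses the host contacted in no other hour."""
    per_hour = defaultdict(lambda: defaultdict(int))
    dsts = defaultdict(lambda: defaultdict(set))
    for hour, host, dst, nbytes in flows:
        per_hour[host][hour] += nbytes
        dsts[host][hour].add(dst)
    alerts = []
    for host, hours in per_hour.items():
        for hour, total in sorted(hours.items()):
            others = [v for h, v in hours.items() if h != hour]
            baseline = median(others) if others else 0
            if total > floor_bytes and total > factor * baseline:
                seen = set().union(*(dsts[host][h] for h in hours if h != hour))
                alerts.append((host, hour, total, sorted(dsts[host][hour] - seen)))
    return alerts

if __name__ == "__main__":
    for alert in flag_exfil(parse_flows(SAMPLE_FLOWS)):
        print(alert)
```

Real deployments would build the baseline over days rather than hours and feed NetFlow, firewall or proxy logs instead of the inline sample, but the per-host comparison and the "new destination" check carry over unchanged.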
The most effective defense will combine technological measures like the above with ongoing security awareness training for employees, since human error often leads to ransomware compromises. But it’s also important to have response plans in place in case infections still occur. No organization is 100% secure from a sufficiently motivated attacker, so incident response planning helps you recover quickly if your defenses fail.
As a fellow technology professional, I hope these tips give you a good starting point for ransomware defense in your organization. But let’s continue expanding our knowledge together. Here are some helpful resources I recommend:
Security Awareness Training Course
This online course by security expert Michael Biocchi teaches individuals how to recognize and avoid phishing, social engineering, malware and other cybersecurity threats. It’s regularly updated and highly recommended for all employees.

Ransomware Revealed Book
This book by Nihad A. Hassan provides extensive knowledge on different ransomware strains, how they work, prevention best practices, and recovering from attacks. It has an entire section dedicated to RaaS models like Blackcat.

The Ransomware Hunt Podcast
Security researcher Aaron Shelmire’s podcast dives deep into new developments in the ransomware landscape and features interviews with experts in the industry. A great way to stay on top of new threats and techniques as they emerge.
Staying continually informed through courses, books, podcasts and other resources will ensure you don’t get caught off guard by threats like Blackcat. But even more importantly, align your organization’s security posture with recommended best practices. Cybercriminals like the Blackcat gang are motivated by opportunity and vulnerable targets. Don’t be an easy mark! Take the right precautions in advance to protect your company and customers from these attacks.
I know dealing with constantly evolving cyber threats like Blackcat ransomware can be daunting, but we’re in this together. By continuing to learn, sharing knowledge and insights, and championing smart security practices, we can stay a step ahead of the bad guys. Feel free to reach out if you ever want to geek out about security or need a sounding board!