BlackCat Ransomware gang breached over 60 orgs worldwide

Pierluigi Paganini April 25, 2022

At least 60 entities worldwide have been breached by BlackCat ransomware, warns a flash report published by the U.S. FBI.

The U.S. Federal Bureau of Investigation (FBI) published a flash report that states that at least 60 entities worldwide have been breached by BlackCat ransomware (aka ALPHV and Noberus) since it started its operations in November.

“The Federal Bureau of Investigation (FBI) has released a Flash report detailing indicators of compromise (IOCs) associated with attacks involving BlackCat/ALPHV, a Ransomware-as-a-Service that has compromised at least 60 entities worldwide.” reads the flash advisory. “CISA encourages users and administrators to review the IOCs and technical details in FBI Flash CU-000167-MW and apply the recommended mitigations.”

The list of the victims of the gang includes Moncler, the Swissport, and Inetum.

The BlackCat/ALPHV a Ransomware was first discovered in December by malware researchers from Recorded Future and MalwareHunterTeam. The malware is the first professional ransomware strain that was written in the Rust programming language.

BlackCat can target Windows, Linux, and VMWare ESXi systems, but at this time the number of victims is limited. The popular malware researcher Michael Gillespie said that the BlackCat ransomware is “very sophisticated.

Recorded Future experts speculate that the author of the BlackCat ransomware, known as ALPHV, was previously involved with the REvil ransomware operations.

According to the alert, many of the developers and money launderers for gang are linked to
Darkside/Blackmatter operations.

ALPHV has been advertising the BlackCat Ransomware-as-a-Service (RaaS) on the cybercrime forums XSS and Exploit since early December. Like other ransomware groups, the gang also implements a double-extortion model, threatening to leak the stolen data if the victims don’t pay.

ALPHV is attempting to recruit affiliates for its operations, offering them between 80% and 90% of the final ransom, depending on its value. The BlackCat operations only hit a small number of victims at this time in the USA, Australia, and India.

Ransom demands range from a few hundreds of thousands up to $3M worth of Bitcoin or Monero.

The alert includes indicators of compromise (IoCs) associated with BlackCat/ALPHV, as of mid-February 2022.

The FBI is seeking any information that can be shared related to the operations of the BlackCat ransomware operation.

Below are recommended mitigations included in the alert:

  • Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.
  • Regularly back up data, air gap, and password-protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
  • Review Task Scheduler for unrecognized scheduled tasks. Additionally, manually review operating system defined or recognized scheduled tasks for unrecognized “actions” (for example: review the steps each scheduled task is expected to perform).
  • Review antivirus logs for indications they were unexpectedly turned off.
  • Implement network segmentation.
  • Require administrator credentials to install software.
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (e.g., hard drive, storage device, the cloud).
  • Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.
  • Use multifactor authentication where possible.
  • Regularly change passwords to network systems and accounts, and avoid reusing passwords for different accounts.
  • Implement the shortest acceptable timeframe for password changes.
  • Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
  • Install and regularly update antivirus and anti-malware software on all hosts.
  • Only use secure networks and avoid using public Wi-Fi networks. Consider installing and using a virtual private network (VPN).
  • Consider adding an email banner to emails received from outside your organization.
  • Disable hyperlinks in received emails.

Please vote for Security Affairs as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog” and others of your choice.
To nominate, please visit: 
https://docs.google.com/forms/d/e/1FAIpQLSfxxrxICiMZ9QM9iiPuMQIC-IoM-NpQMOsFZnJXrBQRYJGCOw/viewform  

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, BlackCat ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment