BlackCat ransomware deployed on unpatched Exchange servers

Posted on June 17, 2022 at 6:26 PM

Microsoft has warned its users that operators of the BlackCat ransomware are exploiting an unpatched vulnerability in Exchange Server to gain entry to targeted networks.

BlackCat targets unpatched Exchange server

Once the attackers have an entry point, they quickly gather information about the affected machines. The next step is stealing user credentials and moving laterally. The attackers later harvest intellectual property and then drop the ransomware payload.

This sequence of events unfolded within two weeks. The Microsoft 365 Defender Threat Intelligence team released a report this week saying that compromised credentials were used to sign in to users’ accounts.

“In another incident we observed, we found that a ransomware affiliate gained initial access to the environment via an internet-facing Remote Desktop server using compromised credentials to sign in,” the researchers added. They also noted how deployments can differ despite being conducted by the same attacker.

BlackCat is one of the newest entries into the ransomware space. The ransomware also goes by other names like Noberus and ALPHV. It is also credited as the first cross-platform ransomware written in Rust, which reflects a growing trend of threat actors turning to less common programming languages to avoid detection.

The ransomware-as-a-service (RaaS) program operates in a wide range of ways, regardless of the initial access vectors that have been reported. The scheme exfiltrates and encrypts data, which is then held for ransom as part of a double extortion strategy. This strategy has resulted in notable data loss for the targeted individuals and businesses.

The RaaS model has become very lucrative in the cybercriminal world and is sought after by individuals looking to achieve maximum economic benefit. The model involves three key players.

The players are the initial access brokers (IABs), who are tasked with compromising the network and maintaining persistence; the operators, who develop and maintain the ransomware operations; and the affiliates, who buy access from IABs and use it to deploy the payload.

BlackCat is a growing threat

The US Federal Bureau of Investigation (FBI) recently released an alert about ransomware attacks using the BlackCat ransomware. These attacks have targeted around 60 institutions globally. The ransomware has been used since March 2022 and was first spotted in November 2021.

Microsoft added that “two of the most prolific” threat actor groups had been using the ransomware. Some of the ransomware families that have deployed BlackCat include Conti, Hive, LockBit 2.0, and REvil.

The other notorious threat actor group deploying the malware is DEV-0237. This group also goes by the name FIN12, which was last seen operating in the healthcare sector in October 2021. DEV-0504 has also been found to use the malware, and this threat actor has been active since 2020.

DEV-0504 is proactive and does not rely entirely on a single RaaS scheme. Its behavior shows that after a RaaS program has shut down, it shifts to a different payload. This shows the aggressiveness of the actor in maintaining its ransomware attacks.

Last month, Microsoft released a report on this threat actor, saying, “DEV-0504 was responsible for deploying BlackCat ransomware in companies in the energy sector in January 2022. Around the same time, DEV-0504 also deployed BlackCat in attacks against fashion, tobacco, IT, and manufacturing companies, among others.”

These findings illustrate ransomware groups’ aggressiveness in targeting individuals and companies. The reports show that affiliate actors have joined the RaaS bandwagon to monetize their attacks. The model has proven lucrative for financially motivated ransomware groups.

These threat actors have also adopted different pre-ransom steps to execute the ransomware payload. The payload is deployed within the network of the targeted organization. The ransomware also poses major risks to the conventional defense approaches that have been adopted by some organizations.

The researchers also added that more vigilance was needed to keep up with the activities of ransomware groups. By continuously changing their tactics, these groups continue to wreak havoc on organizations and legacy environments that fail to implement the best internet practices.

“Detecting threats like BlackCat, while good, is no longer enough as human-operated ransomware continued to grow, evolve, adapt to the networks they’re deployed or the attackers they work for. These types of attacks continue to take advantage of an organization’s poor credential hygiene and legacy configurations or misconfigurations to succeed,” the researchers added.
