Hacker hand stealing data from laptop showing BlackCat ransomware

FBI Alert Warns of BlackCat Ransomware That Compromised 60 Organizations in 4 Months

The Federal Bureau of Investigation (FBI) published a flash alert on the BlackCat ransomware group, also known as Noberus and AlphaV.

The alert warned that BlackCat ransomware has victimized at least 60 organizations worldwide and demanded millions of dollars in ransom payments as of March 2022.

Formed in November 2021, the BlackCat ransomware group works with experienced cybercriminals linked to the BlackMatter ransomware.

BlackCat ransomware group’s tactics, techniques, and procedures (TTPs)

The FBI alert says BlackCat ransomware leverages previously compromised user credentials to gain initial access. Next, the malware group compromises Windows Server Active Directory user and administrator accounts and configures malicious Group Policy Object using the Windows Task Scheduler to deploy the ransomware.

The malware disables network security during the initial deployment phases.  It leverages PowerShell scripts, Cobalt Strike, Windows administrative tools, and Microsoft Sysinternals. Additionally, the threat actors leverage Windows scripting to compromise additional hosts.

The FBI noted that the BlackCat ransomware group was the first threat actor to use the RUST programming language. RUST is considered more secure with improved performance and reliable concurrent processing. Security researchers say BlackCat’s executable supports multiple encryption methods, making it adaptable to various environments. BlackCat currently targets both Windows and Linux operating systems.

Additionally, RUST reduces the possibility of detection because many detection tools aren’t suited for all programming languages, according to AT&T Alien Labs.

BlackCat ransomware group exfiltrates data before encrypting devices. The double extortion publishes the stolen data on its “wall of shame” if the victims refuse to comply with its ransom demands.

BlackCat is an alliance of various ransomware gangs

The FBI alert linked BlackCat ransomware to the now-defunct BlackMatter ransomware group.

“Many of the developers and money launderers for BlackCat/ALPHV are linked to DarkSide/BlackMatter, indicating they have extensive networks and experience with ransomware operations,” the FBI wrote.

Similarly, Kaspersky and Cisco Talos Intelligence Group confirmed the link between BlackCat and BlackMatter ransomware groups. Kaspersky security researchers discovered that both gangs deployed the Fendr data exfiltration tool.

Brett Callow, a threat analyst at Emsisoft, even suggested that BlackCat ransomware had rebranded from BlackMatter ransomware.

However, a BlackCat ransomware representative told Recorded Future that the group was not a rebranding of BlackMatter ransomware. He claimed that BlackCat was a collection of affiliates from other Ransomware-as-a-Service (RaaS) groups, including BlackMatter/DarkSide, GandCrab/REvil, Maze/Egregor, LockBit, BlackByte, Avoslocker, Ragnar Locker, and others.

The representative added that BlackCat ransomware was a “mix of talents” from these RaaS groups that enhanced their advantages and eliminated their disadvantages.

BlackMatter ransomware wrapped up operations last year after concerted law enforcement activity following the high-profile compromise of Colonial Pipeline.

Emerging in November 2021, BlackCat ransomware victims include Swissport, German oil companies Oiltanking and Mabanaft, and Italian fashion giant Moncler. The group also claimed responsibility for compromising Florida International University and North Carolina A&T University.

“While the majority of BlackCat’s 60 victims were in the EU, more than 30% of BlackCat compromises have targeted US firms,” Alon Nachmany, Field CISO of AppViewX, said. “And with the FBI’s memo, it’s clear the U.S. government is expecting this to hit the states soon.”

The FBI discouraged victims from paying the ransom because the payment does not guarantee successful data recovery. Additionally, ransom payment incentivizes ransomware operators to target more organizations.

However, the agency advised organizations to analyze the situation individually and prioritize the interests of their shareholders, customers, and employees.

“As this malware focuses on compromising user credentials, organizations can instead replace the password with a digital certificate – the backbone to cybersecurity and keeping digital systems safe,” Nachmany said. “Simply put, passwords aren’t enough. People forget them and forget where they’re used.”