In recent times, ransomware has become the go-to cyber attack tool among cybercriminals. Ransomware is usually spread through phishing emails, drive-by downloads, pirated software, and remote desk protocol, among others. Once a computer has been infected with ransomware, the ransomware encrypts critical files in the computer. Hackers then demand a ransom to restore the encrypted data. Cyber attacks can compromise a country’s national security, cripple operations in key sectors of an economy, and cause immense damage and serious financial losses. This is exactly what happened with the WannaCry ransomware cyber-attack. On May 12th, 2017, ransomware called WannaCry believed to have originated from North Korea, spread around the world and infected over 200,000 computer systems in over 150 countries in under two days. WannaCry targeted computer systems running the Windows operating system. It exploited a vulnerability in the operating system’s server message block protocol. One of the biggest victims of the attack was the United Kingdom National Health Service(NHS). Over 70,000 of their devices, including computers, theatre, diagnostic equipment, and MRI scanners, were infected. Doctors couldn’t access their systems or patient records needed to attend to patients. This attack cost the NHS close to 100 million dollars. That is how bad a can get. However, things can get much worse, especially with new and more dangerous Ransomware such as BlackCat, which is leaving behind a path full of victims.
BlackCat Ransomware
The BlackCat ransomware, referred to as ALPHV by its developers, is malicious software that, upon infecting a system, exfiltrates and encrypts data in the affected system. Exfiltration involves copying and transferring data stored in a system. Once BlackCat has exfiltrated and encrypted critical data, a demand for ransom payable in cryptocurrency is made. BlackCat victims are required to pay the demanded ransom to regain access to their data. BlackCat is no ordinary ransomware. BlackCat was the first successful ransomware to be written in Rust, unlike other ransomware that is typically written in C, C++, C#, Java, or Python. Additionally, BlackCat was also the first ransomware family to have a website on the clear web where they leak stolen information from their attacks. Another key difference from other Ransomware is that BlackCat operates as Ransomware as a service(RaaS). Raas is a cybercrime business model where ransomware creators rent or sell their ransomware as a service to other individuals or groups. In this model, ransomware creators provide all the necessary tools and infrastructure for others to distribute and execute ransomware attacks. This is in exchange for a share of their profits gotten from ransomware payments. This explains why BlackCat has mostly targeted organizations and businesses, as they are usually more willing to pay the ransom compared to individuals. Organizations and businesses also pay a bigger ransom compared to individuals. Human guiding and making decisions in cyber attacks are known as Cyber Threat actors(CTA). To compel victims to pay the ransom, BlackCat uses the ‘triple extortion technique’. This involves copying and transferring the victims’ data and encrypting the data on their systems. The victims are then asked to pay ransom to access their encrypted data. Failure to do that results in their data being leaked to the public and/or denial of service(DOS) attacks launched on their systems. Finally, those who will be affected by the data leak are contacted and informed that their data will be leaked. These are usually customers, employees, and other company affiliates. This is done to pressure the victim organizations to pay ransom to avoid reputational loss and lawsuits resulting from data leakage.
How BlackCat Ransomware Works
According to a flash alert released by the FBI, the BlackCat ransomware uses previously compromised user credentials to gain access to systems. Once successfully in the system, BlackCat uses the access it has to compromise the user and administrator accounts stored in the active directory. This allows it to use Windows Task Scheduler to configure malicious Group Policy Objects(GPOs) that allow BlackCat to deploy its ransomware to encrypt files in a system. During a BlackCat attack, PowerShell scripts are used together with Cobalt Strike to disable security features in a victim’s network. BlackCat then steals the victims’ data from where it is stored, including from cloud providers. Once this is done, the cyber threat actor guiding the attack deploys BlackCat ransomware to encrypt data in the victim’s system. Victims then get a ransom note informing them their systems have suffered an attack and important files encrypted. The ransom also provides instructions on how to pay the ransom.
Why is BlackCat more dangerous than the average ransomware?
BlackCat is dangerous compared to the average ransomware for a number of reasons:
It is written in Rust
Rust is a programming language that is fast, secure, and offers improved performance and efficient memory management. By using Rust, BlackCat reaps all these benefits, making it a very complex and efficient ransomware with fast encryption. It also makes BlackCat difficult to reverse engineering. Rust is a cross-platform language that allows threat actors to easily customize BlackCat to target different operating systems, such as Windows and Linux, increasing their range of potential victims.
It uses a RaaS business model
BlackCat’s use of ransomware as a service model allows many threat actors to deploy complex ransomware without having to know how to create one. BlackCat does all the heavy lifting for threat actors, who just need to deploy it in a vulnerable system. This makes sophisticated ransomware attacks easy for threat actors interested in exploiting vulnerable systems.
It offers huge payouts to affiliates
With BlackCat employing a Raas model, the creators make money by taking a cut from the ransom paid to threat actors who deploy it. Unlike other Raas families that take up to 30% of a threat actor’s ransom payment, BlackCat allows threat actors to keep 80% to 90% of the ransom they make. This increases the appeal of BlackCat to threat actors allowing BlackCat to get more affiliates willing to deploy it in cyber attacks.
It has a public leak site on the clear web
Unlike other ransomware that leaks stolen information on the dark web, BlackCat leaks stolen information on a website accessible on the clear web. By leaking stolen data in the clear, more people can access the data, increasing the repercussions of a cyber attack and putting more pressure on victims to pay the ransom. The Rust programming language has made BlackCat very effective in its attack. By using a Raas model and offering a huge payout, BlackCat appeals to more threat actors who are more likely to deploy it in attacks.
BlackCat Ransomware Infection Chain
BlackCat gains initial access to a system using compromised credentials or by exploiting Microsoft Exchange Server vulnerabilities. After gaining access to a system, the malicious actors take down the system’s security defenses and gather information about the victim’s network and elevate their privileges. BlackCat ransomware then moves laterally in the network, gaining access to as many systems as possible. This comes in handy during the ransom demand. The more systems under attack, the more likely a victim will pay the ransom. Malicious actors then exfiltrate the system’s data which is to be used in extortion. Once critical data has been exfiltrated, the stage is set for the BlackCat payload to be delivered. Malicious actors deliver BlackCat using Rust. BlackCat first stops services such as backups, antivirus applications, Windows Internet services, and virtual machines. Once this is done, BlackCat encrypts files in the system and defaces a system’s background image replacing it with the ransom note.
Protect from BlackCat Ransomware
Although BlackCat is proving to be more dangerous than other ransomware witnessed before, organizations can protect themselves from the ransomware in a number of ways:
Encrypt Critical Data
Part of Blackhat’s extortion strategy involves threatening to leak a victim’s data. By encrypting critical data, an organization adds an extra layer of protection to its data, thus crippling the extortion techniques used by BlackHat threat actors. Even if it is leaked, it will not be in a human-readable format.
Regularly update systems
In research undertaken by Microsoft, it was revealed that in some cases, BlackCat exploited unpatched exchange servers to gain access to an organization’s systems. Software companies regularly release software updates to address vulnerabilities and security issues that might have been discovered in their systems. To be safe, install software patches as soon as they are available.
Backup data in a safe location
Organizations should prioritize regularly backing up data and storing the data in a separate and safe offline location. This is to ensure that even in the case of critical data being encrypted, it can still be restored from existing backups.
Implement multi-factor authentication
In addition to using strong passwords in a system, implement multifactor authentication, which requires multiple credentials before access to a system is granted. This can be done by configuring a system to generate a one-time password sent to a linked phone number or email, which is required to access a system.
Monitor activity on a network and files in a system
Organizations should constantly monitor activity on their networks to detect and respond to suspicious activities in their networks as fast as possible. Activities on a network should also be logged and reviewed by security experts to identify potential threats. Finally, systems should be put in place to track how files in a system are accessed, who accesses them and how they are used. By encrypting critical data, ensuring systems are up to date, regularly backing up data, implementing multi-factor authentication, and monitoring activity in a system. Organizations can be steps ahead and prevent attacks by BlackCat.
Learning Resources: Ransomware
To learn more about cyber attacks and how to protect yourself against attacks from ransomware such BlackCat, we recommend taking either of these courses or reading the books suggested below:
#1. Security Awareness Training
This is an amazing course for everyone interested in being safe on the internet. The course is offered by Dr. Michael Biocchi, a Certified Information Systems Security Professional(CISSP). The course covers phishing, social engineering, data leakage, passwords, safe browsing, and personal devices and offers general tips on how to be safe online. The course is regularly updated, and everyone using the internet stands to benefit from it.
#2. Security Awareness Training, Internet Security for Employees
This course is tailored to everyday internet users and aims to educate them on security threats people are often unaware of and how to protect themselves against the threats. The course offered by Roy Davis, a CISSP-certified information security expert, covers user and device accountability, phishing and other malicious emails, social engineering, data handling, password and security questions, safe browsing, mobile devices, and Ransomware. Completing the course gets you a certificate of completion, which is enough to be compliant with data regulation policies at most workplaces.
#3. Cyber Security: Awareness Training for Absolute Beginners
This is a Udemy course offered by Usman Ashraf from Logix Academy, a Training and Certifications startup. Usman is CISSP certified and has a Ph.D. in computer networks and lots of industry and teaching experience. This course offers learners a deep dive into social engineering, passwords, secure data disposal, virtual private networks(VPNs), malware, ransomware, and safe browsing tips and explains how cookies are used to track people. The course is non-technical.
#4. Ransomware Revealed
This is a book by Nihad A. Hassan, an independent information security consultant and an expert in cyber security and digital forensics. The book teaches how to mitigate and handle ransomware attacks and gives readers an in-depth look at the different types of ransomware that exist, their distribution strategies and recovery methods. The book also covers steps to follow in case of ransomware infection. This encompasses how to pay ransoms, how to perform backups and restore affected files, and how to search online for decryption tools to decrypt infected files. It also covers how organizations can develop a ransomware incident response plan to minimize ransomware damage and recover normal operations quickly.
#5. Ransomware: Understand. Prevent. Recover
In this book, Allan Liska, a senior security architect and ransomware specialist at Recorded Future, answers all the hard questions relating to Ransomware. The book gives a historical context of why ransomware has become prevalent in recent years, how to stop ransomware attacks, vulnerabilities that malicious actors target using ransomware, and a guide to surviving a ransomware attack with minimal damage. Additionally, the book answers the all-important question, should you pay the ransom? This book offers an exciting exploration of ransomware.
#6. Ransomware Protection Playbook
To any individual or organization looking to arm themselves against ransomware, this book is a must-read. In this book, Roger A. Grimes, an expert in computer security and penetration, offers his vast experience and knowledge in the field to help people and organizations protect themselves from ransomware. The book offers an actionable blueprint for organizations seeking to formulate robust defenses against ransomware. It also teaches how to detect an attack, limit damage quickly, and determine whether to pay the ransom or not. It also offers a game plan to help organizations limit reputation and financial damage caused by serious security breaches. Finally, it teaches how to come up with a secure foundation for cybersecurity insurance and legal protection to mitigate the disruption to business and everyday life.
Author’s Note
BlackCat is a revolutionary ransomware that is bound to change the status quo when it comes to cyber security. As of March 2022, BlackCat had successfully attacked over 60 organizations and managed to gain the attention of the FBI. BlackCat is a serious threat, and no organization can afford to ignore it. By employing a modern programming language and unconventional methods of attack, encryption, and ransom extortion, BlackCat has left security experts playing catchup. However, the war against this ransomware is not lost. By implementing strategies highlighted in this article and minimizing the opportunity for human error to expose computer systems, organizations can remain a step ahead and prevent the catastrophic attack of BlackCat ransomware.