
BlackCat Ransomware Hit More Than 60 Organizations Worldwide, FBI Says

Vlad CONSTANTINESCU

April 21, 2022


In a TLP:WHITE FLASH alert released yesterday in coordination with CISA, the FBI says the notorious BlackCat ransomware gang breached the networks of more than 60 organizations worldwide between November 2021 and March 2022.

The document is part of a series of reports that zero in on indicators of compromise (IOC) and tactics, techniques and procedures (TTP) linked to ransomware strains identified by the FBI during previous investigations.

BlackCat, also known as ALPHV, is a cybercrime group that runs a Ransomware-as-a-Service (RaaS) operation. The malicious campaign compromised at least 60 entities worldwide and “is the first ransomware group to do so successfully using RUST, considered to be a more secure programming language that offers improved performance and reliable concurrent processing,” according to the FBI’s FLASH alert.

The ransomware uses previously compromised credentials to gain initial access to the target system. Once it has a foothold, BlackCat uses Windows Task Scheduler to configure malicious Group Policy Objects (GPOs) that deploy the ransomware.

Initially, the malware uses a combination of PowerShell scripts and Cobalt Strike to disable security features on the compromised network. During the attack, BlackCat/ALPHV also leverages Microsoft Sysinternals and Windows administrative tools, steals victim data, and spreads the ransomware to additional hosts by abusing Windows scripting.

The FBI urges victims to cooperate with authorities and advises them not to pay the ransom. It also encourages victims to share any information that might help catch the perpetrators, including IP logs, Bitcoin or Monero transaction IDs and addresses, the decryptor file, any communication with the threat actors, or a “benign sample of an encrypted file.”

The FBI also included a list of recommended mitigation measures to help network administrators steer clear of BlackCat ransomware attacks, such as:

  • Implementing network segmentation
  • Backing up data regularly
  • Performing cold backups (offline, or at least not in the location where the original data resides)
  • Checking Windows Task Scheduler regularly for unrecognized scheduled tasks
  • Reviewing antivirus logs
  • Keeping antivirus and antimalware software up to date on all hosts
  • Using Multi-Factor Authentication (MFA)
  • Prioritizing system updates and patches
  • Disabling unused remote access ports and monitoring remote access logs
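The alert's advice to check Task Scheduler for unrecognized tasks is easier to act on with a baseline to compare against. The script below is an added example written for this article, not code from the FBI alert or from Bitdefender: on its first run it records every scheduled task (path, author and the command it executes) to a baseline file, and on later runs it reports tasks that are new or whose action has changed since the baseline. The baseline path under ProgramData and the `NewTask`/`ActionModified` labels are choices made for this example; the cmdlets come from the built-in ScheduledTasks module on Windows 8 / Server 2012 and later.

```powershell
# Added example (not from the FBI alert or the article): snapshot scheduled tasks
# and report any that were not present in a saved baseline, or whose action changed.
# Assumes the built-in ScheduledTasks module and a baseline path chosen by the reviewer.
param(
    [string]$BaselinePath = "$env:ProgramData\TaskBaseline\scheduled-tasks.xml"
)

function Get-TaskSnapshot {
    # One record per task: where it lives, who created it, and what it runs.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        $actions = ($task.Actions | ForEach-Object {
            # Execute = program, Arguments = command line; COM-handler actions have neither.
            ('{0} {1}' -f $_.Execute, $_.Arguments).Trim()
        }) -join ' ; '
        [pscustomobject]@{
            Key     = $task.TaskPath + $task.TaskName
            Author  = $task.Author
            State   = $task.State.ToString()
            Actions = $actions
        }
    }
}

$current = Get-TaskSnapshot

if (-not (Test-Path $BaselinePath)) {
    # First run: record the known-good state for later comparisons.
    New-Item -ItemType Directory -Path (Split-Path $BaselinePath) -Force | Out-Null
    $current | Export-Clixml -Path $BaselinePath
    Write-Output "Baseline written to $BaselinePath ($($current.Count) tasks)."
    return
}

$baseline = Import-Clixml -Path $BaselinePath
$known    = @{}
foreach ($t in $baseline) { $known[$t.Key] = $t }

# Tasks that did not exist at baseline time, or whose action changed since then.
$findings = foreach ($t in $current) {
    if (-not $known.ContainsKey($t.Key)) {
        $t | Add-Member -NotePropertyName Change -NotePropertyValue 'NewTask' -PassThru
    } elseif ($known[$t.Key].Actions -ne $t.Actions) {
        $t | Add-Member -NotePropertyName Change -NotePropertyValue 'ActionModified' -PassThru
    }
}

if ($findings) {
    $findings | Sort-Object Change, Key | Format-Table Change, Key, Author, Actions -AutoSize
} else {
    Write-Output 'No unrecognized or modified scheduled tasks.'
}
```

Run it once from an elevated prompt on a host believed clean to create the baseline, then on a schedule of its own; any `NewTask` or `ActionModified` line is something an administrator should be able to account for. Because the baseline is a plain XML file, store it somewhere the host's own administrators cannot quietly rewrite it (a read-only share or a central log collector), otherwise an intruder with local admin rights can bring the baseline in line with their own additions.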

Author


Vlad CONSTANTINESCU

Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.
